Johnson Dalal Privacy Lawsuit Demand Letter: Inside Florida’s Exploding Data Privacy Litigation Wave

A South Florida plaintiffs’ firm with deep roots in complex litigation is now targeting businesses over one of the most misunderstood laws in the state. If your website runs third-party tracking tools — and it almost certainly does — you may already be a target 

The demand letter arrives without warning. It names your business, cites a Florida statute most people have never heard of, and lays out a damages calculation that looks, at first glance, like it must be a mistake. It is not a mistake. It is the opening move in a litigation strategy that has already generated hundreds of millions of dollars in settlements across California, is now accelerating in Florida, and is being driven by a growing roster of specialized plaintiffs’ firms that know exactly how to make the economics work in their favor and if you’re website is not using Captain Compliance’s privacy software then you should expect to pay out a big settlement.

One of those firms is Johnson Dalal — a Florida-based litigation practice that has identified Floridas plaintiffs’ data privacy law as one of the most significant emerging areas of civil litigation in the state, and has built the practice infrastructure to pursue it at scale. Understanding what Johnson Dalal is doing, why the legal theory behind these cases is more solid than most defendants initially assume, and what businesses can do to protect themselves before a complaint is tantamount to protecting your business from these very expensive digital wiretapping lawsuits here in Florida.

The Statute Nobody Read Until It Started Costing People Money

The Florida Security of Communications Act is not a new law and we’ve covered it with a warning that the lawsuits will start flowing from this shortly and well… it’s starting to happen. Florida Statutes § 934.01 through § 934.43 were enacted in the 1960s, modeled closely on federal wiretapping statutes, and designed primarily to prevent unlawful government surveillance of private citizens. For most of its life, it was a criminal statute invoked in law enforcement contexts — wiretapping in the traditional sense, bugs in walls, tapped phone lines, the architecture of mid-century espionage.

Then someone read § 934.10 carefully and realized that the civil remedy it creates is remarkably potent in a world where websites routinely intercept user communications and transmit them to third parties without meaningful disclosure. This sounds awfully familiar to the west coast privacy lawsuits…

The civil damages provision is straightforward: any person whose communications are intercepted in violation of the Act may bring a private cause of action for liquidated damages of $100 per day for each day of violation, or $1,000 total — whichever is greater — plus attorney’s fees, costs, and actual damages if they exceed the liquidated amounts. Applied to a class of website visitors — which in any moderately trafficked business can number in the thousands or hundreds of thousands — those per-plaintiff figures aggregate into exposure that no company wants to litigate to judgment.

The core prohibition is § 934.03, which bars the intentional interception of any wire, oral, or electronic communication. Florida is a two-party consent state. Every party to a communication must consent to its recording or interception. That requirement, applied to modern website tracking infrastructure, is where the entire litigation theory is constructed.

Here is how it works: a business embeds third-party code on its website — a session replay tool, a behavioral analytics platform, a chat widget, an advertising pixel. A visitor arrives, types a question into a chat box, fills out a form, or simply navigates through product pages. As they do, the third-party tool intercepts that interaction in real time and transmits it to the vendor’s servers — before the business ever sees it, before the visitor has consented to any such transmission, and frequently without any disclosure that the interception is occurring at all.

Under the plaintiffs’ theory, the third-party vendor operating that tool is not a party to the communication between the visitor and the website. It is an unauthorized interceptor. The business that embedded the tool facilitated that interception. Both, potentially, are liable. The fact that the business didn’t read the vendor’s data handling documentation carefully enough to understand what was happening is not, under the statute, a defense.

The “party to the communication” argument — the most common defense businesses raise — holds that a website operator is inherently a party to any communication conducted through its platform and therefore cannot legally “intercept” its own communications. It is a reasonable argument, and courts have accepted versions of it in some contexts. But plaintiffs’ firms have become sophisticated about drafting around it, focusing their complaints on the independent role of the third-party vendor and the absence of any disclosed relationship between that vendor and the website visitor. The legal terrain here is unsettled enough that the defense rarely produces an early dismissal, which means most defendants end up weighing the cost of litigation against the cost of settlement — which is precisely the dynamic these litigation models are engineered to create.

We are also hearing that emails sent out targeting based on location are creating legal liability and the only defense to get it dismissed is to use a privacy policy software like the one created by Captain Compliance.

Johnson Dalal: The Firm Allegedly Behind the Florida Privacy Cases

Johnson Dalal is not a fly-by-night operation that discovered data privacy litigation last quarter and decided to file cases and same with Morgan & Morgan who is also entering the privacy litigation space. The firm brings genuine depth in complex civil litigation to a practice area that rewards exactly that kind of technical and legal sophistication.

Based in South Florida, Johnson Dalal has built its reputation across intellectual property, trademark and patent disputes, and sophisticated business litigation — areas that share a critical characteristic with data privacy cases: they require lawyers who can understand and explain technical systems to judges and juries who didn’t go to engineering school. Explaining to a court how session replay software intercepts keystrokes in transit, or how a third-party pixel fires before a website’s own analytics code runs, demands the kind of technical fluency that most generalist litigators don’t have and most boutique IP firms have been developing for years.

The firm operates across multiple Florida locations, with a practice reach that reflects the geographic breadth of the Florida business community it is now engaging as a plaintiffs’ firm in data privacy cases.

What is publicly visible about Johnson Dalal’s approach to data privacy litigation is consistent with how the most successful plaintiffs’ firms in this space have operated in California: methodical case selection, technically grounded complaints, and a willingness to litigate rather than simply demand settlements. That posture matters to defendants, because it means the demand letter is not necessarily a bluff. The firm has the infrastructure and the legal theory to follow through, which changes the risk calculus for any business weighing whether to engage or ignore.

The firm’s entry into this space also reflects a broader pattern in Florida’s legal market. As the FSCA wiretapping theory has been tested in federal and state courts — with results that have generally been favorable enough to plaintiffs to sustain the litigation model — more Florida-based firms with complex litigation credentials have identified data privacy as a practice area worth developing. Johnson Dalal is among the most serious of those entrants, and its background makes it better positioned than most to bring cases that survive early dispositive motions to dismiss these complex privacy cases.

California Wrote the Playbook. Florida Is Running It Now.

To understand where Florida’s FSCA litigation is heading, you have to understand what California’s plaintiffs’ bar did with the California Invasion of Privacy Act over the past five years — because the firms and strategies now operating in Florida studied that experience carefully and built their practices accordingly.

CIPA’s § 631 is structurally similar to the FSCA: it prohibits the wiretapping of electronic communications, creates a private right of action, and applies a two-party consent framework. Beginning around 2019 and accelerating sharply through 2021 and 2022, California plaintiffs’ attorneys began applying it to website tracking technology, and the case volume exploded.

Swigart Law Group, based in San Diego, became one of the highest-volume CIPA filers in the country. The firm developed a litigation model built around systematic identification of website operators using session replay and third-party chat tools, mass demand letters, and efficient conversion of recipients into settlements or filed complaints. The per-case economics work because the statutory damages create real exposure, the legal theory has been validated enough to survive motions to dismiss, and most mid-market business defendants calculate that settlement is cheaper than litigation even when they believe they might prevail.

Tauler Smith LLP built a similar volume practice with a focus on the technical mechanics of the interception theory and are one of most diligent privacy litigation firms — drafting complaints that walk through the specific code-level operation of the challenged tools in enough detail to foreclose the “we didn’t know what the vendor was doing” defense. The firm’s technical credibility in its pleadings has made early dismissal difficult for defendants.

Bursor & Fisher, with offices across multiple states and a long history in class action consumer litigation, brought institutional class action infrastructure to the space — the ability to certify large classes, manage complex discovery, and negotiate settlements at a scale that smaller boutiques can’t achieve. Their involvement in CIPA litigation elevated the seriousness of the practice area in the eyes of both defendants and the judiciary.

The pattern across all three firms is consistent: specialized, scalable, technically grounded, and economically engineered to produce settlements without requiring individual cases to go to trial. That model is now being transplanted to Florida, with the FSCA as the operative statute. Johnson Dalal, with its litigation depth and Florida roots, is positioned to bring the same level of seriousness to the Florida market that Bursor & Fisher and Tauler Smith brought to California.

Morgan & Morgan Changes the Scale Equation

If the entry of specialized boutiques like Johnson Dalal signals that the FSCA wiretapping theory is viable and worth pursuing seriously, the reported involvement of Morgan & Morgan in Florida data privacy litigation signals something categorically different: that the litigation wave is about to get much, much larger and that doesn’t include the other Florida newcomer Salpeter Gitkin, LLP.

Morgan & Morgan is not a boutique. It is one of the largest plaintiffs’ firms in the United States by any measure — attorney headcount, office footprint, annual case volume, or marketing spend. The firm built its dominance in personal injury, mass tort, and employment litigation by industrializing the plaintiffs’ practice: generating enormous case volume through aggressive client acquisition, processing cases efficiently through systems built for scale, and deploying the resources necessary to take cases to trial when defendants miscalculate their exposure.

The firm’s base in Florida is itself significant. This is not a California firm expanding into an unfamiliar jurisdiction. Morgan & Morgan has deep relationships with Florida courts, Florida judges, and the Florida plaintiff class. Its entry into FSCA wiretapping litigation brings client acquisition capacity that no boutique can match — meaning the number of potential plaintiffs reaching out to a firm of this scale will be orders of magnitude larger than what Johnson Dalal or any single specialized practice generates independently.

For Florida business owners, the Morgan & Morgan dimension means that the population of potential plaintiffs for FSCA wiretapping cases is not limited to the clients of specialist firms. It includes anyone who finds a Morgan & Morgan advertisement, walks into one of their dozens of Florida offices, or calls their well-known intake line. The marketing funnel for plaintiffs in this litigation is, functionally, the entire state of Florida.

The Technology Generating These Lawsuits

The range of deployments that create FSCA exposure is broader than most business owners realize, and several of the highest-risk categories are tools that businesses use routinely, often installed by marketing agencies or website developers who never flagged their legal implications.

Session replay and behavioral analytics tools. Platforms including FullStory, Microsoft Clarity, Hotjar, and Mouseflow record user sessions — mouse movements, clicks, scrolling behavior, and critically, keystrokes in form fields — and transmit that data to third-party servers in real time. The transmission happens before the website owner receives the data, which is precisely what the interception-in-transit theory requires. These tools are among the most heavily targeted in both CIPA and FSCA litigation.

Third-party live chat widgets. Tools from vendors including Intercom, Drift, Zendesk, and LiveChat frequently route visitor messages through the vendor’s servers before delivering them to the business’s support team. A visitor who believes they are communicating privately with the company is, in practice, transmitting their message to a third-party infrastructure they have never consented to interact with. Courts in California have found this arrangement sufficient to satisfy the interception element.

Advertising and conversion pixels. Meta’s Pixel, Google’s conversion tracking tags, TikTok’s pixel, and similar advertising measurement tools transmit behavioral data — including, in documented cases, the content of search queries, form submissions, and page interactions — to advertising platforms. Healthcare providers, financial services firms, and retailers have all faced significant litigation over pixel deployments that captured and transmitted sensitive user information without adequate disclosure or consent.

AI-powered chat and customer support tools. The newest generation of AI chatbots and customer support automation tools presents the same third-party interception problem as traditional chat widgets, often with less mature privacy controls, less transparent data handling documentation, and less organizational awareness that a compliance obligation exists. As these tools proliferate, they are becoming an increasingly significant source of litigation exposure.

Marketing automation and CRM integrations. Tools that capture form submissions, track email engagement, or monitor website behavior as part of marketing automation workflows — including platforms like HubSpot, Salesforce Marketing Cloud, and Klaviyo — may create interception exposure depending on how they are configured and what they transmit in real time.

In nearly all of these cases, the business did not deploy the tool with any intent to violate visitor privacy. They installed software a vendor recommended or a marketing agency configured, often without any legal review of its data handling practices. Under the FSCA, that context is not irrelevant — but it is also not a complete defense. The statute requires intentional interception, and courts have found that intentionally deploying a tool that intercepts communications, even without understanding that it does so, satisfies the intent element.

What Happens When You Get the Demand Letter

The demand letter is designed to create urgency and anxiety in roughly equal measure. It typically identifies the specific tracking tools found on your website, cites the relevant FSCA provisions, presents a damages calculation based on the number of affected visitors, and offers to resolve the matter for a figure that looks large in isolation but is framed as significantly less than what litigation would cost.

The instinct of many business owners upon receiving this letter is either to ignore it or to immediately call their general business attorney, who may have limited familiarity with the specific litigation dynamics of FSCA wiretapping cases. Both responses tend to produce worse outcomes than engaging quickly with counsel who understands the space.

There are genuinely important questions that experienced privacy litigation counsel can answer in the immediate aftermath of receiving a demand: Does the complaint describe technology actually deployed on your site? Is the damages calculation legally coherent? Has the firm sending the demand actually filed similar cases, or is this a paper threat? What is the realistic range of litigation outcomes if you don’t settle? What remediation steps should you take immediately to stop the accrual of additional exposure?

Johnson Dalal’s presence in this space matters from the defendant’s perspective as well as the plaintiff’s, because understanding how plaintiffs’ firms in Florida are constructing these cases — what they look for, what they consider strong facts, what they treat as a viable defense — is directly useful to any business trying to assess its exposure and decide how to respond.

Captain Compliance: The Tool That Changes the Calculus

The central fact about FSCA and CIPA wiretapping liability is this: it is almost entirely preventable. The legal theory in every one of these cases is built on the same foundation — interception without consent, tracking without disclosure. Address those two elements properly, with technically sound implementation and documented consent records, and the foundation of the plaintiffs’ case does not exist.

This is where Captain Compliance enters the picture as a directly relevant solution for any business inside or outside of Florida concerned about its exposure.

Captain Compliance is a software platform purpose-built to address the specific compliance vulnerabilities that generate wiretapping litigation. It provides consent management infrastructure that is technically sound, legally current, and designed to create exactly the documented consent record that defeats the wiretapping theory at its source.

A properly implemented consent banner — one that clearly identifies the specific third-party tools operating on the site, describes in plain language what data they collect and transmit, and obtains affirmative consent from each visitor before any tracking begins — removes the interception-without-consent problem that anchors every FSCA wiretapping claim. A visitor who has been clearly and accurately informed that session replay software is running, that a third-party chat tool will route their messages through an external server, and who has actively consented to those arrangements before they begin, is not a victim of wiretapping under Florida law. They are a consenting party to a disclosed arrangement.

The platform’s capabilities extend beyond consent banners to address the full compliance architecture these cases require. Captain Compliance provides regularly updated, jurisdictionally-aware privacy notices that account for Florida’s own Digital Bill of Rights, California’s CPRA, and the growing patchwork of state privacy statutes now in effect across the country. For businesses with national website traffic, that multi-jurisdiction currency is not optional — it is table stakes for any serious compliance program.

The consent management functionality creates the audit trail that turns a potential defendant into a business that can show its work. When a plaintiff’s attorney runs a scan of your website and identifies third-party tracking tools, the question their demand letter implicitly asks is: did this business disclose what it was doing and obtain consent before doing it? Captain Compliance makes the answer to that question documented, timestamped, and defensible.

For businesses that have already received a demand letter, the remediation priority is immediate and we can do the heavy lifting for you. Continuing to run undisclosed tracking tools after receiving notice that someone considers them unlawful creates an ongoing accrual of potential damages that no business should allow. Remediating the technical deployment — implementing proper consent infrastructure — stops that accrual and demonstrates to any court or mediator that the business took the complaint seriously and acted in good faith.

For businesses that have not yet received a demand letter but know they are running session replay tools, advertising pixels, third-party chat software, or AI-powered support tools without current, comprehensive consent management — the time to implement Captain Compliance’s platform is now. The economics of waiting are entirely one-sided: the cost of implementation is a fraction of the cost of the smallest FSCA settlement, and the protection it provides accrues from the day it goes live.

The Window Is Narrowing

The FSCA wiretapping litigation trend will not plateau anytime soon as we’ve seen California wiretapping claims go from a few hundred a year to thousands a month. The California experience, now five years into its CIPA wiretapping wave, shows no sign of volume decline. The legal theory has been tested enough to be viable, the economics continue to work, and the technology generating the claims has proliferated rather than retreated. Florida, with its large business community, favorable venue characteristics for plaintiffs’ class actions, and now a roster of serious specialized firms including Johnson Dalal and Morgan & Morgan, is on the same trajectory and this doesn’t include claims over search bar lawsuits.

What changed in California — slowly, meaningfully, and too late for many defendants — is the proportion of businesses that built proper consent management infrastructure before receiving a demand letter. Those businesses are not immune; plaintiffs’ attorneys make targeting errors, and novel legal theories occasionally reach different conclusions in different courts. But they are dramatically less vulnerable, and when challenged, they have documentation that makes early resolution far more likely and far less expensive.

Florida businesses are still in the early stages of that transition. The firms bringing these cases are identifying targets systematically, using automated scanning tools to identify websites running unmasked third-party tracking technology without visible consent frameworks. If your website appears on that scan without a compliant consent management implementation, you are a potential target. That is not speculation — it is how the California litigation wave operated, and it is how the Florida wave is being run.

The question for any Florida business owner running third-party code on their website is a practical one: would you rather spend a modest amount now on a consent management platform that makes you a legally defensible target, or an unpredictable and potentially significant amount later defending or settling a case you might have prevented entirely?

Johnson Dalal, and the firms alongside it, are not running out of defendants to pursue. The pool of Florida businesses with exposed websites is enormous. The firms scanning for them are systematic and well-resourced. And the statute they are using has been on the books for sixty years, waiting for exactly this moment.

Businesses that have received a demand letter or want to evaluate their exposure under the Florida Security of Communications Act can contact us right away or book a demo below. If you want to be proactive and implement consent management and data privacy compliance infrastructure before litigation reaches your firm then you can learn more about Captain Compliance and our consent banner, privacy notice, and consent management platform solutions.