Businesses are increasingly being pulled into lawsuits over how they collect and share user data online. What was once the domain of large tech firms is now a widespread legal risk for companies of all sizes. The latest analysis from cyber insurer Coalition shows that outdated privacy laws are driving a surge in web privacy claims, with small and midsize businesses now common targets.
Figure: Third parties named in web privacy claims (Source: Coalition)
A growing threat from routine web tools
Coalition analyzed nearly 200 data privacy-related insurance claims and scanned 5,000 business websites to assess exposure. The research found that 77 percent of wrongful collection claims came from web activity, often tied to everyday tracking technologies. Tools like pixels, analytics platforms, and chatbots are now central to many lawsuits alleging unlawful data collection or disclosure.
Websites frequently rely on tracking technologies to personalize content and measure engagement, but the same tools can open the door to claims that users were tracked without proper notice or consent. The Meta Pixel, for example, was cited in 43 percent of all web privacy claims.
Analytics misuse was the top allegation, appearing in almost three-quarters of the analyzed cases. In many instances, these claims stem from technologies businesses install automatically, often without realizing the potential legal implications.
Old laws, new interpretations
The research found that nearly three-quarters of web privacy claims cited the California Invasion of Privacy Act (CIPA) of 1967. Far fewer referenced modern laws such as the GDPR or California Consumer Privacy Act (CCPA). Other decades-old statutes, including the 1988 Video Privacy Protection Act, have also been revived in new ways.
This means that businesses may be caught off guard even if they have invested heavily in compliance with newer regulations. A website might be fully aligned with today’s privacy frameworks yet still be accused of violating laws written long before digital tracking existed.
In California, proposed legislation such as Senate Bill 690 aims to curb this wave of litigation, but until new rules are in place, lawyers are making extensive use of the old ones. According to the researchers, four law firms accounted for 72 percent of all web privacy claims. Their approach often involves sending near-identical demand letters alleging violations under state wiretap or privacy acts and seeking fast settlements to avoid lengthy court proceedings.
Small businesses, big exposure
The researchers found that 59 percent of web privacy claims were reported by companies with less than $100 million in revenue. These smaller organizations often rely on third-party web tools for marketing and analytics, which makes them easy targets for wrongful collection allegations.
Retailers and hospitality firms accounted for much of this activity, but healthcare organizations also featured prominently. Given the sensitivity of health data, hospitals and clinics that use online tracking technologies risk scrutiny over how patient information is handled.
Even industries not traditionally viewed as consumer-facing, such as manufacturing and nonprofits, showed measurable exposure. Many claims were filed against companies located outside California, since state privacy laws apply to residents’ data regardless of where a business operates.
Chatbots join the list of risks
Chatbots appeared in 5 percent of the claims, a small but notable share given how recently businesses began adopting them. The claims alleged that customer conversations were intercepted without consent, often under state wiretap laws written in the 1960s. Each case followed a similar pattern: the chatbot failed to disclose that conversations were recorded, triggering a potential violation.
Privacy controls lag behind
Coalition’s website scans revealed that only 19 percent of businesses displayed a consent banner to inform visitors about data collection. Adoption was much higher (61 percent) among heavily trafficked sites. Many smaller or less visited sites still lacked basic privacy disclosures.
About half of all privacy policies examined included a generic statement saying users were tracked, while fewer than one-third detailed the specific technologies used. Only 37 percent of low-traffic websites had updated their privacy policy within the past year, compared to 71 percent of highly visited ones.
The gap suggests that smaller businesses often treat privacy compliance as a one-time exercise rather than an ongoing responsibility.
Litigation outpaces regulation
The research shows that lawsuits are moving faster than regulators can respond. As law firms scale up and old laws get new life online, more businesses are being pulled in.
Coalition’s analysis found that many businesses do not have visibility into which tracking technologies are deployed across their web domains. Traditional compliance checklists are proving insufficient for this environment. The researchers found that the litigation trend thrives on inconsistencies: privacy policies that lack detail, outdated consent mechanisms, or invisible data-sharing practices that users never agreed to.
