Privacy Litigation Risk Grows ‘Substantially,’ According to Coalition Report

Privacy litigation is shaping up to be the “next frontier of digital risk,” according to Coalition’s new “State of Web Privacy” report.

The report, based on nearly 200 cyber insurance claims and scans of 5,000 business websites, shows that lawsuits over how businesses collect and use data have surged. It also found that the increase is driven largely by aggressive plaintiff’s attorneys leveraging decades-old privacy laws in modern contexts.

“Privacy litigation risk has grown substantially and continues to evolve, much like cyber risk,” said Daniel Woods, principal researcher at Coalition. “For businesses, especially small and midsize organizations, keeping track of complex privacy laws is a significant challenge.”

“At the center of these lawsuits is the issue of wrongful collection, the practice of gathering or sharing personal data without proper consent, disclosure or legal justification,” the report said. “In many cases, this is the result of a business using web-tracking technologies without clearly disclosing how data is used or obtaining the required permission.”

“Understanding wrongful collection is critical for businesses that rely on digital engagement, as it’s not just about whether businesses protect customer data from cyber criminals, but whether the data was collected lawfully in the first place,” it said.

The findings highlight how privacy exposure has expanded beyond large enterprises, with nearly 60% of web privacy claims reported by businesses with less than $100 million in revenue.

The report also found that 77% of all wrongful data collection claims originated from website tracking and 73% of claims involved analytics technologies, such as Google Analytics or the Meta Pixel.

Further, chatbots accounted for 5% of all claims, with lawsuits citing decades-old state wiretap laws like Florida’s Security of Communications Act, which were written long before these technologies existed.

Despite new frameworks such as the GDPR and CCPA, most privacy lawsuits don’t stem from these regulations. Instead, nearly three-fourths of all web privacy lawsuits cited the 1967 California Invasion of Privacy Act (CIPA), a law that was originally designed to protect telephone communications. Plaintiff’s attorneys are now reinterpreting those statutes for today’s digital tracking ecosystem, the report said.

Coalition found that just four law firms were responsible for 72% of all web privacy claims, using nearly identical demand letters to drive fast settlements before lawsuits ever reach court.

“Just as they did with federal TCPA robocall and texting litigation, plaintiff’s firms are testing the limits of old state statutes to allege privacy-related claims in ways legislators never intended,” says Eric Lipton, Big “I” senior counsel and a Certified Information Privacy Professional (CIPP). “Demand letters may increasingly target digital data collection methods, such as cookies or even an artificial intelligence (AI) chatbot or notetaker.”

Crucially, outdated or vague privacy policies add to the risk. Coalition found that while 73% of high-traffic websites updated their privacy policies within the past year, only 37% of low-traffic websites had done the same. Even more concerning, only 29% of privacy policies specifically disclosed which tracking technologies were in use. And just 19% of websites deployed consent banners to request user permission.

The report also defined the term “wrongful collection,” which first emerged in the cyber insurance industry to describe claims involving the improper gathering of biometric data.

However, it has since broadened to encompass a wide range of privacy rights disputes. It can also refer to situations where a business collects data lawfully but later misuses it, such as sharing an IP address with a third party without consent, sending unsolicited messages to stored phone numbers, failing to delete data upon customer request or inadvertently disclosing information to an unintended recipient.

As more businesses rely on digital engagement tools, privacy risk management must become a continuous process: monitoring what data is collected, how it’s shared and how transparently it’s disclosed to users, the report warned.

For independent agents who assume the role of risk manager or advisor, that means guiding clients toward stronger privacy controls, more transparent data practices and cyber insurance coverage that includes privacy violation protection.

“Agents can help mitigate their risk by ensuring appropriate disclosures are provided in privacy policies and client interfaces, and consents are collected as needed,” Lipton adds.

Will Jones is IA editor-in-chief.