Newsletters
Risk Central
Digital EditionOutdated Privacy Laws Fuel Wave of Business Litigation
A new generation of privacy litigation is sweeping across the business landscape—driven not by regulators, but by plaintiff attorneys who have weaponized half-century-old privacy laws to target companies far beyond Silicon Valley’s largest players, according to a Coalition analysis of web privacy claims.
The nature of data privacy risk has fundamentally transformed, the report said. What once centered on major technology providers protecting customer information from hackers has evolved into a complex legal terrain where businesses of all types face lawsuits based on how they collect, disclose, and share data in the first place.
The plaintiff bar has turned this reality into a systematic business model. Four law firms—Tauler Smith, Swigart Law, Pacific Trial Attorneys, and Gutride Safier—have collectively pursued nearly three-quarters of web privacy claims by deploying templated demand letters designed to force settlements before formal litigation begins, according to the report. Tauler Smith alone accounts for 27% of all web privacy claims, followed by Swigart Law at 25%, the report said.
What makes this litigation strategy so effective is that it targets technologies embedded in everyday business operations, Coalition said. Among the web privacy claims analyzed, 73% alleged misuse of analytics tools like Google Analytics, the Meta Pixel, and TikTok’s tracking technology. The Meta Pixel alone appeared in 43% of analytics-related privacy claims—a technology installed on millions of websites worldwide.
A majority of wrongful collection claims are based on modern interpretations of older statutes, Coalition found. Nearly three-quarters of all web privacy claims cite the California Invasion of Privacy Act, a statute enacted in 1967 to address telephone wiretapping before the internet existed, the report said. Other frequently cited laws include the Video Privacy Protection Act from 1988 and the Florida Security of Communications Act from 1969. Lawmakers who drafted these statutes could not have anticipated they would become tools for challenging modern web tracking practices.
Who’s Getting Sued—And Why It Matters
The narrative that privacy litigation only impacts major technology companies no longer holds weight, according to Coalition’s analysis. Nearly 60% of web privacy claims targeted businesses with less than $100 million in revenue, often in consumer-facing industries like retail and health care. Consumer discretionary businesses represented 43% of all claims, with clothing and specialty retailers particularly vulnerable. Health care providers accounted for 17% of claims.
This concentrated exposure among smaller companies rather than technology giants reflects both how broadly web-tracking technologies are deployed and how cost-effective they have become as targets for litigation. A business with multiple third-party vendors embedded on its website can face statutory damage claims of thousands of dollars per alleged violation. In one case documented in Coalition’s analysis, a defendant faced a $280,000 demand based on $5,000 in alleged damages per vendor, with 56 vendors installed on a single webpage.
The targeting of health care and retail businesses reveals another pattern: industries that rely heavily on web engagement and customer analytics have become prime litigation targets. These businesses often lack the compliance infrastructure of enterprise technology companies and operate with less sophisticated privacy practices.
What Companies Need to Do Now
The path forward requires businesses to treat data privacy as a continuously evolving risk rather than a static compliance exercise, Coalition said. Most web privacy claims originated from website tracking technologies—77% of all wrongful collection claims—yet only 19% of websites deploy consent banners offering users privacy choices. Among the highest-traffic websites, that number climbs to 61%, suggesting significant gaps in lower-traffic sites.
Many businesses remain vulnerable even when investing in modern privacy frameworks like GDPR and CCPA compliance because litigation is driven by older statutes being reinterpreted in contemporary contexts. The solutions require moving beyond checkbox compliance toward active monitoring of data collection practices, transparent disclosure of how customer data flows through third-party vendors, and regular updates to privacy policies and consent mechanisms.
“Privacy litigation risk has grown substantially and continues to evolve, much like cyber risk. For businesses, especially small and midsize organizations, keeping track of complex privacy laws is a
significant challenge,” added Daniel Woods, principal researcher at Coalition.
Obtain the full report here. &
