Debunking 4 Myths Around Wrongful Collection

We often hear talk about “cybersecurity insurance.” It makes sense. Cybersecurity is a well-known term and most insurance claims result from security failures. The problem is that the term “cybersecurity insurance” sells the product short.
The reality is that standalone cyber insurance policies can include coverage for many different losses that don’t necessarily result from a breach of security, such as an accidental digital outage at the policyholder’s supplier (e.g. the AWS outage).
Yet, because the cyber insurance industry’s education efforts often center on security-based incidents like ransomware, many businesses are left with dangerous blind spots. For example, wrongful data collection claims, where companies face third party legal claims that they violated privacy rights in their processing of personal data through their website, are increasingly common.
Despite the emerging risk, many businesses underestimate their exposure because they misunderstand what drives privacy litigation in the first place.
With our new report, The State of Web Privacy, we’re bridging the gap between perceived misconceptions, or privacy myths, and reality. To shed light on the practices and technologies that lead to legal action against companies, Coalition examined nearly 200 wrongful collection insurance claims and analyzed the scans of 5,000 business websites. Below, we’ll use key insights from the report to debunk four of the most persistent myths tied to wrongful collection.
Myth #1: Data privacy is just a cybersecurity issue
Between 2022 and 2024, the number of federal lawsuits filed involving allegations of data privacy violations against companies has nearly doubled. There’s no sign that legal action is slowing soon, either.
Part of this trend results from lawsuits filed after security incidents during which customers were notified about their data being exfiltrated. However, the trend is also driven by an increase in “wrongful collection” lawsuits that allege violations related to the legal right to collect or store data gathered in connection with a user’s interface with a company’s website in the first place.
Threat actors excluded: Some of the highest severity legal cases result from “wrongful collection,” where the company gathers data from its website and shares it with third parties without proper consent.
For example, Advocate Aurora Health entered into a class-action settlement for $12.25 million in 2023 after allegations of illegally sharing patient data with Meta through its tracking pixel found on its website. In addition, Hulu and The Boston Globe faced lawsuits that alleged video-viewing histories and other personal data from website users were improperly gathered and shared with third parties, resulting in multi-million dollar settlements.

The common thread? Website tracking technologies. Across wrongful collection claims reported to Coalition, 77% trace back to tracking tools embedded on websites, suggesting that web privacy needs to be on businesses’ radar along with cyber threats.
Myth #2: Modern regulations drive most web privacy claims
Lawmakers introduced stronger data privacy regulations, such as the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US, to give individuals more control over how their data is handled. Dozens of other states have followed suit, introducing their own comprehensive privacy laws.
Despite businesses dedicating significant time and resources to comply with modern privacy regulations, it’s decades-old statutes that are driving the majority of web privacy claims:
Video Privacy Protection Act (VPPA): In 1988, the VPPA was introduced to prohibit videotape service providers from disclosing a customer’s personal information without consent. Today, plaintiffs allege that essentially any website with video functionality can act as “video service providers,” and therefore, should be afforded protections under this law.
California Invasion of Privacy Act (CIPA): Lawmakers introduced CIPA in 1967 to address growing privacy concerns related to the unauthorized interception of telephone communications. Modern wrongful collection litigation seeks to expand its applicability, arguing that tracking technologies, such as cookies and pixels, count as “wiretapping,” and therefore, should be viewed as violations under CIPA.
Nearly three-fourths of web privacy lawsuits cited CIPA, while only a handful of claims cited modern privacy laws, such as the GDPR and CCPA. This may well change going forward as, for example, the California Privacy Protection Agency ramps up enforcement.
Myth #3: Only large enterprises experience privacy litigation
The first wave of web privacy litigation focused on national healthcare entities, large media companies, and tech giants. After seeing record-breaking settlements, plaintiffs’ attorneys began to make allegations using similar legal theories at scale, turning their attention to small and midsize businesses (SMBs). In the last year, nearly 60% of Coalition’s web privacy claims were reported by businesses with less than $100 million in revenue.

No business is too small to be at risk. This is partly because the technologies at the heart of litigation — analytics tools, third-party data sharing, and chatbots — are now widespread and deployed on millions of websites, including SMBs. The misuse of these analytics tools, such as Meta Pixel and Google Analytics, led to 73% of web privacy claims.
Web privacy claims cut across nearly every industry because virtually every business maintains an online presence and uses digital tools to track web usage, understand user behavior, and serve targeted ads, all of which may unknowingly put the business at risk.
Myth #4: Compliance checklists are the answer
Most businesses turn to annual compliance reviews and static checklists to ensure they are meeting compliance standards and modern web privacy laws and statutes. Unfortunately, in today’s evolving landscape, that isn’t enough:
The legal landscape is in flux: As plaintiffs’ firms apply new legal theories to decades-old laws, compliance becomes a moving target. While some courts dismiss certain cases, other courts generate rulings that trigger a flood of new litigation.
A lack of centralized oversight: Many businesses are unaware of how many tracking technologies are deployed across their sprawling web estates. Microsites or campaign-specific landing pages may include unvetted trackers, introducing new risks.
Law firms will continue to test novel theories and legal loopholes. In turn, businesses need to treat web privacy as an ever-present and evolving threat, just like cyber risk.
Don’t fall victim to wrongful collection allegations: Businesses that proactively manage their websites’ data collection practices, disclose them transparently to users, and respond swiftly to customer concerns are far better positioned to withstand scrutiny and prepare for the future.
Download the full State of Web Privacy report and stay ahead of emerging privacy risks.






