
How Privacy Litigation Impacts Small and Midsize Businesses

Cara Thompson, September 25, 2025

No matter the size or sector, every business relies on data for daily operations. Customer information, employee records, and transactional archives keep the wheels turning.

Consumers and regulators rightly expect businesses to handle all of this information with care, but a single error can result in thousands of dollars in penalties or damages.

Over the past five years, the consequences of wrongful data collection have become increasingly visible, with Big Tech companies making headlines after incurring significant fines for violating applicable privacy laws.

From 2020 to 2024, the number of data privacy lawsuits filed in U.S. federal courts doubled. But it's not just large enterprises that are at risk of data privacy litigation. In fact, the majority of wrongful collection claims received by Coalition involve businesses with under $100M in revenue.

Without access to extensive legal resources, small and midsize businesses (SMBs) are often unaware that they are violating privacy laws in the first place. Below, we’ll explore the challenges SMBs face navigating compliance and best practices to reduce their exposure.

The reality of data privacy compliance for SMBs

Big expectations, limited resources 

The average consumer is concerned about the safety of their personal information, especially as it becomes more common to do everything online, from placing mobile grocery orders to participating in virtual doctor appointments. 

In 2018, the General Data Protection Regulation (GDPR) took effect, harmonizing privacy law across the European Union and giving individuals more control over their data. Since then, a number of comprehensive consumer privacy laws have followed in the U.S., such as the California Consumer Privacy Act (CCPA).


In 2024 alone, seven U.S. states passed new privacy legislation. For businesses, keeping up with a patchwork of privacy laws and regulations, many of which are still in flux, is a daunting task. And compliance isn't cheap: California's Department of Finance estimated that businesses with more than 500 employees would incur an average of $2 million in initial costs to comply with the CCPA's requirements.

Without access to internal compliance expertise, many SMBs are particularly vulnerable to litigation related to “wrongful” data collection practices. In fact, 80% of SMBs admit to knowing very little about how data protection laws affect their business. 

Old laws, modern applications

Many alleged privacy violations also arise from much older statutes, such as the 1967 California Invasion of Privacy Act (CIPA) and the 1988 Video Privacy Protection Act (VPPA), which are being (creatively) applied to modern technology, like website tracking pixels and personalized advertising. 

Tracking pixels are small snippets of code (typically a vendor script or a 1×1 image request) embedded in web pages that let businesses collect data on visitors' activity, such as clicks and time spent on a page. By assigning each visitor a unique identifier, usually stored in a cookie or matched to the visitor's account with the ad platform, pixels can link activity across sessions and devices.

Under CIPA and the VPPA, plaintiffs' attorneys allege that ad-tracking technology qualifies as a "trap and trace device" and that any website with a video player is a "video tape service provider," exploiting the gap between modern consent mechanisms and statutes written decades before those mechanisms existed.

Lawsuits aren’t just hitting big tech 

Meta, Google, and Amazon have all made headlines for lawsuits over their data collection practices, with Google recently ordered to pay $425M over allegations that it kept collecting users' data after they tried to disable a tracking setting on their accounts.


Many SMBs may think they are too small to be a target for data privacy litigation or regulatory fines because they don’t see their cohorts in the same headlines. But no matter their size, if a business is collecting and storing data, they can be held liable for mishandling it.

The privacy litigation playbook doesn’t discriminate

Plaintiffs’ attorneys are increasingly looking for “easy wins” as they scan the web. The common targets are businesses that are unintentionally mishandling data and likely to settle out of court. 

Because these claims rest on decades-old laws like CIPA and the VPPA, written before the web existed, what counts as "compliance" is often open to legal interpretation. The strategy is simple:

  1. Plaintiffs' attorneys scan websites for privacy violations. They look for third-party tracking technology, like pixels from Meta, TikTok, and LinkedIn. These tools are often not disclosed in the business's privacy policy, which creates liability.

  2. Send a demand letter outlining a legal theory. Plaintiffs' attorneys contact the business and allege violations of the law without filing a formal lawsuit. Many cite CIPA, claiming that ad-tracking technology amounts to "wiretapping and recording communications."

  3. The target settles to make the problem go away. To avoid negative publicity or additional defense costs, many businesses settle with the plaintiffs' attorney.

Fines and damages add up quickly 

Seemingly minor issues, like unclear cookie banners or improperly configured tracking tools, can result in significant penalties for SMBs. Under most regulations, fines accrue for each violation. 

For example, the civil penalties for violations of CCPA range between $2,500 and $7,500 per violation and each affected person’s data can be treated as a separate violation. Consequently, one technical misstep can result in hundreds of thousands of dollars in penalties. 

Geographic boundaries look different online 

Compliance requirements generally follow where the user resides, not where the company is located. Even if just one California resident visits the website, a business can be held liable for violating California privacy laws.

Imagine that there is a small New York-based retailer that sells kitchen supplies online. It uses ad-tracking technology to monitor user behavior but doesn't mention the use of the tool in its privacy policy. With users from across the country, including California, the retailer can be hit with a demand letter that alleges a violation of CIPA.

The retailer has to keep up with an entire patchwork of state laws, not just those enacted in New York.

How SMBs can reduce their risk 

1. Keep privacy policies up-to-date

Regulators often check when a business last updated its privacy policy. Regularly reviewing your company's privacy policy to ensure it accurately describes what data is collected and how it will be used, including any tracking tools, is a critical compliance control.

2. Give users control over their personal data

Most privacy laws require businesses to give website users control over their personal data. There are two broad options:

  • Opt-out: Track users by default, but explain in the privacy policy how users can opt out of specific data collection practices, honor browser opt-out signals such as Global Privacy Control, and add a "Do Not Sell or Share My Personal Information" link.

  • Opt-in: Present a consent banner to users when they first access your business' website, giving them the option to accept or reject specific data collection practices. Tracking should only start after a user agrees to it.
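The opt-in model above only works if the tracking tags are physically prevented from loading until consent exists, and the opt-out model only works if browser signals are actually read. The following consent gate is an added example, not code from the original post or from Coalition. The vendor loader URLs are each vendor's public pixel script; the cookie name `site_consent` and its value format are assumptions made for this example, and the browser-signal check uses `navigator.globalPrivacyControl`, the flag Global Privacy Control exposes to pages.

```javascript
// Added example (not from the original post): a consent gate for third-party
// tracking tags. Loader scripts are injected only after the visitor opts in,
// and a Global Privacy Control opt-out signal is treated as a refusal even
// when a stored consent record says "accepted".

const TRACKER_LOADERS = {
  meta:     "https://connect.facebook.net/en_US/fbevents.js",
  tiktok:   "https://analytics.tiktok.com/i18n/pixel/events.js",
  linkedin: "https://snap.licdn.com/li.lms-analytics/insight.min.js",
};

// Parse the consent record out of a raw document.cookie string. Cookie name and
// format are assumptions for this example:
//   site_consent=accepted:meta,linkedin   (opted in to the listed vendors)
//   site_consent=rejected                 (declined)
// Returns null when the visitor has not answered the banner yet.
function parseConsentCookie(cookieString) {
  const m = /(?:^|;\s*)site_consent=([^;]*)/.exec(cookieString || "");
  if (!m) return null;
  const [status, list] = decodeURIComponent(m[1]).split(":");
  return { status, vendors: list ? list.split(",").filter(Boolean) : [] };
}

// Decide which vendors may load. Pure function: `consent` is the parsed record
// (or null), `gpc` is the browser's Global Privacy Control flag. Precedence:
// GPC opt-out, then explicit rejection or no answer, then per-vendor opt-in.
function allowedVendors(consent, gpc) {
  if (gpc === true) return [];
  if (!consent || consent.status !== "accepted" || !Array.isArray(consent.vendors)) return [];
  return Object.keys(TRACKER_LOADERS).filter((v) => consent.vendors.includes(v));
}

// Inject one <script> per allowed vendor and return the vendors loaded. `doc` is
// a parameter so the gate can be exercised against a fake document in tests; in
// a browser, pass `document`. Each vendor's init/track calls (which need your
// pixel ID) come after this point and must sit behind the same gate.
function loadTrackers(doc, consent, gpc) {
  const loaded = [];
  for (const vendor of allowedVendors(consent, gpc)) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = TRACKER_LOADERS[vendor];
    doc.head.appendChild(s);
    loaded.push(vendor);
  }
  return loaded;
}

// Browser entry point: nothing loads until both the signal and the consent
// record have been checked. Guarded so the file also loads under Node.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const gpc = navigator.globalPrivacyControl === true;
  loadTrackers(document, parseConsentCookie(document.cookie), gpc);
}
```

The important design choice is that `allowedVendors` is a pure decision function with the browser signal as an explicit input, so the rule "GPC beats a stored acceptance" can be unit-tested and audited without loading a page. Anything that fires a network request to a vendor, including `<noscript>` image beacons in the HTML itself, has to be removed from the static page and routed through this gate, or the gate is cosmetic.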

3. Disable unnecessary ad-tracking technology 

Businesses should look at all of the tracking tools on their website (Google Analytics, Meta pixels, etc.) and ask: “Is this data actually used to make business decisions?” 

Pay special attention to TikTok pixels, Twitter analytics, and LinkedIn Insight tags; these data collection tools are disproportionately represented in Coalition's claims data.

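Before deciding which tags to keep, a business needs an honest inventory of what is actually on its pages, which is the same evidence the scanning step of the litigation playbook above turns up. The following static scan is an added example, not code from the original post or from Coalition. The hostnames are the loader and beacon hosts each vendor publicly documents, the inline signatures are the init calls in each vendor's standard snippet, and the sample page is constructed for this example with placeholder pixel IDs.

```javascript
// Added example (not from the original post): a static inventory of third-party
// tracking tags in a page's HTML. Vendor hostnames and inline init signatures
// are public; the sample HTML is constructed and its IDs are placeholders.

const KNOWN_TRACKERS = [
  { vendor: "Meta pixel",       hosts: ["connect.facebook.net", "www.facebook.com"] },
  { vendor: "TikTok pixel",     hosts: ["analytics.tiktok.com"] },
  { vendor: "LinkedIn Insight", hosts: ["snap.licdn.com", "px.ads.linkedin.com"] },
  { vendor: "X/Twitter pixel",  hosts: ["static.ads-twitter.com"] },
  { vendor: "Google tag",       hosts: ["www.googletagmanager.com", "www.google-analytics.com"] },
];

// Inline initialisation calls that show a tag is live even when its loader is
// pulled in by a tag manager rather than a visible <script src>.
const INLINE_SIGNATURES = [
  { vendor: "Meta pixel",       name: "fbq('init')",          pattern: /\bfbq\s*\(\s*['"]init['"]/ },
  { vendor: "TikTok pixel",     name: "ttq.load()",           pattern: /\bttq\.load\s*\(/ },
  { vendor: "LinkedIn Insight", name: "_linkedin_partner_id", pattern: /_linkedin_partner_id\s*=/ },
  { vendor: "X/Twitter pixel",  name: "twq('config')",        pattern: /\btwq\s*\(\s*['"](?:init|config)['"]/ },
  { vendor: "Google tag",       name: "gtag('config')",       pattern: /\bgtag\s*\(\s*['"]config['"]/ },
];

// Scan raw HTML and return [{ vendor, evidence: [...] }], one entry per vendor.
function findTrackers(html) {
  const report = new Map();
  const add = (vendor, evidence) => {
    if (!report.has(vendor)) report.set(vendor, new Set());
    report.get(vendor).add(evidence);
  };
  // 1. Every hostname in an absolute or protocol-relative URL, whether it sits
  //    in a src attribute, a <noscript> image beacon, or an inline loader string.
  const hostRe = /(?:https?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  let m;
  while ((m = hostRe.exec(html)) !== null) {
    const host = m[1].toLowerCase();
    for (const t of KNOWN_TRACKERS) {
      if (t.hosts.includes(host)) add(t.vendor, "host:" + host);
    }
  }
  // 2. Inline init calls from the vendors' standard snippets.
  for (const s of INLINE_SIGNATURES) {
    if (s.pattern.test(html)) add(s.vendor, "inline:" + s.name);
  }
  return [...report].map(([vendor, ev]) => ({ vendor, evidence: [...ev].sort() }));
}

// The vendor list a privacy policy must disclose (and a consent gate must cover).
function vendorsOnPage(html) {
  return findTrackers(html).map((r) => r.vendor).sort();
}

// Constructed sample page: a Google tag, a Meta pixel (loader snippet plus the
// <noscript> beacon) and a LinkedIn Insight tag, next to a first-party script.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-0000000000');</script>
<script>
!function(f,b,e,v,n,t,s){/* vendor loader omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script>_linkedin_partner_id = "0000000";</script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js" async></script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</body></html>`;

console.log(JSON.stringify(findTrackers(SAMPLE_HTML), null, 2));
```

Run it against saved copies of your own pages (`curl -s https://your-site/ > page.html` and read the file in), then compare the vendor list with what the privacy policy discloses and with what the consent banner actually gates. A static scan like this misses tags injected at runtime by a tag manager, so treat an empty result as "nothing in the HTML" rather than "nothing on the page"; the browser's network panel or a headless-browser crawl is the follow-up check.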

4. Get covered 

Given the current regulatory and legal landscape, many cyber insurance providers have adopted strict exclusions for costly wrongful-collection claims, or stay "silent" on coverage, leaving policyholders potentially exposed.

Businesses should check their current cyber insurance policy to confirm they are protected (and identify where they are not). Coalition provides dedicated sublimits for Wrongful Collection with our Enhanced Privacy Liability endorsement. Contact your broker to learn more.


This blog post, as well as Coalition’s privacy roadmap, is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. The reader is cautioned to consult independent professional advisers and formulate independent conclusions and opinions regarding the subject matter discussed herein. Coalition is not responsible for the accuracy or completeness of the contents herein and expressly disclaims any responsibility or liability based on any legal theory or in any form or amount, based upon, arising from or in connection with, for the reader’s application of any of the contents herein to any analysis or other matter, nor do the contents herein guarantee and should not be construed to guarantee any particular results or outcome. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only.
Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.
