New Privacy Risk Insights to Help Navigate Wrongful Collection

As the privacy landscape shifts rapidly, an emerging category of cyber risk, wrongful collection, is catching many businesses off guard. To make matters worse, wrongful collection claims target legal exposures that most organizations don't even know they have.

The growing wrongful collection challenge

In our new report, The State of Web Privacy, we found that the majority of wrongful collection claims stem from three core issues:

1. Unlawful data collection: Companies collecting personal information without meeting legal consent requirements

2. Unauthorized third-party data sharing: Companies sharing personal information, often through web tracking technologies deployed by marketing or product teams without proper disclosure

3. Inadequate or missing consent mechanisms: Companies lacking or improperly implementing cookie banners, opt-out links, and privacy controls

What makes these practices unlawful is often the company’s failure to provide proper notice and consent to website users in their privacy policies. Companies may be collecting data or sharing it with third parties in ways that would be legally permissible if only they had obtained consent or and compliantly disclosed it first.

The key challenge for businesses is visibility. Those who purchase cyber insurance on behalf of their organization may not have insight into what privacy controls their organizations have in place or where their exposures lie. Marketing and web teams may deploy tracking pixels and analytics tools to the company’s website without realizing the privacy risk such tools can pose. This disconnect between risk ownership and operations can create a significant blind spot.

Introducing Active Privacy Protection

To address this growing challenge, Coalition launched Active Privacy Protection, applying our revolutionary Active Insurance approach to privacy risk management. We're now integrating Privacy Risk insights into two of our core risk management tools: the Cyber Risk Assessment and Coalition Control®.

Privacy Risk insights in the Cyber Risk Assessment

Every Coalition quote now includes Privacy Risk insights as part of our free Cyber Risk Assessment. This addition provides both brokers and policyholders with immediate visibility into their privacy exposures.

The insights are pulled from our assessment of the organization's websites, focusing on the following key areas:

• Privacy Risk Score by domain: See a high-level score based on a review of the exposures versus controls.

• Exposure identification: Get a breakdown of the tracking technologies and third-party integrations detected on a company’s website that may create liability

• Policy gap analysis: Learn which privacy policy disclosures are missing or outdated

• Consent Mechanisms: Identify which consent mechanisms are in place or missing

For example, the updated assessment might reveal that a business’ main website has robust privacy controls currently in place, but a subsidiary domain is missing key consent mechanisms. Or it might show that the privacy policy was last updated 28 months ago while new tracking technologies have been deployed more recently.

Deeper insights through Coalition Control

For Coalition policyholders, these Privacy Risk insights are also integrated into Coalition Control, providing ongoing monitoring and detailed analysis of the organization’s privacy posture alongside its cybersecurity risk.

What we're analyzing: Privacy controls & exposures

Our Privacy Risk insights cover two critical dimensions: the privacy controls an organization has in place and the exposures that could create liability.

Privacy controls

Privacy policy disclosures: We automatically scan and analyze an organization’s privacy policies to verify the presence of this key information:

• Regular updates with the most recent update clearly identified

• Complete contact information for privacy inquiries

• Clear opt-out mechanisms for user data collection and sharing

• Detailed user rights sections covering access, rectification, and deletion rights

• Explicit disclosures about tracking technologies 

Consent mechanisms: We also evaluate the privacy control tools websites deploy, for example:

• Cookie consent banners that enable proper cookie compliance

• "Do Not Sell" links required by the California Consumer Privacy Act (CCPA) and other state privacy laws

• Global Privacy Control (GPC) implementation to honor standardized browser privacy preferences, which are also required by the CCPA

Privacy exposures 

Tracking technologies: Our scan identifies and categorizes tracking tools present on an organization’s websites:

• Analytics tools like Google Analytics and Meta Pixel that collect behavioral data

• Session replay tools like Pendo or Hotjar that record detailed user interactions and may capture personally identifiable information

• Geolocation tracking tools that pinpoint user location data—which are particularly high-risk due to the sensitive nature of location information

Third-party domains: We identify the external domains that your website(s) connect to and cross-reference them against known data brokers and tracking networks. A high number of third-party connections, especially to domains known for tracking, can present significant privacy risk exposure.

Taking action on privacy risk

As wrongful collection claims continue to rise, proactive privacy risk management is becoming essential, helping protect organizations from emerging privacy-related exposures.

For brokers, these Privacy Risk insights provide concrete points for risk conversations with clients, such as pointing to specific missing disclosures or problematic tracking implementations. Download a Cyber Risk Assessment for your clients or check out this sample. 

For policyholders, providing these insights enables informed decision-making about privacy investments and helps bridge the gap between technical implementation and business risk management. Access these Privacy Risk insights for your business in Coalition Control today.

This blog post is provided for general informational and discussion purposes only. The analysis, conclusions and opinions stated herein, as well as in The State of Web Privacy report, are our own. Although we believe our findings are appropriate for generalization, we make no claim that they are representative of all data privacy related matters or to your unique situation. In addition, while we strive to provide accurate and up-to-date information, the data privacy landscape is rapidly evolving, and therefore, this blog, as well as the report, may not reflect the most current privacy developments. These materials are not intended to be a substitute for legal or professional advice. We encourage you to seek the advice of a qualified professional with any questions or concerns you may have. Any action you take based upon these materials is strictly at your own risk. Neither Coalition, Inc., nor any of its affiliates, will be liable for any losses or damages in connection with your use of or reliance upon these materials. This blog post may include links to third-party websites. These links are provided as a convenience only.

Coalition Control is provided by Coalition Incident Response, Inc., or one of its affiliates, dba Coalition Security, an affiliate of Coalition Inc. Coalition Security does not provide insurance products. 

Copyright © 2025. All rights reserved. Coalition, Coalition Control and the Coalition logo are trademarks of Coalition, Inc.