The Old Privacy Laws That May Be Putting Your Business At Risk

Everything old is new again. Mom jeans, animal print, and neon colors are all back in the zeitgeist. When almost anything “outdated” can be reinvented with a modern twist, it’s not just old fashion trends that return to haunt us.
Privacy laws enacted before the internet even existed are making a resurgence, too.
In present-day data privacy litigation, the same statutes that address telephone communications and video store rentals are being used to regulate modern solutions, such as website-tracking technology.
As plaintiffs' firms apply new legal theories to old laws, compliance can feel like a moving target. What trending statutes are putting businesses at risk now?
Web privacy claims & tracking technologies
Every day, millions of people turn to the internet to accomplish a litany of tasks, ranging from making one-click purchases to researching medical symptoms or getting directions. No matter where they go online, one thing unites most users: Three-quarters of Americans feel like they have little control over what happens to their data.
Wrongful collection claims, where a business is alleged to have gathered or shared personal data without proper consent, disclosure, or legal justification, are increasingly common. Among all wrongful collection insurance claims received by Coalition since July 2023, 77% resulted from user activity on websites. But it's not regulatory enforcement driving the majority of these web privacy claims.
Instead, plaintiffs’ firms are finding creative ways to retrofit old statutes to apply to modern technology, often by testing new legal theories related to the 1967 California Invasion of Privacy Act (CIPA) or the 1988 Video Privacy Protection Act (VPPA) with demand letters, arbitration matters, or class-action lawsuits.
At the heart of recent web privacy litigation is the use of analytics technology, scripts installed on a website to collect data about visitors’ behavior, usage patterns, and interactions.
Lawsuits initially focused on healthcare entities and media companies, alleging that they shared patient and consumer information through tracking pixels with third parties, like Meta. Now, plaintiffs’ firms have widened their scope to target small and midsize businesses (SMBs) across many different industries.
In fact, nearly 60% of web privacy insurance claims reported to Coalition came from businesses with less than $100 million in revenue.
“Plaintiffs’ firms are repeating earlier successes seen with large enterprises, but now at scale targeting SMBs. By sending templated demand letters that often cite the same technology or legal violations, many are looking to quickly settle out of court,” said Anne Juntunen, Senior Manager, Claims at Coalition. “Most of the alleged violations focus on decades-old laws, like CIPA and the VPPA, and not modern regulations, which can come as a surprise to smaller businesses with fewer legal and compliance resources.”
CIPA: Don’t eavesdrop on calls or browsing history
California lawmakers passed CIPA in 1967 to address growing privacy concerns related to the unauthorized interception of telephone communications during the Cold War era.
Advances in technology had made it easier for individuals and authorities to secretly listen to private phone calls. To safeguard communications, CIPA prohibited “wiretapping” without both parties’ consent.
For decades, CIPA primarily applied to telephone lines and physical recording devices. But now, wrongful collection litigation argues that tracking technologies, such as cookies and pixels, fall under that same “wiretapping” umbrella.
Almost three-fourths of web privacy claims reported to Coalition allege violations of CIPA. Why are plaintiffs’ firms regularly turning to a law that came out the same year as Sgt. Pepper's Lonely Hearts Club Band?
Financial returns: CIPA imposes potential statutory damages of $5,000 per violation. In a class action lawsuit, these penalties can easily bubble up to six-figure losses by multiplying the damages amount across a large class of plaintiffs.
Room for creativity: Lawsuits have evolved over the years to focus on different aspects of the statute. For example, a wave of lawsuits targeted the use of tracking technologies that “record” user interactions, arguing that this is equivalent to using a “pen register” (a practice prohibited by CIPA without a court order). After a ruling determined that CIPA’s pen register provision does not apply to internet communications, plaintiffs’ firms pivoted to other provisions in the law, like suggesting that online tracking tools allow third parties to intercept communications.
Not just California businesses: A business doesn’t need to be located in California to face lawsuits related to CIPA, as privacy laws attach to the user and their state of residency. In fact, just 20% of web privacy claims alleging violation of California laws were brought against companies actually located in California.
“Lawmakers increasingly recognize that outdated privacy statutes need reform, but progress remains slow despite the costs of inaction,” said Sezaneh Seymour, VP and Head of Regulatory Risk and Policy at Coalition. “California lawmakers have introduced legislation (SB 690) to amend key provisions of CIPA to include a "commercial exception" for routine website business practices. However, that legislation won't be considered until 2026 at the earliest, with no updates likely to take effect before 2027.”
VPPA: Privacy after the Blockbuster era
The 1988 VPPA came into effect when malls reigned supreme and brick-and-mortar video stores were still totally tubular.
After a journalist published Supreme Court nominee Robert Bork’s video rental records, the statute was quickly introduced to prohibit videotape service providers from disclosing a customer’s personal information without consent.
Despite physical video rentals being replaced by streaming services, the VPPA has an impressively long shelf-life due to its broad language. For example, “video service provider” has been interpreted by courts to apply to streaming websites, newsletters, and even cooking blogs — essentially any business with video functionality.
Both media companies and retailers have paid million-dollar settlements to resolve claims that they violated the VPPA by sharing consumer information with third parties. However, recent court rulings suggest an ongoing legal debate over how to apply language from a decades-old statute to modern mechanics of websites, users, and video streaming.
The statute prohibits the disclosure of a consumer’s personally identifiable information (PII). But modern interpretations of both “consumer” and “PII” have varied from court to court, with competing definitions of who qualifies as a consumer of online content and whether an IP address constitutes PII.
The privacy landscape remains in flux
After successfully testing the application of old statutes to analytics technologies, plaintiffs’ firms are now turning their focus to AI-enabled chatbots.
Businesses leverage chatbots to allow consumers to submit questions and get real-time responses generated by large language models. But a new legal theory asserts that the chatbot providers intercept communications between the customer and website owner without consent.
“We’ve seen templated demands now applied to chatbots, alleging that businesses should have disclosed that the conversation was being recorded. They’re citing the decades-old Florida Security of Communications Act, which was enacted long before chatbot technology,” said Cara Thompson, Assistant General Counsel, Data Privacy and Security at Coalition.
Like tracking technologies, AI-enabled chatbots have become the target of wiretapping allegations. Plaintiffs’ firms have argued that chatbots violate CIPA, specifically by “intercepting communications while in transit to learn the contents of the communication.”
Businesses can’t afford to treat web privacy as a one-time project because plaintiffs’ firms continue to test new legal theories. And websites evolve: tracking technologies can be deployed on microsites and campaign pages without centralized oversight.
Both the lack of visibility and evolving web-privacy litigation make wrongful collection claims increasingly likely for SMBs. The answer? Businesses need to treat privacy risk with the same rigor as cybersecurity — an adaptive and continuous discipline.
This article originally appeared in the October 2025 edition of the Cyber Savvy Newsletter.





