Wrongful collection litigation, claims that a company’s website or app collected, shared or intercepted visitor data without valid consent, has become one of the fastest-growing sources of class action exposure in the U.S.
Many common marketing technologies are under scrutiny, including tracking pixels, session replay software, chat widgets, analytics scripts, cookies and mobile SDKs. Any organization with a public-facing website that collects consumer data may face exposure, regardless of where it is headquartered.
The Legal Landscape
Website tracking risk continues to expand across state and federal laws, led by the California Invasion of Privacy Act (CIPA) and reinforced by statutes such as the federal Wiretap Act (ECPA) and Video Privacy Protection Act (VPPA). At the same time, a growing number of state privacy, biometric, health and children’s data laws are increasing regulatory activity nationwide.
Organizations face risk when data is collected or shared in ways that exceed, or occur before, clear user consent and disclosed practices. Recent litigation highlights how tracking technologies function in practice, particularly when tools activate automatically, such as on page load, before consent is obtained.
Action Steps for Organizations
Organizations can take practical steps to better align their digital practices with evolving regulatory expectations:
- Inventory your tracking technologies: Identify all cookies, pixels, scripts, SDKs, chat tools and session replay tools across websites and applications. Document what activates, when it activates, what data is collected and which third parties receive it. Manage tags through a controlled tag manager and remove any unapproved or inactive tags.
- Update your privacy policy and cookie notice: Disclosures should reflect actual practices, including what data is collected, which tracking technologies are used, third parties receiving data, retention periods and consumer rights. Misalignment between disclosures and technical implementation can increase legal exposure. Review policies regularly and when new tools are introduced.
- Deploy a consent banner that functions effectively: Use a consent management platform (CMP) that blocks non-essential cookies and tags until consent is captured and logged. A banner that displays while tracking occurs in the background is a common issue in current claims.
- Honor opt-outs and universal signals: Recognize Global Privacy Control signals where required. Provide clear “Do Not Sell or Share” options and maintain a documented process for handling access, deletion and correction requests within required timeframes.
- Minimize and protect sensitive data: Limit data collection to what is necessary. Mask form fields and suppress keystroke capture in session replay tools. Avoid deploying tracking technologies on pages involving health, financial transactions, checkout processes, video content, precise location data or children’s content without appropriate controls.
- Manage vendors contractually: Establish clear data processing agreements with vendors, including compliance obligations and accountability provisions. Reassess agreements when data processing activities change.
- Audit workflows and train staff: Test consent workflows regularly, including opt-out functionality across systems. Monitor for unauthorized tags and provide training for marketing teams to support compliant implementation of tracking tools.
- Establish governance for new web tools: Create a cross-functional review process, involving IT, marketing and legal or privacy teams, for evaluating new tracking technologies before deployment. Periodic audits can help identify and remove unapproved scripts.
Taking a Proactive Approach to Privacy Risk
Privacy requirements continue to evolve, and compliance depends on more than a single control. Regular reviews of your website, privacy disclosures, vendor contracts and consent mechanisms can help strengthen your overall approach. Engaging experienced privacy counsel can provide additional clarity as expectations shift.
Insurance Considerations: Engage Your Broker Early
Coverage for wrongful collection claims may vary. Organizations should review cyber and liability policies carefully and discuss potential gaps with their broker and legal advisors to better understand how coverage may respond.
A proactive approach can help ensure coverage aligns with real-world exposures. Our Cyber Practice works with organizations to assess risk, evaluate policy structure and identify opportunities to strengthen protection. This may include evaluating coverage structure and limits, analyzing potential business income exposure and helping organizations better position their risk for underwriting discussions. Connect with an advisor to learn more.