Wrongful data collection is becoming a critical concern for privacy and cyber insurers, exposing a widening gap between evolving regulatory requirements and routine business practices. According to Chris Gonzales, VP cyber and professional lines at Arch Insurance Canada, this is a trend that shows little sign of slowing.
“Wrongful collection class action filings will continue to rise based on the success of CIPA-related settlements in 2025,” Gonzales said, pointing to recent US cases that challenged how websites track and share user information.
As legislators review and update these regulations, additional rules – such as federal wiretap statutes and state-level privacy laws – are likely to provide new avenues for legal action.
At the heart of many claims, Gonzales explained, is a lack of strong governance around website tracking technologies and consent management.
“Most organizations do not have strong governance around their use of website tracking technologies and often have trackers firing after a user has rejected all non-essential cookies, even when a consent management platform is in place to manage these trackers,” he noted.
He recommends that companies maintain a detailed inventory of their tracking technologies and ensure that consent management policies are not only implemented but continuously reviewed and monitored for effectiveness.
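One way to turn the inventory-plus-monitoring recommendation into a repeatable check, as an added example that is not from the article or any consent management vendor: the inventory, consent categories, hostnames, request log and function names below are all constructed for illustration.

```javascript
// Added example (not from the article or any CMP vendor): audit observed tracker
// requests against a tracker inventory and the visitor's consent decision.
// Inventory of tracking technologies as a governance team might keep it
// (constructed names and hosts); each entry lists the consent category it needs.
const TRACKER_INVENTORY = [
  { name: 'site-core',       category: 'essential',   hosts: ['cdn.example-site.test'] },
  { name: 'analytics-suite', category: 'analytics',   hosts: ['collect.analytics-vendor.test'] },
  { name: 'session-replay',  category: 'analytics',   hosts: ['rec.replay-vendor.test'] },
  { name: 'ad-pixel',        category: 'advertising', hosts: ['px.ad-network.test', 'sync.ad-network.test'] },
];

// Consent categories a CMP would record when the visitor rejects all non-essential cookies.
function rejectAllNonEssential() {
  return { essential: true, analytics: false, advertising: false };
}

// Resolve a request hostname to its inventory entry, or null if the host is unknown.
function lookupTracker(host) {
  return TRACKER_INVENTORY.find(t => t.hosts.includes(host)) || null;
}

// Flag every request made after the consent decision whose tracker category was
// rejected, plus any host missing from the inventory (a governance gap in itself).
function auditRequests(requests, consent) {
  const findings = [];
  for (const req of requests) {
    if (req.timestamp < consent.decidedAt) continue; // fired before the choice; out of scope here
    const host = new URL(req.url).hostname;
    const tracker = lookupTracker(host);
    if (!tracker) {
      findings.push({ url: req.url, issue: 'not-in-inventory' });
    } else if (!consent.categories[tracker.category]) {
      findings.push({ url: req.url, issue: 'fired-after-rejection', tracker: tracker.name, category: tracker.category });
    }
  }
  return findings;
}

// Constructed request log from a test session; the visitor rejected all non-essential cookies at t=1000.
const SAMPLE_REQUESTS = [
  { timestamp: 900,  url: 'https://px.ad-network.test/pixel?id=1' },
  { timestamp: 1200, url: 'https://cdn.example-site.test/app.js' },
  { timestamp: 1300, url: 'https://collect.analytics-vendor.test/v1/hit' },
  { timestamp: 1400, url: 'https://sync.ad-network.test/match' },
  { timestamp: 1500, url: 'https://unknown-third-party.test/beacon' },
];
const SAMPLE_CONSENT = { decidedAt: 1000, categories: rejectAllNonEssential() };

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT), null, 2));
```

In practice the request log would be captured from a browser-automation or proxy run of a session in which the CMP's reject option was used, and the audit would be re-run on a schedule so that a tracker added after the last review is caught.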
Privacy risk, he added, cannot be treated as a static issue. Organizations must approach it with the same discipline applied to cybersecurity, which requires ongoing assessment, updates, and real-time monitoring to keep pace with rapidly evolving digital threats.
“Organizations should look at privacy risks not as a static exposure, but with the same rigor and evolving landscape as cybersecurity, implementing continuous controls, regular policy updates, and real-time monitoring,” Gonzales said.
Certain digital tools carry a particularly high risk. Adtech and analytics platforms, which can record user sessions and access sensitive search histories, are under increasing scrutiny because they often collect more information than users realize, and the potential for misuse or accidental exposure is significant.
“Adtech and analytics are considered higher risk trackers as they can record sessions, have access to search history and other data that may be classified as sensitive,” Gonzales explained.
Some sectors are especially exposed. Businesses in healthcare, media, retail, and financial services often experience high website traffic and handle sensitive user interactions, and in many cases, they rely on adtech as a key revenue driver – even when it conflicts with consent management policies.
“Organizations in healthcare, media, retail and financial services are higher risk classes due to having elevated website traffic and the sensitive nature of user visits, and may be more inclined to have adtech trackers enabled after a user has rejected all cookies or trackers, due to ads being a revenue generator for the business,” he said.
On the insurance side, carriers are reevaluating the risks they are willing to cover. Some markets are hesitant to provide full coverage (or even sublimits) for wrongful collection due to prior claims history and the rising frequency of litigation.
“Some markets are not eager to offer full or sublimits for wrongful collection coverage due to their claims history in this space,” Gonzales noted.
In response, underwriters are increasing their scrutiny of client practices. Supplemental questionnaires, privacy scans, and other monitoring tools are now commonly used to ensure organizations are complying with legal requirements and adhering to their own privacy policies.
“Many markets require a supplemental to be filled out when considering offering this coverage and some are now beginning to run privacy scans on a website similar to what they are doing with attack surface monitoring services,” Gonzales said. “New risk management tools are being deployed by insurers to help clients understand whether they are adhering to law and their own privacy policies.”
The growing focus on wrongful collection reflects a broader shift in digital risk management. Companies are being asked to combine technical diligence with legal awareness, constantly reviewing how data is collected, stored, and used, and ensuring that all trackers, cookies, and analytics tools operate within clearly defined governance frameworks. Even as organizations implement stronger controls and monitoring, the evolving regulatory landscape and the sophistication of emerging claims mean that this area of risk will remain a moving target, demanding ongoing attention and adaptation to the new realities of online privacy and data protection.