The cyber insurance market is confronting a new and fast-escalating challenge as privacy liability risks shift from traditional data breach claims to wrongful data collection allegations. At least one expert has flagged a decades-old California law that is now driving litigation against companies across the US.
The California Invasion of Privacy Act (CIPA), enacted in 1967 to regulate wiretapping, has become the leading basis for cyber privacy lawsuits, according to breach and claims data from cyber insurer Coalition.
Since 2023, approximately 70% of wrongful collection claims reported to Coalition have been tied to CIPA, a trend that is expanding rapidly across all industry sectors and well beyond California’s borders.
Speaking with Insurance Business America, Daniel Woods, principal researcher at Coalition, said the wave of CIPA claims is catching both insurers and insureds off guard because it represents a fundamental change in how privacy liability is being litigated.
“For the last two decades, the conversation around privacy liability was almost synonymous with data breaches,” Woods said. “A company would lose sensitive information in an attack and face litigation from individuals affected. Wrongful data collection was talked about, but rarely litigated.”
That changed in 2019 when plaintiffs began pursuing claims under the Illinois Biometric Information Privacy Act (BIPA). Instead of needing to prove harm, plaintiffs only had to show a “technical violation” of the law to seek statutory damages of $2,500 per person.
That model led to enormous settlements, including $900 million against Facebook, and paved the way for law firms to apply the same strategy under broader statutes such as CIPA.
“CIPA isn’t limited to biometrics or video data; it covers virtually any type of digital communication,” Woods said. “What’s driving the increase is not large breaches but the use of ordinary tracking technologies like Meta Pixel, TikTok Pixel, or session replay tools.”
Although CIPA is a California law, plaintiffs are increasingly targeting businesses located outside the state by asserting that online activity constitutes interstate commerce with California users. As a result, companies in healthcare, financial services, retail, education and even small businesses have found themselves facing a surge in demand letters and lawsuits.
Woods described a fast-growing litigation ecosystem driven by a handful of law firms that have developed volume-based strategies.
“More than 70% of web privacy claims are coming from just four law firms,” he said. “They’ve built a business model around sending mass demand letters, often without filing formal litigation. The goal is to obtain a quick settlement before the company incurs legal defence costs.”
These “nuisance-style” cases are typically low severity, he said, but they are being filed in high volumes. At the same time, more complex lawsuits are emerging that seek to establish new precedents and pursue large-scale damages.
“That’s where we see seven- and eight-figure exposure,” Woods said, pointing to precedents under BIPA, VPPA, and ongoing litigation in the healthcare sector involving alleged unlawful use of tracking tools on patient portals.
The surge in CIPA claims is testing insurers’ appetite for cyber coverage and forcing the market to make strategic decisions around underwriting and policy wording. According to Woods, insurers are currently taking three main approaches:
Woods said brokers must carefully examine policy wordings to determine whether coverage responds to lawsuits alleging violations of privacy laws, not just violations of a company’s own privacy policy.
“Many lawsuits today don’t argue that the company failed to follow its own policy,” he said. “They argue the business violated a statute such as CIPA. If the policy only responds to breaches of the company’s policy, it may not respond to the actual claim.”
He also highlighted ambiguities around coverage triggers related to “intentional” versus “unintentional” collection.
“A marketing department may intentionally install a tracking tool without leadership’s approval. Does that count as intentional? These are the gray areas that could lead to disputes,” Woods said.
As wrongful collection litigation accelerates, Woods said there are several immediate steps brokers should take to protect clients:
As CIPA continues to be deployed as a litigation tool, insurers, brokers, and policyholders will need to adapt quickly to manage what is emerging as one of the most consequential liability trends in cyber insurance today.
“These lawsuits are not slowing down,” Woods said. “Any business with a customer-facing website is now exposed.”