The world of cyber insurance is facing a new challenge as claims of wrongful data collection rise rapidly, shifting the focus away from traditional data breaches. At the heart of this shift is an old California law, the California Invasion of Privacy Act (CIPA), which was originally created in 1967 to regulate wiretapping. Today, it is driving many of the cyber privacy lawsuits filed against companies across the United States.
Since 2023, about 70% of the wrongful data collection claims reported to the cyber insurer Coalition have been linked to CIPA. This trend is not limited to California companies—it’s now affecting businesses across many industries, including healthcare, financial services, retail, and education, no matter where they are located in the country. The key factor? Plaintiffs argue that online activities involving California users fall under California law, opening the door to lawsuits nationwide.
Daniel Woods, head of research at Coalition, says this wave of CIPA claims caught many by surprise because privacy issues were mostly associated with data breaches in the past. Traditionally, privacy lawsuits happened when a company’s sensitive information was stolen. Wrongful data collection was talked about but rarely turned into legal action. That changed in 2019 with lawsuits under the Illinois Biometric Information Privacy Act (BIPA), where plaintiffs only needed to prove a technical violation of the law to claim damages. This led to huge settlements, like the $900 million case against Facebook, and encouraged law firms to use similar strategies with other privacy laws like CIPA.
CIPA covers much more than just biometrics or video data. It includes everyday tracking tools commonly used on websites, such as Meta Pixel and TikTok Pixel. These tools gather user data, and their presence has become a key reason for the rise in claims. A small group of law firms has built a volume-based approach, sending mass demand letters to companies instead of immediately filing lawsuits. They aim to get settlements quickly, often before companies even spend money on legal defenses.
These cases often have low financial stakes individually but pile up because of their numbers. At the same time, bigger and more complicated lawsuits are emerging, with some seeking major damages and legal precedents, especially in healthcare, where tracking tools on patient portals are under scrutiny.
Insurers are responding in different ways. Some are adding exclusions that remove coverage for wrongful data collection. Others leave policies unclear about whether such claims are covered, which could lead to disputes later. A third group offers clear coverage but requires companies to follow privacy rules closely.
Woods advises insurance brokers to look closely at policy details. Many current policies cover lawsuits based on a company’s violation of its own privacy rules but might not cover claims based on breaking laws like CIPA. There’s also confusion about whether the data collection was intentional or accidental—another area that could cause disagreements in claims.
For brokers helping clients, Woods suggests communicating clearly about exclusions, pushing for clear coverage of claims under privacy laws, reviewing client privacy policies, checking which tracking tools are in use, and making sure consent systems, like cookie banners, meet modern rules.
With CIPA claims growing fast and showing no signs of slowing, any business with a customer-facing website could soon find itself targeted. The cyber insurance market, brokers, and companies must act fast to handle this new risk that is reshaping privacy liability in the digital age.