SecureWorld News

Legal Zero-Days: How Old Laws Became a Novel Loss Generator

Written by Violet Sullivan | Wed | Apr 2, 2025 | 7:49 PM Z

The latest wave of privacy litigation doesn't involve data breaches, AI models, or spyware. It involves tracking pixels—and legal theories pulled from a time when Blockbuster Video was still a thing.

Companies across industries are being sued for using widely available web technologies: session replay tools, analytics platforms, and advertising trackers. None of this is new or particularly exotic. The tools are often installed by default, with little scrutiny, and operate in the background of nearly every digital experience.

What's new is how these tools are being framed in court.

Plaintiffs are bringing claims under wiretap laws passed in the 1960s, privacy statutes from the early days of home video, and consumer protection provisions that predate modern web architecture. The intent of these laws was clear at the time—stop phone tapping, protect physical spaces, prevent retailers from disclosing what you rented on VHS. That's not how they're being used now.

Today, these statutes are being leveraged to argue that ordinary web tracking—especially on sites involving health, financial, or subscription data—amounts to unlawful interception or disclosure. Whether or not those theories hold up in the long run is still an open question. But in the short term, they're proving effective at one thing: creating expensive, hard-to-predict costs.

In cybersecurity, a zero-day is a vulnerability no one knew existed—until someone uses it. In the legal world, we're seeing the same pattern emerge. These old statutes were considered dormant, irrelevant, even forgotten. But now, they're being reinterpreted as tools for modern privacy enforcement, with companies caught unprepared and exposed.

It doesn't take much. A misplaced pixel on a login page. A poorly configured analytics tool that captures a query string with health keywords. A privacy policy that hasn't kept up with what the marketing team is actually doing.

Once a claim is filed, it's already costly. Legal teams are engaged. Coverage counsel may get involved. Discovery looms. Even if the case is weak, it's rarely dismissed quickly. The longer it lingers, the more pressure builds to settle—especially when the statutory damages stack up and the optics look bad. This is relatively new litigation, and defendants just want to make it go away.

This isn't a global trend. It's uniquely American.

In most countries, regulators take the lead on privacy enforcement. The U.S., in contrast, leaves space for private plaintiffs to test the boundaries of old laws in new contexts. We don't have a national privacy law, but we have dozens of state statutes and consumer protection rules—some with private rights of action, some without. That legal fragmentation, combined with relatively low barriers to filing a suit, creates fertile ground for speculative litigation. And right now, it's working.

For most of these new tactics, plaintiffs don't have to show harm in the conventional sense. They don't need a breach or even intent. They just have to argue that the statute was technically violated.

If they survive a motion to dismiss, they've already won leverage.

And it's not just about the law—it's about the facts. These cases rarely involve a clean, deliberate violation. More often, the facts are messy. A third-party tag was added without legal review. A query string with sensitive terms was captured automatically. The privacy policy is vague, outdated, or disconnected from actual site behavior. And no one—from IT to legal to marketing—really owns the full picture of what data is being collected, shared, or stored. 

That kind of ambiguity doesn't make for a strong defense narrative. It makes for long discovery, complex expert reports, and optics that don't play well with judges or juries. The longer the case lingers, the more it costs—and the more pressure there is to settle.

For insurers, this is a coverage minefield. Many cyber policies weren't built to respond to privacy litigation that doesn't stem from a breach or cyber incident. Others exclude statutory damages or contract-based liability. There's wide variation in how defense costs are treated. The result is a growing gap between where the risk is developing and where coverage reliably responds.

The lawsuits themselves might seem like a stretch. In some cases, they are. But merit isn't the metric anymore. If a claim takes effort to dismiss and is costly to defend, that's enough to make it real. And for companies that haven't revisited their web tracking practices, policy language, or vendor configurations, it will take a lot of effort to close the gap.

There's nothing futuristic about this version of privacy risk. No advanced surveillance, no cutting-edge tech stack—just legacy laws being exploited in ways no one saw coming. And like a zero-day, by the time the threat is obvious, it's already active.