New Challenge for Insurers as Privacy Litigation Risk Surging Among U.S. SMBs

Cyber risk intelligence company KYND has published new research revealing a sharp rise in U.S. privacy litigation linked to everyday website tracking practices – with small and medium-sized businesses (SMBs) at the center of the risk.

The findings, published in KYND’s latest white paper, Privacy Risk in 2026, show that lawsuits related to website tracking and digital wiretapping – the recording of electronic communications without a user’s consent – have surged from just a few hundred cases per year to more than 2,000, as legal action increasingly targets routine online behavior rather than cyberattacks or data breaches.

Claims focus on how websites collect and share user data activity that is recorded when visiting a website, which can be used to identify users without their consent, even if no personal information is entered. This data collection can be challenged under laws that do not require proof of financial harm. Visitors can be recorded using widespread tools like pixel-based trackers used to measure website performance and user engagement.

KYND analyzed nearly 10,000 North American organizations to understand how this risk appears in practice. The study found 17.7% had tracking technologies operating without any visible user consent, rising to 20.2% among SMBs with revenues under $1 billion.

“Privacy risk is no longer just about data breaches”, said Andy Thomas, CEO of KYND. “What may seem like a minor compliance issue is becoming a repeatable and scalable source of litigation, particularly across the SMB market. We’re seeing a shift toward claims driven by everyday website behavior.

“For insurers, this creates a new challenge. These risks are scalable, often hidden, and can accumulate across portfolios in ways that are difficult to detect without the right visibility.”

According to KYND, rather than large, one-off events such as ransomware attacks, privacy claims linked to website tracking are typically high-frequency and lower severity but can build into significant losses across a portfolio. As similar tracking practices are widely used across many businesses, the exposure can accumulate quickly and affect large numbers of insureds at once.

KYND’s research highlights that this risk is now firmly embedded within SMB portfolios, driven by common website configurations and the widespread use of third-party tools such as analytics and marketing pixels.

The report also found SMBs are more likely to be affected due to a combination of factors, including reliance on default website tools, limited technical resources and the growing use of legal frameworks that allow claims to be brought at scale.

“The key for insurers is visibility. These risks aren’t hidden deep inside systems – they’re happening in plain sight on company websites”, Thomas added. “By bringing that external data into underwriting and ongoing portfolio monitoring, insurers can spot exposure earlier, differentiate risk more effectively, and avoid unwanted accumulation.”

Read KYND’s white paper, Privacy Risk in 2026, here. 

For more information, please visit: www.kynd.io