A surge in privacy lawsuits over tools tracking how users interact with websites is leaving some companies questioning whether their insurers will step in to cover the costs of litigating and resolving the claims.
Some carriers, particularly cyber insurers, are now adding specific exclusions to their policies to shield against litigation over web tracking technologies, insurance attorneys said.
A few insurers—including units of
The underlying litigation targets various technologies developed by
Although the health-care industry has been a major target, companies from various sectors that use web tracking—including sports organizations, entertainment companies, and video content providers—are facing similar suits.
“Everybody’s got a website, so everybody’s a potential target,” said Brian Middlebrook, a partner at Gordon Rees Scully Mansukhani LLP who often represents entities defending against cyber and privacy claims.
Shifting Cyber Coverage
Cyber insurance in particular has often covered web tracker litigation “because the language in cyber policies tends to correspond with the type of claim that’s being made, which is an unauthorized collection or disclosure of private information,” according to Troutman Pepper Locke’s Timothy Carroll, who represents insurers.
That likely explains the lack of coverage litigation so far, said Samantha Riley, a partner at Skarzynski Marick & Black LLP who represents insurers. But, she said, even cyber insurers have begun to add exclusions for web tracking claims, leading to some behind-the-scenes fights.
In addition to specific exclusions, some cyber insurers have narrowed the threshold for coverage, for example by requiring a “cyber event” to trigger coverage rather than a broader “privacy breach,” Riley said, describing the changes as a “belts-and-suspenders” approach to reducing exposure.
The tightening of policy language is a “natural reaction to increased exposure from a certain risk, no different than, say, insurance companies increasing use of a virus exclusion in policies following the Covid-19 pandemic,” Carroll said.
Still, the cyber insurance market is widely considered to be competitive, which generally leads to favorable terms and puts pressure on insurers to protect their market share.
That may also explain why there have been few coverage disputes so far, according to Peter Halprin, a partner in Haynes & Boone LLP’s policyholder-side insurance coverage practice.
Unlike general liability insurance, which often uses standardized language, language in cyber insurance varies widely across policies and is constantly evolving, attorneys said. That means coverage for web tracker claims will continue to differ across cyber policies.
Liability Fights
Commercial general liability insurance is a more likely battleground over coverage for pixel tracking litigation.
The standardized nature of general liability policies may compel insurers to file declaratory judgment actions—such as the handful of suits seen so far—where a ruling can offer guidance on how claims should be handled across the board, said TittmannWeix partner Matthew Bricker, who represents insurers.
CGL insurers may also be more inclined to push back on web tracker claims, whether through litigation or policy changes, because those policies typically have higher limits and nearly every organization has some form of general liability coverage.
Companies hit with web tracking suits should provide notice under all kinds of policies that could be implicated to avoid potentially losing out on coverage, said Hakeem Rizk, special counsel at Covington & Burling LLP who represents corporate policyholders.
Parallels to Illinois
The insurance challenges for pixel tracking claims echo coverage issues associated with litigation under Illinois’ landmark Biometric Information Privacy Act, which allows plaintiffs to seek damages from companies collecting biometric information without proper consent or notice, several lawyers said.
BIPA claims, like many web tracker cases, were often covered under cyber policies. But an uptick in expensive BIPA class actions led to disputes over general liability policies and whether certain exclusions—such as for claims alleging companies violated consumer and privacy statutes—barred coverage.
“Everyone started excluding BIPA claims and that tends to kill the cottage industry, because the plaintiffs’ attorneys are looking for insurance proceeds to fund settlements, and they’re not necessarily looking to put businesses out of business,” Riley said. Changes in compliance, legislation, and case law also put a damper on BIPA-related litigation, she added.
The combined threats of web tracker litigation and a potential dearth of insurance coverage could drive a focus on compliance by businesses, as occurred with BIPA, minimizing the risk of future claims. Health-care companies, for example, have significantly curbed their use of tracking software on password-protected patient portals in recent years.
“It’s essential that entities, whether they’ve had a lawsuit or not, look to compliance for forward-thinking concerns,” Gordon Rees partner Justin Holmes said.