This content is sponsored by Shulman Rogers.
For many business owners and senior leaders, a company website feels like a solved problem. It looks professional, it functions properly, and it’s been live for years without incident. But that sense of security can be misleading.
Website privacy compliance is no longer a background issue. Changing state laws, increasingly aggressive enforcement and evolving technologies, from analytics tools to AI-driven chatbots, can turn routine website features into unexpected legal exposure.
“What we see most often is not bad intent,” said Joshua Glikin, a lawyer who specializes in intellectual property and technology law at Shulman Rogers. “It’s routine, overlooked issues that create liability.”
For The Legal Lowdown on WTOP, we asked Glikin to identify the most common lawsuit risks hiding in plain sight on business websites today.
1. Your privacy policy doesn’t match what your website is actually doing
One of the most common website compliance failures is a disconnect between what a company’s privacy policy says and what the website actually does behind the scenes.
“There are so many ways that a business can be liable for what happens on their website,” Glikin said. “One of the most common is that their privacy policies, assuming one exists, do not accurately reflect the data collection and use practices of the company, and they don’t comply with applicable state laws.”
This mismatch often stems from organizational silos, he said. It happens organically if not addressed. Marketing teams choose tools. IT teams implement them. Business leaders focus on growth and operations. Rarely does anyone step back to confirm that all of those decisions are accurately disclosed in a single, legally compliant policy, Glikin noted.
“I’ve never seen an intentional bad-faith outdated website policy,” he said. “It’s usually because the business people, the marketing people and the IT people don’t really know what the others are doing.”
But intent doesn’t matter under most privacy laws. Businesses are responsible for what their websites do, not what leadership believed they were doing, Glikin pointed out.
2. An outdated privacy policy is a legal liability
Many executives assume that if their privacy policy was compliant when it was written, it remains compliant today. That assumption is increasingly risky.
“Even if a privacy policy was viable and compliant a year ago, that doesn’t mean that it will be the following year,” Glikin said.
Over the past several years, more than a dozen states have passed or expanded comprehensive privacy regulations. California, in particular, continues to amend and strengthen its requirements, often influencing enforcement nationwide by both attorneys general and plaintiffs’ lawyers, he said.
“Website privacy policies are just never set it and forget it,” Glikin said.
From a legal standpoint, a stale policy can be worse than no policy at all. Outdated language can affirmatively misrepresent current practices and become a written exhibit against the company in litigation or enforcement actions, he warned.
3. Cookies, tracking tools and analytics create risk you still own
Tracking technologies are one of the fastest-growing sources of website lawsuits, particularly under state privacy laws that require disclosure and consent.
“All of these data collection practices and sharing policies might be happening on your business’ website without you even knowing it,” Glikin said, “because different people control coding, marketing decisions and business operations.”
Even businesses that attempt to comply sometimes fail on execution. He described a case where a company installed a cookie consent pop-up but then forgot to configure the technology behind it.
“They intended to comply with cookie laws,” Glikin said. “But they forgot to turn on the cookie collection filter. Data was collected whether users clicked ‘accept’ or ‘decline.’ Clicking the button had no meaning.”
Legally, that type of gap can be devastating. Businesses, not vendors, are responsible for ensuring that consent mechanisms work as advertised.
“If the actual practices of the website don’t mirror what your policy says,” Glikin said, “you’ve got the potential for trouble.”
4. AI chatbots can quietly introduce new privacy risks
AI chatbots have quickly become standard on business websites, but many companies deploy them without fully understanding how they collect and use data.
“These AI chatbots often collect information consumers voluntarily provide,” Glikin said. “The real trouble starts when that data is stored, integrated into company records or shared for marketing and advertising purposes.”
In many cases, existing privacy policies never contemplated conversational artificial intelligence tools. As a result, companies may be disclosing less than the law requires — or nothing at all — about how that chatbot data is handled.
“You have to think about policies specific to what the chatbot collects and how that data is used,” Glikin said, “not just your general privacy policy.”
AI tools can quietly expand a company’s data footprint, creating privacy and cybersecurity exposure that isn’t discovered until a complaint or investigation forces the issue.
5. The “We’re too small to matter” assumption is wrong
Perhaps the most dangerous misconception among business owners is the belief that website privacy laws only affect large companies.
“One of the biggest misconceptions is, ‘I’m just a small business. Nobody’s going to care about my website,’ ” Glikin said. “That’s simply not true.”
Small and midsize businesses are frequent targets for private lawsuits, especially in California, where plaintiffs’ firms actively search for noncompliant websites nationwide.
“You don’t have to be very good to break into a small website,” he added, “and small businesses often have just as much personal information.”
Because the internet doesn’t distinguish between company size, businesses may be subject to laws in states where they don’t operate physically but where their websites collect consumer data.
Gentle reminder: Website privacy requires ongoing maintenance
Website compliance isn’t about checking a box. It’s about treating privacy the way businesses treat other operational risks — with ongoing review, clear accountability and expert support, Glikin said.
The main thing is to ask the question: Does my privacy policy meet our current digital and business practices? Typically, a simple review by an experienced lawyer can determine potential risk, and the burden of complying isn’t high, he said. All in, it might require two or three calls.
“Your website is just like your company’s new truck. You can’t just let it get old and never maintain it.”
What business owners and senior leaders should ask about website privacy
Use this checklist to quickly assess whether your website may be carrying hidden legal risk.
If you cannot confidently answer most of these questions, your website may already be creating legal exposure, whether you intended it or not, Shulman Rogers intellectual property lawyer Joshua Glikin advised.
He made the analogy to cybersecurity: It requires cross-discipline leadership, cultural adoption and iterative upkeep.
Privacy policy basics
- Do we have a privacy policy at all, and is it easy to find on our website?
- Does the policy clearly explain what data we collect, why we collect it and who we share it with?
- Does it include a clearly visible “last updated” date from within the past year?
Ongoing compliance
- Has our privacy policy been reviewed since new or amended state privacy laws took effect?
- Has legal counsel confirmed that the policy still reflects our current business and data practices?
- Do we treat website privacy as ongoing maintenance rather than a one-time legal task?
Cookies, tracking and analytics
- Do we know which cookies, tracking pixels and analytics tools operate on our website?
- If we use a cookie notice or consent banner, does it actually work from a technical standpoint?
- Is data collection paused or limited when users decline consent, where legally required?
Third-party tools and vendors
- Can we identify all third-party services integrated into our website?
- Do our privacy disclosures accurately describe what those tools collect and share?
- Do we understand that our company, not the vendor, is legally responsible for compliance?
AI tools and chatbots
- Do we use AI tools or chatbots on our website?
- Do we know what information they collect, where that data is stored and how it is used?
- Is chatbot data collection clearly addressed in our privacy policy?
For more legal tips and advice, visit The Legal Lowdown on WTOP, brought to you by Shulman Rogers.
