Wrongful collection of data: Reduce the risk

The law tends to lag a bit behind the rapid evolutionary pace of the technology and software that we use in our businesses. Even before the recent developments in artificial intelligence (AI) gave us cause for concern, there was already a risk of unknowingly violating data privacy through the technology we use. Businesses of all sizes and sectors may be subject to unlawful data processing claims. According to the International Association of Privacy Professionals, lawsuits focusing on whether businesses lawfully collect and use personal data have been steadily increasing. These claims can cause significant financial and reputational damage to companies.

As businesses analyze the risks associated with personal data collection, they must be familiar with an evolving regulatory landscape and take steps to address their exposures.

The range of what constitutes wrongful, or unlawful, data collection can vary by jurisdiction, making it difficult for businesses to understand exactly what rules apply to them. While there currently isn’t a national consumer data privacy law in the United States, several states have enacted their own legislation. Also, aspects of other U.S. laws that affect data privacy apply to certain sectors (for example, the Health Insurance Portability and Accountability Act, or HIPAA, which applies to health care). Additionally, different laws are in place internationally.

Most of us use website forms, CRM or ERP software and email automation programs, all of which can store data. Even though it may be complicated, businesses have the duty to comply with applicable data privacy laws. For example, depending on the jurisdiction, there may be regulations that dictate how or if an organization may collect, use and share personal data. There may also be requirements for the business to inform consumers that data is being collected and to allow the consumer to opt out of that collection. Failure to adhere to relevant laws may be considered wrongful and businesses may be subject to fines and potential litigation. 

Areas of concern

Certain aspects of personal data collection that laws may regulate are of particular concern, including:

Pixel tracking: The use of pixel technology to track how individuals use websites to target advertisements may be subject to regulations. For example, under the European Union’s General Data Protection Regulation, pixel tracking technology may only be used if an individual consents, while the California Privacy Rights Act (CPRA) requires users to be notified of the implementation of pixels and how they will be processed. Furthermore, HIPAA can be used to safeguard patients’ confidential health data that may be exposed to third parties utilizing pixels.

Precise geolocation: There may be legal obligations regarding collecting and processing data that is used to locate a consumer within a specific area. For example, the CPRA requires that individuals receive notice and have the right to limit the use and disclosure of that precise geolocation information.

Biometric data: Collection of data regarding unique physical characteristics (e.g., fingerprints, faces, voice patterns) has been regulated by some jurisdictions. For example, Illinois has enacted the Biometric Privacy Act, which forbids businesses from collecting biometric data unless the business has informed the individual about the data being collected and how long it will be stored, and has received written consent.

Genetic information: Data that is compiled from the analysis of a person’s biological sample and involves genetic material (e.g., DNA, genes, chromosomes) may also be subject to regulations.

Strategies to reduce risk exposure 

It is essential for businesses to implement risk management strategies to reduce the likelihood of lawsuits, reputational damage and regulatory fines or penalties stemming from wrongful data collection claims. Some techniques to consider:

  • Weigh the benefits and drawbacks of data collection and determine if you can use alternative marketing strategies that do not require data collection.
  • Provide notice and obtain consent before collecting, processing, using, sharing, or selling personal data.
  • Allow individuals to opt out of having their personal data collected.
  • Limit personal data collection to only what is necessary.
  • Monitor regulations as they are quickly evolving.
  • Conduct audits of data collection practices to ensure they conform to applicable regulations.
  • Provide education to employees on proper technology use and applicable legislation.

As with cyber risk, reducing the risk around wrongful data collection is much more effective if you have a team of experts to consult across the various areas of concern. Consult your IT resource, go over data collection concerns with your legal team, discuss data privacy with your board of directors, and review insurance coverage with a licensed professional to determine if coverage is available for wrongful data collection claims.

Jonathan Theders

CRA, ACRA, RiskSOURCE Clark-Theders, Chairman & Chief Growth Officer

(513) 644-1263


About the Goering Center for Family & Private Business

Established in 1989, the Goering Center serves more than 400 member companies, making it North America’s largest university-based educational non-profit center for family and private businesses. The Center’s mission is to nurture and educate family and private businesses to drive a vibrant economy. Affiliation with the Carl H. Lindner College of Business at the University of Cincinnati provides access to a vast resource of business programing and expertise. Goering Center members receive real-world insights that enlighten, strengthen and prolong family and private business success. For more information on the Center, participation and membership visit goering.uc.edu.
