If you own a small business, there is a good chance you have never thought of your website as a legal liability. It is where customers find you, book a job, read a review, maybe pay an invoice. Then one day an email lands from a law firm you have never heard of, telling you your site violates federal law and that you have a short window to respond before they file. The first instinct is to assume it is a scam. The second, once it sinks in, is panic.
We started paying attention to this when it stopped being something we read about and became something happening to the businesses we work with. A few of our own clients have gotten these letters. So we put this together to explain, in plain language, what is actually going on.
By the time you finish, you should understand what these lawsuits are, why small businesses keep getting targeted, the real difference between accessibility and privacy compliance, the insurance conversation you need to have this week, and the specific steps that lower your risk. We are a website design and marketing agency, not a law firm, so none of this is legal advice. It is the lay of the land as we have watched it unfold.
The litigation landscape
Website lawsuits have grown into an industry, and the data is not subtle. According to AudioEye’s 2026 Web Accessibility Litigation Report 1, the total number of accessibility lawsuits has more than doubled since 2020, a 102% jump, climbing past 26,000 filings in 2025. Federal filings have actually leveled off since peaking at 6,722 in 2023. The explosion is happening in state courts, which now account for roughly 77% of all filings, and about 78% of these lawsuits target e-commerce and online businesses 2.
And how does this affect small businesses? The famous cases you may have heard about involve giant companies, but your day-to-day risk is not a courtroom battle. It is a form letter from a firm running the same play across hundreds of small sites at once, betting you will settle rather than fight. A landmark lawsuit against a major brand is not the scenario most small businesses need to worry about. More often, exposure comes from being one of many smaller companies contacted through mass demand campaigns — a trend that continues to expand.
Part one: website accessibility
Accessibility means your website works for people with disabilities. That is a broad group, and the barriers are specific.
Someone who is blind uses a screen reader, software that reads the page aloud and lets them navigate by listening. If your images have no text descriptions, if your buttons are unlabeled, or if your menus only work with a mouse, the screen reader hits dead ends. Someone with a motor disability may navigate entirely by keyboard, tabbing from link to link, so a form that cannot be completed without a mouse shuts them out. Someone with low vision needs strong contrast between text and background to read at all.
The standard the industry and the courts point to is the Web Content Accessibility Guidelines, or WCAG. It has three levels, A, AA, and AAA, and AA is the level most commonly treated as the target for legal compliance. It covers the practical things: text alternatives for images, keyboard operability, sufficient color contrast, labeled form fields, and content that works with assistive technology.
The same handful of problems show up in case after case. AudioEye’s review of 2025 lawsuits found the most common issues were broken keyboard navigation (cited in 88% of cases), missing structural landmarks (88%), screen reader incompatibility (74%), vague button and link labels (63%), and missing alt text (39%) 1. These are not exotic flaws. A separate AudioEye scan of more than 100,000 websites found that 80% of pages had links without clear descriptive text, 75% failed to provide alt text for all images, and 62% had form fields or buttons that were not properly labeled. If your site was built like most small business sites, it almost certainly has several of these right now.
This is also why many of these cases are not brought by a frustrated customer. They are run like a business. Certain firms use automated tools to scan thousands of sites at once, flag the common WCAG failures, and send demand letters in volume. The letter usually offers an exit: pay a settlement, agree to remediate the site, and the matter goes away. The dollar amount is set deliberately, high enough to sting and low enough that writing the check feels cheaper and faster than hiring a lawyer to fight. That is the whole business model behind these letters.
A warning on a popular shortcut: You may have seen accessibility overlay widgets that promise instant compliance from a single line of code. The plain truth is, they do not deliver what they claim. In 2025, 38.5% of the businesses that got sued already had an accessibility solution in place, usually one of these widgets 3 4. The reason is simple: automated tools alone might catch about two-thirds of accessibility barriers and fix about half of those, but that still leaves the issues that trigger lawsuits (broken checkout flows and keyboard traps) sitting in plain sight. The bottom line is, a line of code simply won’t work as a defense.
Part two: consumer privacy
Now, when it comes to privacy, the central issue is the data your website quietly collects on visitors – whether you told them and got their permission first. Most small business sites gather far more than the owner realizes. The moment a visitor lands on a page, tools like Google Analytics, the Meta pixel, and various ad and chat scripts often begin firing, tracking behavior and sending it to third parties, all before the visitor has agreed to anything. For years that was normal and nobody thought twice. That window is closing.
Several forces are converging here.
State privacy laws are multiplying. California led with the CCPA and its successor the CPRA, and a growing list of states have followed with their own consumer privacy laws. The common thread is that businesses must disclose what data they collect, maintain an accurate and current privacy policy, honor certain consumer rights, and in many cases obtain consent before non-essential tracking runs.
Old wiretapping laws are being repurposed. In California, plaintiffs have used the California Invasion of Privacy Act, a decades-old wiretapping statute, to argue that tracking a visitor’s activity without consent, through session-recording tools, chat widgets, or pixels, amounts to illegal interception. The statute allows damages of up to $5,000 per violation. To a business owner that can sound like a stretch, but nobody cares. However it might feel, these suits are real, they are being filed in large numbers, and California in particular is a hotbed for them.
Other theories are in play too. The federal Video Privacy Protection Act, which carries damages of $2,500 per violation, has been used against sites that have video content and a Meta pixel, on the theory that viewing data was shared without consent. In Illinois, the Biometric Information Privacy Act allows $1,000 to $5,000 per violation and has driven a wave of claims over things like facial geometry and fingerprints.
Notice a pattern in those numbers? Privacy damages are often set per violation, meaning per affected visitor. Multiply a per-visitor figure by a month of website traffic and the exposure climbs quickly, which is exactly why these cases settle for real money.
What gets targeted is predictable: a missing or outdated privacy policy, tracking scripts that fire before anyone consents, and no record anywhere proving visitors agreed. When a plaintiff’s attorney or a regulator asks you to show that a given visitor consented to tracking, most small businesses have nothing to produce.
Are you actually at risk? A quick gut check
If several of these are true, you are exposed:
- Your website is more than a couple of years old and has never been checked for accessibility.
- You have never heard of WCAG, alt text, or keyboard navigation.
- You run Google Analytics, the Meta pixel, or any advertising tracking.
- Your privacy policy is missing, copied from another site, or has not been updated in years.
- You have no cookie consent banner, or one that does not actually hold scripts until a visitor agrees.
- You could not produce a record showing that a visitor consented to tracking.
- You assume your general liability insurance covers all of this.
Most small businesses check several boxes. We’re not saying you have cause to panic, but we do recommend taking action before a letter arrives rather than after.
The insurance conversation you need to have
This is the cheapest, fastest step on the entire list, and it is the one almost everyone skips. So let us spend real time on it, because the assumptions here are where owners get burned.
Why general liability usually does not cover this. A standard commercial general liability policy is built for physical-world harm: someone slips in your shop, you damage a customer’s property, or you face a basic advertising injury claim. Accessibility lawsuits and privacy claims are a different category, and many general liability policies contain specific exclusions that carve out access to or disclosure of personal information, and sometimes discrimination-style claims as well. So the owner who assumes “I have business insurance, I am covered” can find out, after a letter arrives, that the exact claim they are facing is the one their policy excludes.
Here is the coverage that actually tends to be relevant, and why.
Cyber liability. This is the policy built for digital risks. Good cyber policies can respond to data breaches and privacy-related claims, and often include regulatory defense and legal defense costs, which matters because defense alone can cost more than a settlement. If you collect any customer data through your site, this is the first conversation to have.
Media liability. This covers claims arising from your content and how you publish it, which can overlap with certain privacy and tracking claims depending on the policy. It is sometimes bundled into cyber coverage and sometimes sold separately.
Professional liability, also called errors and omissions. If you provide a professional service, this covers claims that your work or advice caused a client harm. It belongs in the conversation when you map your full exposure.
A blunt truth on accessibility specifically: ADA website accessibility claims sit in an awkward spot, and many standard policies do not clearly cover them. That doesn’t mean you should skip the call – it means that, once you make it, you should ask questions directly.
When you call your agent, ask three specific questions and do not accept a vague answer:
- If I am sued or sent a demand letter over website accessibility under the ADA, does my current coverage respond, including legal defense costs?
- If I face a privacy or data-tracking claim, under a state privacy law or a wiretapping statute, am I covered?
- Where are the gaps, and what would it cost to close them with a cyber or media liability policy?
Coverage varies widely by carrier and policy, and we are not insurance advisors, so treat this as the list of questions to bring, not a guarantee of what you have. Simply try to find out what you are actually covered for before a letter forces the answer.
How to protect your business
There is no magic button that makes you bulletproof; anyone who claims to be selling one is trying to sell you something else. Still, there is a huge difference between a business that has made a documented, good-faith effort to comply and one that has done nothing. That difference helps you avoid claims in the first place, and it helps you defend against one if it comes.
There are a lot of tools in this space, and you may already have come across some of them. On the accessibility side, the names you see most are overlay products like accessiBe and UserWay, alongside expert-driven platforms like Level Access and Deque. For legal policies, generators like Termly and iubenda are common. For cookie consent, you will run into everything from OneTrust at the enterprise end to Cookiebot and CookieYes for smaller sites. Some of these are solid. Others are the one-line widget approach that the data shows getting businesses sued anyway.
We demoed dozens of them. After careful consideration, here are the three we assembled into the stack we call Site Safeguard, and why we chose each one.
Accessibility, handled by AudioEye. Rather than a one-line overlay, AudioEye combines automated monitoring with expert human testing and custom fixes, which is the approach that actually holds up. According to AudioEye’s own data, pairing automation with human expertise delivers up to 300 to 400% more legal protection than widget-only solutions, and keeps their valid legal claim rate under 10%, far below the industry norm. It monitors your site continuously, scans new pages as they go live, and works through remediation of your existing site. The piece that matters most if a claim ever comes is the documented response: every site gets a Legal Action Response Plan your attorney can use immediately, and AudioEye’s team will respond line by line and work to get frivolous claims dismissed.
Legal policies, handled by Termageddon. Termageddon generates and maintains your privacy policy, terms of use, and cookie disclosure, and updates them automatically as state laws change, so you are not manually tracking new regulations. The founder is a licensed attorney who chairs the American Bar Association’s ePrivacy Committee, and the policies are hosted and updated in the background so your site always reflects current requirements.
Cookie consent and tracker management, handled by Usercentrics. Usercentrics installs a consent banner that holds non-essential tracking scripts, like Google Analytics and the Meta pixel, until a visitor opts in, and it stores a consent record for every visitor as documentation if anyone ever asks whether you were collecting data lawfully. It is Google-certified and supports Google Consent Mode, so your ad and analytics tools can still model data from users who decline, which means your marketing does not go blind when someone opts out.
Alongside the stack, do the two things only you can do. Call your insurance agent and have the conversation above. And talk to an attorney about your specific situation, because the laws differ by state and by the facts of your business.
FAQs
Am I really legally required to do this? Accessibility obligations come from how courts have applied the ADA, and there are differences in how various courts have ruled, so the precise answer depends on where you are and the facts of your business. Privacy obligations come from a patchwork of state laws that turns largely on where your customers live. What is not in dispute is that businesses are being sued and sent demand letters right now, more than 26,000 accessibility filings in 2025 alone, regardless of how settled the underlying law feels. An attorney can tell you where you specifically stand.
I am a small local business. Why would anyone come after me? Precisely because you are small! You do not have a legal team or a compliance officer, so you are far more likely to settle quickly than to fight, and the firms sending these letters count on exactly that. A large company is an expensive, drawn-out battle. A local shop is a fast check. The model runs on volume, and small operators are the volume.
What do these settlements actually cost? The risk looks different for accessibility versus privacy. On the accessibility side, most small-business cases settle in five figures within months, commonly in the range of $25,000 to $50,000 per case, plus roughly $20,000 in legal fees and the cost of fixing the site anyway. Choosing to fight instead can go much higher. When Fashion Nova fought a 2020 accessibility claim, it turned into a five-year battle with more than 200 court filings and a $5.15 million total cost, the second-largest accessibility settlement on record. Those figures come from AudioEye’s 2026 report 1. On the privacy side, the math can be just as punishing because several laws set damages per violation, meaning per affected visitor. California’s wiretapping statute (CIPA) allows up to $5,000 per violation, Illinois’s biometric law (BIPA) allows $1,000 to $5,000 per violation, and the federal Video Privacy Protection Act allows $2,500 per violation. Multiply any of those by a month of website traffic and you can see how fast it adds up 5.
Which states see the most lawsuits? Filings are heavily concentrated. New York accounts for about 43% of U.S. accessibility cases, followed by Florida at 19%, Illinois at 17%, and California at 10%. The bigger shift is that roughly 77% of 2025 lawsuits were filed in state courts rather than federal court, and state laws carry their own penalties. California’s Unruh Civil Rights Act sets a minimum of $4,000 per violation, and New York’s Human Rights Law allows civil penalties up to $50,000 for a first offense and $100,000 for repeat violations, both on top of attorney’s fees. And do not take too much comfort in your home state being quieter. Privacy laws in particular can reach you based on where your customers live, not just where you operate.
Does this guarantee I will not get sued? No, and we will not pretend otherwise. Nothing makes you immune. What this does is two things. It sharply reduces the issues an automated scanner would flag, which is what most of these letters are built on, and it documents a good-faith effort to comply, which is exactly what helps when you have to respond to a demand letter.
Does an accessibility overlay widget take care of it? On its own, no. In 2025, 38.5% of businesses that got sued already had a solution like this in place. As mentioned before, automated tools alone catch only about two-thirds of accessibility barriers and fix only about half, leaving the issues that actually drive lawsuits untouched. A widget that changes font sizes is not the same as a remediated site plus a documented plan for responding to a claim.
Can’t my web designer just fix it once and be done? Not really, for two reasons. First of all, accessibility is not a one-time fix. Every time you add a page, a photo, a form, or a new service, you can reintroduce problems. Secondly, privacy laws keep changing, so a policy that is compliant today can be out of date in a few months. That is why this is set up as ongoing protection rather than a single project.
My website is brand new. Am I safe? Newer is better, but new does not mean compliant. Plenty of modern templates still fail on alt text, contrast, and keyboard navigation, and a brand-new site can still be loaded with trackers that fire before consent. The only way to know is to check.
Will any of this slow down my site or break my Google Analytics? Done right, no. A properly configured consent setup supports Google Consent Mode, so your analytics and ad tools keep modeling data even when a visitor declines tracking, and the accessibility tools are built to run without dragging down your load time.
What do I actually do if a demand letter shows up? Do not ignore it, and do not panic and pay on the spot. Forward it to your attorney, and if you are on a managed plan, to us, because the accessibility platform provides a response plan your attorney can use right away. The worst outcomes tend to come from owners who either toss the letter or write a check before getting advice.
Is this a one-time cost or ongoing? Both. There is an upfront setup to get everything in place and remediate your current site, then an ongoing monthly piece, because the monitoring, the policy updates, and the consent records only protect you if they are kept current. We are happy to send a full quote and breakdown if you want the numbers.
Where we land on this
We did not go looking for this topic. It came looking for the businesses we work with, and once a few of them opened those letters, we could not in good conscience stay quiet about it. The numbers tell the story on their own. Filings have more than doubled in five years, the targets have shifted from big national brands to ordinary local businesses, and the quick fixes most owners reach for are not holding up in court.
If you take only one thing from this guide, make the insurance call this week and take an honest look at your own website. If you want help getting the accessibility and privacy side handled, that is what Site Safeguard is for, and we are glad to walk you through it. Either way, the worst move is the one most people make, which is assuming it will not happen to them.
Disclaimer
The information in this article is provided for informational purposes only, and should not be construed as legal advice on any matter.
Sources
1 AudioEye’s 2026 Web Accessibility Litigation Report
3 The Rising Tide of ADA Website Accessibility Litigation: 2025 Insights
4 FTC Approves Final Order Requiring accessiBe to pay $1 Million
5 ADA Website Lawsuits Statistics 2025
Litigation volume, state-by-state breakdown, common barriers, settlement figures, and the Fashion Nova case are drawn from AudioEye’s 2026 Web Accessibility Litigation Report, based on accessibility lawsuits filed January through September 2025 and AudioEye’s scan data across more than 100,000 websites. Privacy damage figures reflect the statutory amounts in the California Invasion of Privacy Act, the Illinois Biometric Information Privacy Act, and the federal Video Privacy Protection Act.
