Executive Summary. In 2025, cybersecurity and privacy litigation is reshaping the legal and operational landscape for businesses of all sizes. While enterprise-level companies often dominate headlines, small and midsize businesses (SMBs) are increasingly at risk, both as targets of cyber incidents and as entities affected by evolving legal standards. This whitepaper outlines the most important current litigation in technology and privacy law, analyzes how it affects cybersecurity practices, and provides actionable guidance for SMBs.
Why This Matters for SMBs. Legal decisions stemming from Big Tech and government lawsuits are influencing the privacy expectations of customers, cyber insurance requirements, vendor risk management, third-party tracking tools, and incident response obligations. SMBs must align their security practices with these new standards or risk liability, regulatory action, or reputational harm.
Key Litigation Trends & Their Impact.
Alexa Recordings Case: Garner v. Amazon. This lawsuit claims that Amazon’s Alexa devices were recording people even when they didn’t say “Alexa.” In other words, the devices may have picked up private conversations in the background without the user knowing, and Amazon kept those recordings.
The plaintiffs argue that this kind of passive recording violates privacy laws, especially in states like Washington where you need consent from everyone in a conversation to legally record it. They also say Amazon used the recordings to improve its technology and possibly for advertising, without getting clear permission from users.
The judge didn’t throw out the case. In fact, the court said some of the claims are strong enough to move forward, especially the argument that users didn’t know Alexa was recording them without being activated. So the case is still active and could set some big legal standards in the future.
Why this matters to SMBs. If you run a business that uses smart speakers, voice assistants, or any always-on recording technology, in the office, in your app, in a product, or as part of your business’s management information systems, you need to pay attention to this case. Just having a smart device around people isn’t the same as getting their consent. You may be recording people without meaning to. If your tools collect voice or data in the background, you could be on the hook legally, even if you’re not using that data. Privacy laws are getting tougher, and “we didn’t know it was recording” won’t be a good excuse.
Location Data From Android Users: Rodriguez v. Google. This lawsuit claims that Google was collecting location data from Android users, even when they thought they had intentionally turned it off. In short, people believed that disabling location settings meant Google wouldn’t track them, but Google allegedly continued collecting certain location data in the background.
The plaintiffs say Google’s practices were misleading and violated privacy laws. They argue that Google made it too hard to fully disable tracking and wasn’t transparent about what was being collected and why. That lack of clarity is what landed Google in court.
The case is moving forward. In fact, Google already lost a related jury verdict in April 2025, and a major class-action trial is set for August. Courts are taking seriously the idea that tech companies must clearly tell users what data is being collected and how to stop it.
Why this matters to SMBs. If your business uses a mobile app, tracks users, or relies on third-party platforms like Google Analytics or Firebase, this case affects you. It’s no longer enough to bury data collection in your privacy policy; users need real, meaningful options to control what gets tracked. You must clearly communicate to your users what data you collect, when, and why. If your app continues collecting data after a user opts out (even by accident), you could be held liable.
Pegasus Spyware: NSO Group v. Meta. Meta sued NSO Group, an Israeli tech company that sells a powerful hacking tool called Pegasus. Meta says NSO used this spyware to hack into WhatsApp accounts without permission, targeting over 1,000 users, including journalists and human rights workers.
Meta claimed NSO violated U.S. laws about unauthorized access to computer systems and caused real harm by using WhatsApp’s platform to spread spyware. A U.S. jury agreed, and in May 2025, awarded Meta $167.7 million in damages. That’s a huge amount for a case involving hacking!
The court sided strongly with Meta, signaling that even powerful surveillance tools are not above the law. The ruling makes clear that companies involved in cybersecurity attacks, even those acting on behalf of governments, can be held legally and financially responsible.
Why this matters to SMBs. This case highlights the growing risk of sophisticated cyber threats and the legal exposure tied to offensive cybersecurity practices. Spyware and surveillance tools are under legal scrutiny. Even if you’re not using them, your systems could become a target, or a pathway, for abuse. You need to assume your business tools (especially communications platforms like email, messaging, or CRM systems) could be targeted by increasingly sophisticated attacks. If your company is ever involved in investigating, purchasing, or reselling surveillance or cybersecurity software, be aware: there could be real legal risks.
Pixel Tracking Lawsuits: Video Privacy Protection Act v. the World. Dozens of lawsuits have been filed against companies for using tracking pixels, tiny bits of code that collect information when people watch videos on websites. These lawsuits claim that websites are sharing users’ video viewing habits with platforms like Facebook or Google without user consent.
These suits are based on a decades-old law called the Video Privacy Protection Act (VPPA). It was passed in the 1980s, but it’s now being used against websites and apps that track what videos people watch and send that info to marketing platforms.
The claims arise because users aren’t being told this tracking is happening, and they never gave permission. Many websites embed video players or use tools that send data about viewing habits to Meta, TikTok, or YouTube for advertising. That kind of behind-the-scenes tracking is being challenged as an illegal invasion of privacy under the VPPA.
Some courts are letting these cases go forward, while others are more skeptical, creating a legal split that might go all the way to the Supreme Court. But for now, a lot of companies are settling or scrambling to remove these tracking tools to avoid the expense of these lawsuits.
Why this matters to SMBs. If your business uses videos on your website, especially hosted through third parties, and you also run ads or analytics through platforms like Facebook, you may be affected. Even if you’re not doing anything shady, if your site automatically shares video watch data with a third party, you could be sued. SMBs are often unaware this is happening, because many plugins and marketing tools install these trackers by default. The penalties under VPPA can be steep, and each viewer could be a separate violation.
Child Privacy Lawsuits: TikTok v. the World. TikTok is facing lawsuits across the U.S. and internationally for allegedly collecting children’s personal data without proper consent. In some cases, kids under 13 were using the app, and TikTok allegedly gathered data like device identifiers, browsing activity, and even facial recognition data, all without getting permission from parents. Governments are cracking down. Multiple states, including Texas, Arkansas, and Indiana, have filed their own lawsuits. Meanwhile, in Europe, TikTok is facing billion-dollar class actions for the same issues.
In the U.S., there’s a federal law called COPPA (Children’s Online Privacy Protection Act) that says websites and apps must get verifiable parental consent before collecting data from kids under 13. TikTok is being accused of ignoring or sidestepping that law.
Some courts are allowing these cases to move forward, and TikTok has already agreed to settle similar lawsuits for hundreds of millions of dollars. The message is clear: regulators and judges are not letting big tech off the hook when it comes to protecting kids’ privacy.
Why this matters to SMBs. You might be thinking, “We’re not TikTok. Why does this matter to us?” If your business has an app, game, or website that attracts a young audience, you must follow strict privacy laws like COPPA. Using tools like cookies, analytics, location tracking, or ad targeting can trigger legal risk if underage users are involved.
Washington’s “My Health My Data Act” (MHMDA). Washington State passed a groundbreaking law called the My Health My Data Act (MHMDA), which took effect in 2024. It’s designed to protect personal health-related data, even for companies not covered by HIPAA (the federal health privacy law). This law targets businesses that collect data like location information, fertility tracking, mental health searches, and fitness habits, even if the company isn’t a hospital, doctor, or health insurer. If a business handles anything that feels health-related, it might be covered.
This is one of the strongest consumer privacy laws in the U.S. for health data. It gives consumers broad rights, including the ability to sue companies directly (called a private right of action) if their data is misused. That’s rare, and risky for small businesses.
While MHMDA hasn’t reached the Supreme Court yet, it’s already being used in lawsuits. One of the first cases, Maxwell v. Amazon, claims the company illegally collected health-adjacent location data without consent. Courts are now wrestling with how broadly to interpret what counts as “health data.”
Why this matters to SMBs. This law could apply to many more businesses than you’d think, not just clinics or wellness startups. If your company collects anything about a person’s location near a health facility, mental health resources, fitness activity, or pregnancy tracking, you might fall under this law. You may be using third-party tools (like analytics or marketing platforms) that collect health-related behavior without you realizing it. You can be sued directly under this law, which means real financial and reputational risk.
Overall Takeaways for SMBs.
Privacy isn’t just a legal checkbox anymore; it’s a business differentiator. Today’s customers care about how their data is handled, and regulators are enforcing against privacy violations more aggressively than ever. For SMBs, this means that ignoring data protection is no longer an option. It’s a risk to your brand, your bottom line, and your ability to grow.
But the good news? Businesses that prioritize cybersecurity and transparency are gaining an edge. When you show customers that you take their data seriously, by being upfront about what you collect, limiting what you store, and responding quickly when something goes wrong, you earn their trust. And trust is what drives repeat business, referrals, and resilience when something goes wrong.
Taking privacy seriously also protects you from legal landmines. The same best practices that reduce your risk of getting sued under laws like the VPPA, COPPA, or the My Health My Data Act also help you meet insurance requirements, close deals faster, and build stronger partnerships.
In short: privacy-savvy businesses aren’t just playing defense; they’re positioning themselves to win.
Black Swamp InfoSec helps small and midsize businesses build practical, affordable cybersecurity and privacy compliance programs. We understand the unique challenges SMBs face (limited time, tight budgets, and growing regulatory pressure), and we offer tailored support that makes sense for your business.