All insights
Sector Risk AtlasJuly 2, 2026 8 min read

The Ecommerce Risk Atlas: Where Privacy, Wiretapping, and Accessibility Claims Concentrate

Online retail sits at the intersection of nearly every active website-litigation theory. A map of where the claims cluster — and the concrete page behaviors behind each.

Risk intelligence, not legal advice. The patterns below are indicators that have appeared in real litigation or enforcement — not proof of a violation, and not a substitute for counsel.

No sector absorbs more website litigation than online retail. The reason is exposure surface: an ecommerce site runs advertising pixels, captures search and checkout input, embeds product video, charges fees, sells subscriptions, and must be navigable by assistive technology — and each of those is its own active theory. This atlas maps where the claims concentrate and the page behavior behind each.

Accessibility is the volume leader

By sheer count, ADA website accessibility claims dominate, and retail is the bullseye. Roughly 3,900 website accessibility lawsuits were filed across courts in 2025 — up meaningfully over 2024 — and ecommerce and retail accounted for the large majority of them, with apparel and a handful of consumer-goods categories especially heavily represented. Federal filings alone made up a substantial share, and California's Unruh Civil Rights Act adds statutory damages of $4,000 per violation, which is what makes state-court filings there attractive to plaintiffs.

The barriers driving these suits are specific and recurring: unlabeled "add to cart" and icon buttons that screen readers announce as nothing, images of products without alt text, color contrast on sale badges and fine print below accessibility thresholds, carousels and modal dialogs that cannot be operated or dismissed by keyboard, and focus traps in mega-menus. Most map directly to WCAG 2.1 Level AA success criteria — the version the DOJ adopted in its 2024 Title II rule and the standard the great majority of settlements reference (WCAG 2.2 AA, which LawsuitGuard tests against, is a superset that adds newer criteria).

Wiretapping theories follow the checkout funnel

The same CIPA and ECPA theories driving privacy litigation broadly land hard on retail, because retail pages are dense with third-party tags and capture more input than most sites. Several distinct patterns recur:

  • Advertising and analytics pixels on product and checkout pages firing before any consent, transmitting the page URL, product identifiers, and platform cookies.
  • Session-replay scripts capturing checkout and account forms, where the masking question is sharpest because payment and contact fields are in play.
  • Live-chat and chatbot widgets, which plaintiffs frame as recording conversations without disclosure.
  • The search-bar theory, an extension of the pen-register and trap-and-trace framing, alleging that what a shopper types into site search is routed to a third party.

These are the same claims discussed in our litigation-signals coverage, but retail concentrates them on the pages where shoppers enter the most data.

Video pixels add a VPPA layer

Retailers increasingly embed product and how-to videos, and many run the Meta Pixel on those same pages. That combination is the exact configuration behind the wave of Video Privacy Protection Act claims — a title-bearing URL plus a platform identifier, transmitted to a third party. The law here is unsettled and split across circuits, with the Supreme Court set to weigh in on a threshold question in Salazar v. Paramount Global, but the underlying page pattern is common enough in ecommerce to be worth flagging wherever product video and advertising tags coexist.

Pricing and subscriptions are a regulatory front

Two more theories sit on the commercial mechanics of the store rather than its trackers.

The first is fees. The FTC's Rule on Unfair or Deceptive Fees took effect in 2025, requiring that the total price be shown upfront; while its core scope centers on live-event tickets and short-term lodging, state UDAP statutes reach hidden-fee and drip-pricing practices more broadly, and "total price" expectations are migrating across retail.

The second is negative-option and subscription flows — "subscribe and save," free-to-paid trials, and hard-to-cancel memberships. With the FTC's click-to-cancel rule vacated in 2025, enforcement shifted back to ROSCA and a patchwork of state automatic-renewal laws, several of which require clear disclosure of recurring terms and an easy online cancellation path. The exposure did not disappear; it relocated.

Reading the atlas for a single store

For any given storefront, the concentration of risk is observable page by page:

  • Product and category pages: advertising and analytics tags, pre-consent firing, product video plus pixel, image alt text, button labeling.
  • Site search: where queries are routed, and whether third parties receive them.
  • Cart and checkout: session-replay capture and masking, keyboard operability of the flow, total-price presentation, and fee disclosure.
  • Subscription and account flows: recurring-term disclosure, cancellation path, and accessibility of forms.
  • Consent layer across all of the above: whether anything fires before a choice, and whether "reject" actually withholds tags.

Retail's risk is not one problem but a stack of them, unusually colocated. The practical move is the same in each case: look at what the page actually does — what it loads, what it sends, and whether a person using a keyboard or a screen reader can complete the purchase — and prioritize from there.

Sources

See what your own pages do

The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.

Run a free scan

Keep reading