Your Website Is the New Liability
What changed in 2026, and what to do about it
A two-part guide for ski area and travel operators, IT and web managers, and the marketing team. If you run a business with a website, this is for you too. The focus is on the ski industry because that is where the newest wave has hit, but the risk sits on almost every business website in the USA.
Part 1. Why this is happening now
The short version
Your website used to be a marketing tool. In 2026 it is now also a legal exposure. The pixels, cookies, chat widgets, booking engines, and analytics scripts that make your site work are now the exact things law firms and regulators are going after. Nothing about your site changed overnight. What changed is who is watching it and what they can do to you because of it.
There are really three things happening at once, and they are stacking on top of each other. A class-action lawsuit wave. A growing patchwork of state privacy laws. And a fight in Washington that will not rescue you any time soon. Here is how each one got here.
The lawsuit wave that kicked it off
If you have had a website for a while, you may remember the news about ADA website lawsuits. A few years back, law firms flooded businesses, including hundreds of ski areas, with class actions claiming their sites were not accessible to people with visual or hearing impairments. A lot of those claims were thin. Businesses settled anyway because fighting cost more than paying. That same playbook is back, and this time it is aimed at your cookies.
The new claims run through California's Invasion of Privacy Act, or CIPA. That law was written in 1967 to deal with wiretapping and eavesdropping. Plaintiffs' firms have taken that old wiretapping language and pointed it at everyday web tech. The argument is that tracking pixels, session-replay tools, chatbots, and analytics scripts quietly capture a visitor's information and hand it to a third party, and that this adds up to illegal wiretapping. Several recent court rulings, including one at the Ninth Circuit Court of Appeals, have let these claims move forward, which is exactly the green light these firms were waiting for.
Here is the part that catches people off guard. You do not have to be in California. A California resident can visit your website from anywhere, and that is enough of a hook. Ski areas well outside California have already gotten demand letters and lawsuits. Reported settlements are running well above twenty thousand dollars each, and most businesses have no insurance coverage set up to defend this kind of claim. So, firms lean on that. They push for a fast settlement because fighting is expensive and the statutory damages are scary. Industry attorneys have called it close to legal extortion, and that is a fair description.
CIPA is not the only tool either. California's Consumer Privacy Act, the CCPA, is a separate law, and plaintiffs' firms are using it the same way, arguing that the same tracking tech illegally captures and shares personal information. Courts are letting CCPA claims proceed too. So you have two overlapping theories, both live, both being filed fast. The firms are rushing to get claims on file before California can change the law. The legislature tried to amend CIPA and that effort failed, so nothing is getting fixed in the near term, and any future fix is unlikely to erase claims that were already filed.
This is not only lawsuits. Regulators are writing checks too
If you think this is just opportunistic law firms, look at what state regulators have already collected. These are real enforcement actions, not theory:
- Healthline, 2025, about $1.55 million. Failed to honor opt-outs, including Global Privacy Control signals, and shared sensitive browsing data with ad partners.
- Honda, 2025, about $632 thousand. Problems with how it handled consumer-rights requests and third-party data sharing through connected services.
- Todd Snyder, 2025, about $345 thousand. A privacy portal that was misconfigured, opt-outs that were delayed, and too much data collected just to process a rights request.
- Sephora, 2022, about $1.2 million. Failed to disclose that its use of tracking pixels counted as a data sale, and failed to honor Global Privacy Control signals.
Notice the pattern. Almost every one of these comes back to the same handful of issues: not honoring opt-out signals, sharing data with ad partners without a clear basis, and a privacy policy that did not match what the site actually did. That last point is the one to sit with. A privacy policy alone does not protect you. The exposure is in what your website actually loads, tracks, and sends, not in the document you posted about it.
The state patchwork got a lot wider on January 1
While the lawsuits were ramping up, the underlying laws kept multiplying. More than twenty states now have comprehensive privacy laws on the books, and 2026 was a big year for both new laws and tougher versions of old ones.
- Three brand new state laws took effect January 1, 2026: Indiana, Kentucky, and Rhode Island. Rhode Island's version reaches smaller businesses than most and puts a specific notice requirement on commercial websites, regardless of size.
- Colorado's grace period is gone. The right to cure a violation before enforcement expired at the end of 2025. Now penalties can move forward with no cushion.
- Connecticut is casting a wider net. It is dropping its threshold from 100,000 to 35,000 consumers, which pulls in a lot more mid-sized businesses, and it now covers any business that processes sensitive data at all.
- Universal opt-out signals are becoming mandatory. Colorado, Connecticut, and Oregon now require sites to honor browser-level opt-out signals like Global Privacy Control. This is the same signal that shows up in the enforcement cases above.
- Oregon is restricting precise location data, and California rolled out new rules on automated decision-making, risk assessments, cybersecurity audits, a 30-day breach notification clock, and a new data-broker deletion platform.
- Vermont just became the 23rd state with a comprehensive law. It does not take effect until 2028, but it adds first-of-their-kind pieces like AI training disclosure and health-data protections with no size threshold, which tells you where this is all heading.
The takeaway is not that you need to memorize 23 laws. It is that the ground keeps shifting under you, cure periods are disappearing, thresholds are dropping, and the safe assumption is that you are in scope for something, even if you were not last year.
Surveillance pricing is the next front opening up
Here is a newer one to keep on your radar. States are starting to ban what is called surveillance pricing, where a business uses a shopper's personal data to set an individualized price for that specific person. In June 2026, New York passed the One Fair Price Act, becoming the third state to ban the practice, after Maryland and Connecticut. New Jersey and California are looking at similar bills. If any part of your pricing, dynamic packages, or personalized offers leans on visitor data, this is a trend worth watching before it becomes your problem.
Do not count on Washington to save you
A lot of business owners are hearing about a federal fix and hoping it makes all of this go away. That is the SECURE Data Act. The pitch is appealing: one national privacy standard instead of the state-by-state mess, clear rules, and an end to the big-money lawsuits. It would also preempt almost all state privacy laws, which is the whole point for its backers.
But be realistic about where it stands. It went through a House subcommittee hearing in June 2026 and split straight down party lines. Supporters call it a small-business-friendly national standard. Critics, including consumer-privacy groups, call it weaker than the weakest state law and say it would wipe out stronger protections like biometric laws, kids' online safety rules, and the surveillance pricing bans that just passed. It is nowhere near becoming law, and even if it does pass, it is unlikely to erase the CIPA and CCPA claims that are already being filed against businesses right now. In other words, do not wait for it. Plan as if it is not coming, because for the next year or two, it effectively is not.
Why this hits resorts and travel brands especially hard
Ski areas, DMOs, and travel brands are close to a perfect target for this. Your sites are busy. You run booking and lodging engines, ticketing and ecommerce, retargeting pixels for your ad campaigns, email signup forms, CRM integrations, chat widgets, web cams, embedded maps and weather feeds, and years of marketing tags that got added by different people who have long since moved on. Nobody has a full list of what is running. That is not a knock on your team; it is just how resort websites grow. But every one of those scripts is a place where data leaves your site and goes somewhere else, and that is exactly what these claims and these laws are about.
And remember, the accessibility lawsuits never actually went away. So resorts are now facing two website threats at the same time. Privacy and data on one side, ADA and accessibility on the other. Same website, same exposure, two separate waves of demand letters.
Part 2. What to do right now
Your website is still one of the most important things your business owns. It is how people find you, book you, and buy from you. The goal here is not to be scared of it. The goal is to know what it actually does, fix the obvious gaps, and get the right people in the room before a demand letter shows up. Here is the order we would do it in.
Start with what your site actually does, not what you think it does
Almost every problem in this space traces back to the same root cause: nobody knows the full list of scripts, pixels, cookies, and vendors running on the site. So that is step one. Before you buy anything or write any policy, get an honest inventory. You cannot protect an asset you have not mapped. A low-cost scan and audit is the smartest first move because it turns a vague worry into a specific list you can act on.
The nine-step checklist you can start this week
- Scan the site for every cookie, pixel, tracker, and third-party script that loads. Get the real list, not the list you remember setting up.
- Identify which of those vendors actually collect or receive personal data, and what they do with it.
- Confirm whether your site honors Global Privacy Control and other universal opt-out signals. This is now required in several states and it shows up in the biggest enforcement cases.
- Add or fix cookie consent based on where your visitors are, so non-essential trackers do not fire before someone agrees to them.
- Make your Do Not Sell or Share and privacy-rights links easy to find, not buried in a footer nobody clicks.
- Read your privacy policy against the scan results and see if it actually matches reality. If it describes tools you removed or skips tools you use, fix it.
- Write down your vendor responsibilities and data flows, so you know who touches what and you have agreements in place.
- Set up a simple internal process for handling deletion, access, correction, and opt-out requests when they come in, so you are not scrambling.
- Re-scan after you add a new plugin, launch an ad campaign, swap booking tools, or drop in new marketing tags. This is not a one-time project; it is a habit.
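The scan and policy-match steps above (get the real list of third-party scripts and pixels, then read the privacy policy against it) in working form. This is an added example, not nxtConcepts code or any scanning product; the site host, vendor table and page HTML are constructed samples, and the two `.test` vendors are invented placeholders.

```javascript
// Added example, not nxtConcepts code: build the "real list" of third-party
// hosts a page actually loads and compare it with the vendors the privacy
// policy names. The site host, vendor table and HTML are constructed samples.

const SITE_HOST = "www.example-resort.test"; // constructed first-party host

// Constructed vendor table: hostname -> vendor name and purpose. In a real
// audit this table is built up from scan results and vendor contracts.
const VENDOR_MAP = {
  "www.googletagmanager.com": { vendor: "Google Tag Manager", purpose: "tag container" },
  "connect.facebook.net":     { vendor: "Meta Pixel", purpose: "advertising" },
  "www.facebook.com":         { vendor: "Meta Pixel", purpose: "advertising" },
  "cdn.chatwidget.test":      { vendor: "Chat widget (constructed)", purpose: "support chat" },
  "book.lodging-engine.test": { vendor: "Lodging engine (constructed)", purpose: "booking" },
};

// Collect every host a script, iframe or image loads from, skipping first-party
// URLs. A regex is enough for static HTML; a crawler would also watch requests.
function extractResourceHosts(html) {
  const re = /<(?:script|iframe|img)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const url = new URL(m[1], `https://${SITE_HOST}/`);
      if (url.hostname !== SITE_HOST) hosts.add(url.hostname);
    } catch (_) { /* malformed src attribute: skip it */ }
  }
  return [...hosts].sort();
}

// Compare the scanned hosts with the vendors the privacy policy declares:
// matched, known vendor the policy omits, or a host nobody can even name.
function auditThirdParties(html, declaredVendors) {
  const declared = new Set(declaredVendors);
  const report = { matched: [], undeclared: [], unknownHost: [] };
  for (const host of extractResourceHosts(html)) {
    const entry = VENDOR_MAP[host];
    if (!entry) report.unknownHost.push(host);
    else if (!declared.has(entry.vendor)) {
      report.undeclared.push(`${entry.vendor} (${host}, ${entry.purpose})`);
    } else report.matched.push(entry.vendor);
  }
  return report;
}

// Constructed page: a tag container, Meta pixel (image and script), a chat
// widget, a booking iframe, a first-party script and a forgotten retargeter.
const SAMPLE_HTML = `
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<img src="https://www.facebook.com/tr?id=000&ev=PageView" height="1" width="1">
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn.chatwidget.test/loader.js"></script>
<iframe src="https://book.lodging-engine.test/widget"></iframe>
<script src="/assets/app.js"></script>
<script src="https://tags.old-retargeter.test/pixel.js"></script>`;

// Vendors the (constructed) privacy policy actually names.
const POLICY_DECLARES = ["Google Tag Manager", "Lodging engine (constructed)"];
```

Running `auditThirdParties(SAMPLE_HTML, POLICY_DECLARES)` flags the Meta Pixel and chat widget as loaded but undeclared, and the old retargeter as a host no one has accounted for, which is the mismatch the enforcement cases keep turning on.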
Who you need in the room
This is not a problem any one person or vendor solves alone. It sits at the intersection of legal, insurance, and technical, and the mistake most businesses make is treating it as only one of those. Here is who to call and what to ask each of them.
A privacy lawyer, not just your general counsel
You want someone who actually knows CIPA, CCPA, and state privacy law, because this is a specialty now. Ask them:
- Are we exposed under CIPA or CCPA even though we are not based in California?
- What consent standard do we actually need for the states our visitors come from?
- Should we add arbitration and class-action-waiver language to our website terms and consent flow, and what should it say? There is real language being used for this, and it should come from a lawyer, not a template, not an AI like ChatGPT.
- If we get a demand letter, what is our response, and what should we absolutely not do?
Your insurance broker or carrier
This is the call people skip, and it is the one that hurts the most later. A lot of businesses assume their cyber or general liability policy covers this. Many policies specifically exclude privacy and wiretapping claims. Ask them, in writing:
- Does our current policy cover privacy litigation, CIPA or wiretapping claims, and statutory damages?
- What exactly is excluded, and is there a rider or endorsement we need to add?
- If we got a demand letter today, would you defend it, and up to what limit?
A web and marketing-tech specialist
This is where the actual fixing happens, and where an agency like ours lives. Whoever owns your site needs to be able to:
- Run the scan and give you the real inventory of scripts, pixels, and vendors.
- Put a proper consent management platform in place and configure it so trackers are blocked before consent, and set up tag governance so nothing new slips in unmanaged.
- Confirm the site honors Global Privacy Control, wire up your opt-out and privacy-rights links, and make sure your privacy policy matches what the site does.
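The two technical items that keep coming up, blocking trackers before consent (checklist item 4, and the consent-platform task above) and honoring Global Privacy Control (checklist item 3, and the task just above), as a small tag gate. This is an added example, not nxtConcepts code or any consent platform's code; the tag inventory, purposes and `.test` hosts are constructed assumptions. The property it reads, `navigator.globalPrivacyControl`, is the browser-side form of the GPC signal.

```javascript
// Added example, not nxtConcepts code: a tag gate that decides which third-party
// tags may load on a page view. Essential tags always load. A Global Privacy
// Control signal (navigator.globalPrivacyControl === true) is treated as an
// opt-out of sale/share, so advertising tags stay blocked under it regardless
// of banner choice (letting the signal win is a policy decision made here).
// Every other non-essential tag waits for recorded consent for its purpose.
// The tag inventory and purposes are constructed assumptions.

const TAGS = [
  { id: "booking-engine", purpose: "essential",   src: "https://book.lodging-engine.test/widget.js" },
  { id: "analytics",      purpose: "analytics",   src: "https://analytics.vendor.test/a.js" },
  { id: "meta-pixel",     purpose: "advertising", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "chat-widget",    purpose: "functional",  src: "https://cdn.chatwidget.test/loader.js" },
];

// Read the browser-level opt-out signal; a missing property means no signal.
function gpcSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// consent is null before the visitor has chosen, otherwise an object keyed by
// purpose, e.g. { analytics: true, advertising: false, functional: true }.
function decideTags(tags, nav, consent) {
  const gpc = gpcSignalled(nav);
  const decisions = { load: [], blocked: [] };
  for (const tag of tags) {
    let reason = null;
    if (tag.purpose === "essential") reason = null;
    else if (gpc && tag.purpose === "advertising") reason = "gpc-opt-out";
    else if (!consent) reason = "awaiting-consent";
    else if (!consent[tag.purpose]) reason = "consent-declined";
    if (reason === null) decisions.load.push(tag.id);
    else decisions.blocked.push({ id: tag.id, reason });
  }
  return decisions;
}

// Inject only the approved tags; `doc` is the page's document. Nothing is
// appended for a blocked tag, so no request to that vendor leaves the browser.
function loadApprovedTags(tags, decisions, doc) {
  const approved = new Set(decisions.load);
  const injected = [];
  for (const tag of tags) {
    if (!approved.has(tag.id)) continue;
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
    injected.push(tag.src);
  }
  return injected;
}

// Typical page wiring (runs only in a browser): decide, then load, and re-run
// after the consent banner records a choice.
if (typeof navigator !== "undefined" && typeof document !== "undefined") {
  const consent = null; // constructed: read your CMP's stored choice here instead
  loadApprovedTags(TAGS, decideTags(TAGS, navigator, consent), document);
}
```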
An accessibility specialist for the other wave
Since the ADA and accessibility lawsuits are running in parallel, handle both while you are in there. Someone who knows WCAG can tell you where your site falls short and fix it, and as a bonus, better accessibility also helps your search ranking, your visibility in AI search, and your conversions. It is the rare compliance task that also makes you money.
What not to do
- Do not rush to settle. A fast settlement feels like making the problem go away, but it can paint a target on you for the next firm (especially if the issues were not addressed) and, in a tight-knit industry, it can make the whole problem worse for everyone. Talk to your lawyer before you pay anyone a dime.
- Do not let an AI tool write your consent and legal language. Using AI to draft a blog post is fine. Using it, or a generic plug-in, to auto-generate the binding consent language that is supposed to protect you legally is not. That language needs a lawyer's eyes. Getting it wrong can create a bigger problem than the one you were trying to solve. Never forget, AI cannot walk into a courtroom with you.
- Do not lean on your privacy policy as your shield. It is necessary but it is not enough. The exposure is in what the site actually does.
- Do not wait for a demand letter to find out what is on your site. The whole point of the scan is to know before someone else tells you. Once a letter arrives, your options get more expensive and more stressful.
The bottom line
Privacy compliance is no longer a legal-document problem you can hand to counsel once and forget. It is a live website problem tied to what your site loads, tracks, and collects, and it changes every time someone adds a tag or a plugin. Hiding in today's AI-driven world is not an option. The businesses that get ahead of this are the ones that treat their website like the critical, valuable asset it is: they map it, they fix it, they insure it, and they keep an eye on it. The ones that wait are the ones writing the settlement checks.
If you want a starting point, run a scan of your site and get the real list of what is on it. That one step turns all of this from a vague fear into a to-do list. That is usually the moment the whole thing stops feeling overwhelming and starts feeling manageable.
Quick answers
I am not in California. Why would a California privacy law affect my business?
Because a California resident can visit your website from anywhere, and that can be enough to bring your site under CIPA or CCPA. Businesses well outside California have already received demand letters and lawsuits over their website tracking.
Isn't having a privacy policy enough?
No. Almost every recent enforcement case came back to a mismatch between what the privacy policy said and what the website actually did, or a failure to honor opt-out signals. The real exposure is in the site's behavior, the pixels, scripts, and vendors, not the posted document.
What is Global Privacy Control and why does it keep coming up?
It is a browser-level signal that tells a website a visitor is opting out of having their data sold or shared. Several states now require sites to honor it, and failing to honor it is behind some of the largest privacy settlements to date, including Sephora and Healthline.
Will the federal SECURE Data Act fix all of this?
Not any time soon. As of mid-2026 it has only had a subcommittee hearing and it split along party lines. Even if it eventually passes, it is unlikely to erase the claims already being filed. Plan as if it is not coming.
What is the single most useful first step?
Scan your website to get the real inventory of every cookie, pixel, tracker, and third-party vendor running on it. You cannot fix or protect what you have not mapped, and that one list makes every other decision easier.
Sources
Where the numbers and legal developments in this piece come from:
- Baker Donelson, Privacy Laws Ring in the New Year: State Requirements Expand Across the U.S. in 2026. New 2026 state laws (Indiana, Kentucky, Rhode Island), Colorado cure-period sunset, Connecticut threshold drop, Oregon location rules, California ADMT and breach-notice changes, and universal opt-out requirements.
- Baker Donelson, U.S. Consumer Data Privacy Law Guides. State-by-state reference on comprehensive privacy laws.
- Frankfurt Kurnit Klein & Selz, Vermont Enacts Comprehensive Privacy Law. Vermont as the 23rd state, AI training disclosure, and health-data provisions.
- EPIC, New York Becomes Third State to Pass Surveillance Pricing Ban. New York One Fair Price Act, following Maryland and Connecticut.
- StateScoop, House subcommittee splits on SECURE Data Act that preempts state privacy laws. Status of the federal bill and its preemption of state laws.
- Kingsport Times News, SECURE Data Act offers clear, enforceable privacy rules without the big money lawsuits. The case supporters make for the federal bill.
- National Ski Areas Association risk and regulatory briefing (Dave Byrd) and the Ski California privacy compliance webinar. Source for the CIPA and CCPA class-action wave, the Ninth Circuit rulings, reported settlements above twenty thousand dollars, and the enforcement figures for Healthline, Honda, Todd Snyder, and Sephora.
About nxtConcepts. We are a full-service digital marketing and web development agency with more than 23 years of work in ski resorts, travel and tourism, DMOs, and ecommerce. We help resorts and destination brands close the gap between what a website says it does and what it actually does.
nxtConcepts is not a law firm and does not provide legal advice or legal representation. Any recommendations we make are for informational and self-help purposes only and are not a substitute for the advice of a licensed attorney. Whether a particular law, such as California's privacy rules (CCPA/CPRA), the EU's GDPR, or others, applies to you, and the exact language those laws require, depends on facts that only a qualified attorney can assess. nxtConcepts strongly recommends that businesses have their own attorneys review all Terms of Service, privacy, and cookie documents before they are relied upon.