THE RUNDOWN
- The trend: Small business lawsuits over website compliance and outdated legal paperwork have surged, driven largely by automated scanning tools that flag violations at scale.
- The cost: A single demand letter can run into the thousands before a business owner even understands what went wrong.
- The catch: None of the seven liabilities below come from bad intentions — they come from paperwork and systems that didn’t keep pace with a growing business.
- The fix: Every one of them is fixable in days, not months, once you know where to look.
On a Tuesday morning in early spring, a boutique furniture company in Ohio received a letter that would cost it eleven thousand dollars before lunch. Not from a supplier. Not from the IRS. From a law firm in Florida, on behalf of a client the owner had never met, alleging that the company’s website could not be used by someone who was blind.
The owner had never heard of the Americans with Disabilities Act applying to a website. He had built the site himself, three years earlier, with a template he found online. He had never been sued before. He would be sued four more times that year, by four different firms, each one having found him through the same automated scanning tools that now comb the internet looking for exactly this kind of oversight.
His story is not unusual. It is, in fact, close to routine.
Every year, thousands of small business owners are sued — not for the reasons they worry about at night, not for a bad product or a disgruntled customer, but for administrative and legal gaps most of them didn’t know existed. These are not exotic risks reserved for large corporations with sprawling legal departments and compliance officers. They are ordinary, quiet liabilities sitting in plain sight on nearly every small business website and employment file in the country — and the businesses that get caught rarely saw it coming.
What makes this particular category of risk so unsettling is how little it has to do with how well a business is run. The furniture company in Ohio was, by every conventional measure, a success story — profitable, well-reviewed, growing steadily for six years. Its owner had done everything he’d been told mattered: he’d found a niche, built a loyal customer base, kept his margins healthy. Nobody had ever told him that the website he’d built himself, the one customers praised for how easy it was to browse, was quietly accumulating legal exposure with every day it stayed unchanged.
That’s the uncomfortable truth sitting underneath most of these liabilities: they are invisible by design. A broken accessibility feature doesn’t show up in sales numbers. An outdated privacy policy doesn’t trigger a warning light. A contractor relationship that’s technically an employment relationship doesn’t feel any different day-to-day, right up until it does. These are the kinds of risks that only become visible the moment someone outside the business goes looking for them — and increasingly, someone is always looking.
What follows is not a scare tactic. It is a map. Below are the seven liabilities most responsible for the lawsuits that land on small business owners’ desks — what they are, why they’re so easy to miss, and what it actually takes to close the gap.
1. Website Accessibility (ADA Compliance)
The Americans with Disabilities Act was written in 1990, long before most businesses had websites. But courts have increasingly interpreted the law to apply to digital storefronts the same way it applies to physical ones — meaning a website that can’t be navigated by a screen reader, or a video without captions, can trigger the same legal exposure as a store without a wheelchair ramp.
This is now one of the most common lawsuit categories against small businesses in the country, driven in large part by law firms that use automated scanners to identify non-compliant sites at scale, then send demand letters — often before the business owner has any idea a problem exists.
What actually creates exposure: missing alt text on images, forms that can’t be completed using a keyboard alone, color contrast too low for visually impaired users to read, and video content without captions or transcripts.
How to close the gap: run your site through a free accessibility scanner (WAVE or similar tools), fix the flagged issues methodically rather than all at once, and revisit the audit any time the site is redesigned. This is not a one-time fix — it’s an ongoing standard, the same way fire code compliance isn’t something a business does once and forgets.
The businesses that handle this well tend to share one habit: they treat accessibility as a design requirement from the outset, not a patch applied after a demand letter arrives. It is considerably cheaper, and considerably less stressful, to build a form correctly the first time than to retrofit an entire site under the pressure of active litigation.
2. An Outdated or Missing Privacy Policy
If your website collects any personal information — an email address on a contact form, a name on a checkout page, even just analytics tracking a visitor’s behavior — you are legally required in most U.S. states, and virtually all international markets, to disclose what you collect and why.
The mistake here is rarely malicious. It’s usually a privacy policy copied from a template years ago, never updated as state privacy laws multiplied, or in some cases no privacy policy at all, on the theory that a business “doesn’t really collect anything.”
What actually creates exposure: state-level privacy laws (California’s CCPA and its expansion, CPRA, being the most aggressively enforced) now require specific disclosures, opt-out mechanisms, and, in some cases, a visible “Do Not Sell My Information” link — regardless of whether the business is based in that state, if it serves customers there.
How to close the gap: treat your privacy policy as a living document tied to what your site actually does, not a boilerplate paragraph. Update it whenever you add a new tool, plugin, or tracking pixel — because each one is likely collecting data you’re now responsible for disclosing.
Many owners assume this obligation only applies to companies large enough to be a household name. It doesn’t. State privacy statutes are increasingly written around thresholds of data volume and revenue that a growing small business can cross without ever realizing it, which is precisely why this liability tends to catch fast-growing companies off guard — the business outgrows its original privacy disclosures long before anyone thinks to revisit them.
3. Terms and Conditions That Wouldn’t Hold Up
A terms and conditions page often exists more as a formality than a functioning legal document — copied from a competitor, generated by a free tool, or written once and never revisited. The problem surfaces the moment a business actually needs it: during a dispute, a refund disagreement, or a customer claiming they were never informed of a policy the business believed was standard.
What actually creates exposure: limitation-of-liability clauses that don’t match the business’s actual operations, refund and cancellation terms that contradict what the business tells customers verbally or in marketing, and — critically — terms that were never actually agreed to by the user in a legally enforceable way (a link in a footer that nobody has to click is weaker than a checkbox someone has to actively check).
How to close the gap: make agreement to your terms an active step in checkout or signup, not a passive footer link, and have the document reviewed against what your business actually does today — not what it did when the document was first written.
Courts have grown increasingly skeptical of what’s known as “browsewrap” agreements — terms a user is presumed to accept simply by using a site, without ever affirmatively agreeing to anything. The stronger, more defensible standard is “clickwrap”: a visible checkbox or button that requires deliberate action. The difference between the two has decided real disputes, and it costs almost nothing to implement correctly.
4. Cookie Consent and Tracking Compliance
Nearly every website uses cookies — small files that track visitor behavior, often through advertising pixels, analytics tools, or third-party plugins the business owner may not even realize are active. The legal requirement to disclose and, in many jurisdictions, obtain consent before tracking a visitor has expanded well beyond the European Union’s GDPR, into a growing patchwork of U.S. state laws.
What actually creates exposure: loading tracking scripts before a visitor has consented, vague or missing cookie banners, and — a subtler trap — installing a marketing or analytics plugin that quietly adds new tracking cookies without the business owner realizing the disclosure obligations changed.
How to close the gap: use a cookie consent tool that blocks non-essential cookies until a visitor actively opts in, and audit your site’s actual cookies periodically (browser developer tools can show you exactly what’s firing) rather than assuming your original disclosure still matches reality.
This is one of the fastest-moving areas of the seven, largely because advertising and analytics platforms update their own tracking behavior constantly, often without notifying the businesses using them. A cookie policy written to match your site as it existed a year ago may no longer describe what your site is actually doing today — not because you changed anything deliberately, but because the tools underneath it did.
5. Worker Misclassification
Few liabilities carry a bigger price tag than this one. Classifying a worker as an independent contractor when the law considers them an employee — based on how much control the business exercises over their schedule, methods, and tools — can trigger back pay, unpaid overtime, tax penalties, and, at scale, class-action exposure.
This liability tends to grow quietly. A business hires one contractor, then five, then twenty, all under the same informal arrangement, never revisiting whether the classification was correct in the first place — often because it worked fine until someone left on bad terms and filed a complaint.
What actually creates exposure: dictating a worker’s hours, requiring specific tools or software, prohibiting them from working with other clients, or treating them functionally like an employee while paying them as a contractor.
How to close the gap: have an employment attorney review your actual working relationships — not just your contracts — against your state’s specific classification test, since these tests vary significantly and some states apply far stricter standards than federal law does.
It’s worth being direct about the scale of exposure here: misclassification cases are rarely resolved as a single, contained dispute. When one worker successfully challenges their classification, it frequently invites scrutiny of every other worker classified the same way, turning what looked like a single disagreement into a pattern the business now has to answer for across its entire roster.
6. Copyright and Trademark Infringement
A stock photo pulled from a Google image search. A font downloaded from an unfamiliar site. A jingle that sounds a little too much like a song the owner grew up with. These small, often innocent choices are responsible for a steady stream of small business lawsuits, frequently initiated by stock photography companies whose entire business model is monitoring the internet for unlicensed use of their images.
What actually creates exposure: using any image, font, or piece of music found online without confirming its license explicitly permits commercial use, and choosing a business name or logo without checking whether it conflicts with an existing trademark.
How to close the gap: use only licensed stock photography (or original photography) with documentation of the license kept on file, and run a basic trademark search before finalizing a business name, logo, or tagline — a modest cost compared to a rebrand forced by a cease-and-desist letter.
Photographers and stock agencies have become notably more sophisticated at detecting unauthorized use, often through reverse image search technology that flags infringement automatically, at scale, across thousands of small business websites simultaneously. What once required a person to notice a stolen photo now requires nothing but time.
7. Data Breach and Cybersecurity Negligence
Even a small business holding minimal customer data — names, emails, payment information — carries legal responsibility for protecting it. When a breach occurs, the resulting lawsuits increasingly hinge not on whether the breach happened, but on whether the business took reasonable, demonstrable steps to prevent it.
What actually creates exposure: storing customer data without encryption, using outdated software with known vulnerabilities, failing to have a documented incident response plan, and — most commonly — simply not knowing what customer data the business is even holding or where it lives.
How to close the gap: conduct a basic data inventory (what you collect, where it’s stored, who has access), keep software and plugins current, and put a simple written incident response plan in place before you need it — the absence of a plan is often treated by courts as evidence of negligence in itself.
The businesses that fare best after a breach are rarely the ones who prevented every possible vulnerability — an impossible standard for any organization of any size. They’re the ones who can demonstrate, clearly and with documentation, that they took reasonable precautions and responded promptly once the breach was discovered. Reasonableness, not perfection, is the actual legal standard — but it has to be demonstrable, which means it has to exist on paper before the moment it’s needed.
The Pattern Underneath All Seven
None of these liabilities come from recklessness. They come from a gap most business owners never notice until it’s tested — a website built once and never revisited, a policy copied years ago, a contractor relationship that quietly outgrew its original terms. The businesses that get sued are rarely the ones cutting corners on purpose. They’re the ones who built something real, moved fast, and never circled back to check whether the legal scaffolding kept pace with the business itself.
That’s the actual throughline: legal exposure isn’t usually a sign a business is doing something wrong. It’s a sign a business grew faster than its paperwork did — which, if anything, is a symptom of success outrunning maintenance, not misconduct.
The fix, in every case above, follows the same shape: know what you actually have, compare it against what the law actually requires today, and close the gap before someone else finds it first. That last part matters. In an era of automated scanning tools and firms that specialize in finding exactly these gaps at scale, the businesses that get caught aren’t unlucky — they’re simply the ones who hadn’t looked yet.
THE BOTTOM LINE
- None of these seven risks require a legal department to fix — just an honest audit and a few hours of cleanup.
- The businesses that get sued aren’t the least careful. They’re the ones who haven’t looked lately.
- Fixing all seven is cheaper, every time, than fighting even one of them in court.
This article is intended for general informational purposes and does not constitute legal advice. Laws vary by state and jurisdiction, and the specifics of your business may change how these liabilities apply. Consult a licensed attorney before making decisions based on the information above.



