Why California Small Companies Get Sued Over Their Websites

California small businesses are increasingly hit with ADA website accessibility and privacy lawsuits because their sites don't meet legal standards. The good news: you can prevent most of these claims with a few practical fixes to accessibility, privacy disclosures, and consent tools. Here's what's happening and what to actually do about it.
The short version: what's actually happening
There's a steady wave of lawsuits and demand letters aimed at small and mid-sized California businesses over their websites. These claims fall into two main buckets. The first is accessibility, where a site can't be used by people relying on screen readers or other assistive tech. The second is privacy, where a site quietly collects visitor data through tracking tools without proper consent.
For years, big national brands took the hits. That's changed. Automated scanning tools let plaintiff firms check thousands of sites at once, and a small dental office or local retailer is just as scannable as a Fortune 500 site. You don't need a giant web presence to land on someone's list.
Why California businesses are a bigger target
California stacks state law on top of federal rules, which raises the stakes.
The Unruh Civil Rights Act sits on top of the federal ADA and allows statutory damages per violation. That means a plaintiff doesn't have to prove they lost money, just that the barrier existed. California's privacy laws (CCPA and CPRA) and its wiretapping statute (CIPA) add another layer, with CIPA claims now being used against common website tracking tools.
Then there are serial plaintiff firms running automated scans across huge lists of sites, looking for the same handful of fixable problems. And here's the part that surprises people: you don't need a physical storefront for any of this. Your website alone can trigger a claim.
The two lawsuit types you need to understand
1. Website accessibility (ADA & Unruh)
These claims target sites that assistive technology can't navigate. Common triggers include images with no alt text, poor color contrast, form fields with no labels, and pages that can't be used with a keyboard alone.
Most owners first hear about it through a demand letter from a law firm representing a plaintiff. The letter cites specific failures and offers to settle. What it means for you is a three-part cost: legal fees, the work to actually fix the site, and the reputation hit of being named in a complaint.
2. Privacy & tracking lawsuits (CCPA, CIPA "wiretapping")
This bucket is newer and catches a lot of people off guard. Chat widgets, session recorders, and ad pixels capture visitor behavior and data, sometimes before the visitor agrees to anything. Plaintiffs argue this amounts to intercepting communications without consent.
Add a missing or outdated privacy policy and a cookie banner that doesn't really do anything, and you've got the makings of a claim. The line "I just installed the Facebook pixel to track ads" is exactly the kind of thing that turns into a lawsuit.
Common red flags hiding on your site
Most of these are easy to spot once you know to look:
- Embedded YouTube or Vimeo videos that load third-party tracking cookies before a visitor consents
- Google Analytics or Meta Pixel firing the moment a page loads, with no consent gate
- Live chat or session-recording tools (like Hotjar) capturing visitors silently
- Contact forms with no labels and images with no alt text
- An outdated or template privacy policy that doesn't match what your site actually does
- A cookie banner that's decorative only, where scripts run whether someone clicks "accept" or "decline"
- Embedded maps, web fonts, and social feeds quietly sending data to third parties
None of these require a developer to find. A careful review of your own site, page by page, surfaces most of them.
What it actually costs your business
Let's keep this plain. Demand letters often seek settlements in the low thousands to low tens of thousands of dollars, depending on the firm and the claim. Add legal fees to respond, plus the cost of remediation work.
There's also the "do it twice" cost. Businesses that scramble to fix a site under deadline pressure often pay for rushed work, then pay again to do it right. And the quiet cost is your attention: time spent on this is time not spent running your business.
How to protect your website (practical checklist)
- Run an accessibility audit against WCAG 2.1 AA, the standard courts generally point to
- Fix the common issues: alt text, proper heading structure, color contrast, keyboard navigation, and labeled form fields
- Publish a clear, current privacy policy and a working cookie or consent banner
- Inventory every third-party script: chat, analytics, pixels, embeds, and fonts
- Use a real consent gate that blocks tracking until the visitor opts in (not a banner that does nothing)
- Document your remediation work, since a good-faith effort can matter
- Don't rely on an "accessibility overlay" widget as a one-click fix. Overlays are widely criticized and have themselves been named in lawsuits
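A first pass at the script inventory and the red-flag list above can be automated. The following is an added example, not part of the original article: it parses one page's HTML and reports third-party hosts contacted at load, images with no alt attribute, and form fields with no label. The class name, function name, and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute that makes the browser fetch from another host at page load.
LOADERS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class RedFlagAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.third_party = set()    # (tag, host) loaded from other hosts
        self.missing_alt = []       # src of <img> with no alt attribute
        self.label_targets = set()  # ids named by <label for="...">
        self.fields = []            # (id, has ARIA label) per form field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(LOADERS.get(tag, ""))
        if tag == "link" and "stylesheet" not in (a.get("rel") or ""):
            url = None              # canonical/alternate links load nothing
        host = urlparse(url).hostname if url else None  # None if relative
        if host and host != self.site_host:
            self.third_party.add((tag, host))
        if tag == "img" and "alt" not in a:   # alt="" is valid (decorative)
            self.missing_alt.append(a.get("src", ""))
        if tag == "label" and a.get("for"):
            self.label_targets.add(a["for"])
        if tag in ("input", "select", "textarea") and \
                a.get("type") not in ("hidden", "submit", "button"):
            aria = a.get("aria-label") or a.get("aria-labelledby")
            self.fields.append((a.get("id"), bool(aria)))

def audit(html, site_host):
    p = RedFlagAudit(site_host)
    p.feed(html)
    # Labels that wrap their input (no for=) are not detected here.
    unlabeled = [fid for fid, aria in p.fields
                 if not aria and fid not in p.label_targets]
    return sorted(p.third_party), p.missing_alt, unlabeled

# Constructed sample page; hosts match tools named above, ids are placeholders.
SAMPLE = """
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/js/site.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<img src="/img/team.jpg"><img src="/img/divider.png" alt="">
<form><label for="email">Email</label><input id="email" type="email">
<input id="phone" type="tel"><input type="submit" value="Send"></form>"""
```

This reads only the static HTML. Tags that a tag manager or another script injects at runtime do not appear in it, so confirm the result against the browser's network panel with consent declined.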
Where a managed IT / MSP partner fits in
This is where having a technology partner saves headaches. A good MSP coordinates the moving pieces: the audit, your hosting, and whoever does the developer fixes, so nothing falls through the cracks.
We inventory every third-party script and embed running on your site, keep your CMS, plugins, and security patches current (an outdated plugin is its own risk), and set up ongoing monitoring instead of treating compliance as a one-time project. Sites change. New tools get added. Monitoring catches the next pixel someone installs.
One honest note: IT handles the technical and operational side. For the legal interpretation of your specific risk, especially if you've received a demand letter, loop in an attorney. We work alongside them.
Quick-start action plan for busy owners
- This week: run a free accessibility scan and confirm you have a current privacy policy
- This month: audit your tracking scripts and embeds, then schedule professional remediation
- Ongoing: re-test after every site update or new tool you add
Frequently asked questions
Does my small business website really have to be ADA compliant?
In practice, yes. California's Unruh Act and federal ADA case law have been applied to business websites regardless of size, and a physical location isn't required to be targeted.
Will a cookie banner or accessibility widget protect me from lawsuits?
Not on their own. A banner that doesn't actually block tracking offers little protection, and overlay widgets have been criticized and even named in claims. Real fixes to the site matter more.
Are embedded videos and analytics really a legal risk?
They can be. Tools that collect or transmit visitor data before consent are the basis for many CIPA and CCPA claims. The fix is consent gating and a privacy policy that matches reality.
What do I do if I already received a demand letter?
Contact an attorney first, and don't ignore it. Then have your site reviewed so any settlement comes with a real fix, not a repeat problem.
If you'd like a second set of eyes on your site before someone else scans it, we're happy to help. Reach out and we'll walk through where you stand.
