In recent months, digital privacy risks stemming from tracking pixels and other web technologies have caught the attention of law firms, regulators and insurers. The increasing awareness of data collection and website tracking by businesses – whether intentional or not – has become a critical factor in determining risk levels for security leaders. As context, tracking pixels are used across a spectrum of advertising technologies to understand consumer behavior. Unlike browser cookies, pixels can send more personal information to third parties such as Meta or Google, potentially making users of those platforms identifiable and allowing their activity to be followed across different devices to target ads in multiple channels. This often happens with the Meta Pixel, which is present on more than 30% of popular websites.
The potential for class action lawsuits and regulatory investigations is growing by the day, so it’s critical for organizations to have conversations about tracking technology now, bearing in mind industry considerations since all business models are different. Although the urgency is more evident for industries like healthcare, all organizations should be paying attention.
Healthcare’s Privacy Data Spiral
In June 2022, The Markup published a report stating that one-third of the top 100 US hospitals were sending sensitive data to Facebook via website pixels. This report led to a flurry of class action lawsuits against healthcare providers, as well as data breach notifications by health systems that used website tracking on sensitive website pages like patient portals. This uptick in data privacy concerns has become a key aspect in how risk strategies have evolved for healthcare organizations.
Following the report and lawsuits, the US regulator responsible for the healthcare sector, the Department of Health and Human Services Office for Civil Rights (OCR), issued guidance in December 2022. The OCR guidance essentially instructs healthcare entities to stop using tracking technologies to the extent they could provide protected health information (PHI) to third parties without a business associate agreement. It also instructs healthcare entities that have or had website tracking in place to assess whether a data breach has occurred and respond accordingly. The OCR outlined what regulated entities need in order to comply with HIPAA while using tracking technologies, but doing so will prove extremely difficult in practice. As a result, many healthcare privacy and security leaders will deem the risk of using tracking technologies too great and seek to remove the code from their websites.
The Ripple Effect Across Other Industries
While some plaintiff firms focus solely on healthcare, others branch out to other industries. We anticipate that highly regulated industries like financial services will be targeted, and we see this trend already coming to fruition with lawsuits against tax preparation software providers that use the Meta pixel on their websites.
But beyond regulated industries, plaintiffs’ firms view any website hosting videos alongside tracking technology as a potential target for Video Privacy Protection Act (VPPA) claims. For example, Chick-Fil-A was recently hit with a class action lawsuit related to the use of Meta pixels on a website it used to provide children’s videos to customers. In addition to VPPA claims, recent cases have also alleged that the Meta pixel constitutes eavesdropping or wiretapping under federal and state wiretapping laws. With the potential for statutory damages, I anticipate more lawsuits will be filed asserting such claims.
Security Leaders Need a Game Plan
Some security leaders have attempted to limit their risks by putting a governance process in place that includes marketing, privacy, IT and legal departments – with the aim of reducing the odds that organizations are implementing tracking in places they shouldn’t be. However, many organizations appear unaware that they are using pixel-tracking technology in the first place (or other tracking technologies, such as session replay).
As a first step, security leaders should review all company websites to determine what tracking technologies are currently in use. The review process should also involve marketing, legal and privacy team members – whether those are internal or external functions. Then, for organizations using tracking technologies, those stakeholders must determine whether significant benefits are derived from their use and whether those benefits outweigh the risk of litigation or regulatory inquiry. Moreover, this cost-benefit analysis is not a one-and-done. The group should meet at least once a quarter to assess whether the legal and regulatory landscape has shifted significantly enough to warrant a change to the website tracking strategy for the company.
Where companies determine that website tracking benefits outweigh the current risks, the legal or privacy team should review website privacy policies and terms and conditions to make sure the use of the technologies is explicit. Organizations should also consult with outside counsel specializing in data privacy compliance to ensure website terms and consent mechanisms put the organization in the best position to defend against a lawsuit.
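As an added example (not from the article), a small inventory script a security team could run over saved copies of its own pages during the review step above: it finds the Meta Pixel and Google gtag loaders, inline init/config calls and the Meta noscript image fallback, then flags hits on sensitive-looking paths such as a patient portal. The signatures are the vendors' well-known public snippets; the path hints and the sample pages are assumptions.

```python
import re
from html.parser import HTMLParser

SRC_SIGS = {  # (tag, vendor): pattern for that tag's src attribute; group 1 is the tracker id, if any
    ("script", "Meta Pixel"): re.compile(r"connect\.facebook\.net/.*/fbevents\.js()"),
    ("script", "Google gtag"): re.compile(r"googletagmanager\.com/gtag/js()"),
    ("img", "Meta Pixel"): re.compile(r"facebook\.com/tr\?(?:[^\"']*&)?id=(\d+)"),
}
INLINE_SIGS = {  # vendor: pattern applied to inline <script> bodies
    "Meta Pixel": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]"),
    "Google gtag": re.compile(r"gtag\(\s*['\"]config['\"]\s*,\s*['\"]([\w-]+)['\"]"),
}

class TrackerFinder(HTMLParser):  # collects (vendor, tracker id or '', evidence) tuples
    def __init__(self):
        super().__init__()
        self.hits, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        src = dict(attrs).get("src") or ""  # valueless attributes such as async map to None
        for (sig_tag, vendor), pat in SRC_SIGS.items():
            m = pat.search(src) if sig_tag == tag else None
            if m:
                self.hits.append((vendor, m.group(1), f"{tag} src"))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):  # <script> bodies arrive here as raw text, not as tags
        if self._in_script:
            for vendor, pat in INLINE_SIGS.items():
                self.hits += [(vendor, m.group(1), "inline call") for m in pat.finditer(data)]

def find_trackers(html):
    finder = TrackerFinder()
    finder.feed(html)
    return finder.hits

def scan_site(pages):  # {path: html} -> {path: hits} for every page where a tracker was found
    report = {path: find_trackers(html) for path, html in pages.items()}
    return {path: hits for path, hits in report.items() if hits}

def sensitive_pages_with_trackers(report, hints=("portal", "patient", "appointment")):
    # Tracked pages whose path looks sensitive; the hints are an assumption, tune them per site.
    return sorted(p for p in report if any(h in p.lower() for h in hints))

SAMPLE_PAGES = {  # constructed sample HTML, not captured from any real site
    "/": "<script async src='https://www.googletagmanager.com/gtag/js?id=G-XXXX'></script>"
         "<script>gtag('config', 'G-XXXX');</script><p>Home</p>",
    "/patient-portal": "<script>fbq('init', '1234567890');fbq('track', 'PageView');</script>"
         "<noscript><img src='https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1'/></noscript>",
}
```

The noscript image fallback is the part most often missed in a manual review, because it fires even when the JavaScript loader is blocked.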
Ad-tracking usage will remain in the spotlight in future years, with government agencies continuing to crack down on organizations that misuse consumer data. Security leaders, privacy experts and cyber insurers must work together, in alignment, to adjust to the changing liability landscape. I encourage all organizations to keep a watchful eye on how the conversation grows and ensure communication across all departments for long-term success and safety.