Data Sharing Through Tracking Pixels Leading to Unanticipated Liability
Introduction
While privacy has long been a legal concern, the prevalence of lawsuits against companies using data-collecting websites and apps has surged. Tracking technologies such as Meta’s Pixel and Google Analytics have become primary targets of international, federal, and state enforcement, as well as the plaintiffs’ bar. These tools, commonly used for analytical and marketing purposes, often collect more data than companies realize, especially when default configurations are accepted. Marketing teams may customize these tools further without consulting privacy counsel, exacerbating the issue. Recently, congressional Democrats asked the Department of Justice to investigate tax preparation companies for sharing extensive taxpayer data with Google and Meta. Meta had already faced scrutiny after reports revealed its tracking program on hospital websites, potentially violating federal health care privacy laws.
The Proliferation of Lawsuits
Numerous lawsuits have been filed across multiple states targeting companies that use tracking programs. State attorneys general have launched investigations, and federal agencies have warned health care providers about potential HIPAA violations if they use these technologies. These developments underscore the need for companies to understand not only the data they collect directly from consumers but also how third parties use that data. Often, marketing and product teams focus solely on the aggregated results without considering the data elements collected. With new state privacy laws, the definition of personal information has expanded beyond Social Security numbers and financial account information to include data like browser IP addresses.
Understanding Tracking Pixels
A tracking pixel is a snippet of JavaScript that loads when a user visits a website, opens an email, or engages in other online activities. It allows companies to monitor user behavior, web traffic, purchase conversions, and other metrics. These pixels enable targeted marketing efforts but can also inadvertently share user data. Tracking technologies are often free and easy to install by developers or through partner integrations. However, if not configured correctly, they may collect and share user data. Meta reported in 2018 that there were over 2 million tracking pixels on the web, a number that has since grown significantly.
Legal Actions and Regulations
In 2022, plaintiffs’ attorneys focused on health care companies that unintentionally shared patient information through tracking pixels. Class actions sought civil damages for unauthorized disclosures of personally identifiable information (PII) and personal health information (PHI). A notable case involving Mass General Brigham resulted in an $18.4 million settlement, prompting the Department of Health and Human Services to update its guidance on using tracking technologies to avoid HIPAA violations. Washington state's My Health My Data Act has also broadened the definition of health data to include any personal information linked to a consumer's health status.
Beyond health care, companies like Chick-fil-A, iHeartMedia, Bass Pro Shops, H&R Block, and Lee Enterprises have faced lawsuits for data sharing through Meta Pixel. These cases often allege violations of the Video Privacy Protection Act (VPPA), which prohibits video service providers from knowingly disclosing personally identifiable information without consumer consent. The VPPA has been interpreted to apply to websites streaming online videos, extending its reach to many modern digital services.
Navigating Legal Challenges
To mitigate risks, companies should take several proactive steps:
1. **Assess Tracking Pixel Usage:** Use tools to determine if your website uses tracking pixels. Have your website developer or webmaster review the HTML code and app functionality for tracking technologies like Meta Pixel or Google Analytics.
2. **Conduct a Cookie Analysis:** Determine what cookies are set by your code and adjust your cookie preference manager accordingly.
3. **Review Third-Party Agreements:** Ensure that your agreements with third-party plugins and partners are up-to-date and reflect your data-sharing practices.
4. **Align Privacy Policies:** Work with privacy counsel to ensure that your privacy policy accurately reflects your data collection and use practices. Ensure that any separate cookie statements are consistent with actual practices.
5. **Consider Removing Non-Essential Pixels:** Evaluate whether tracking pixels are essential to your business. Many companies have discovered that they can remove these pixels without impacting their operations.
Conclusion
Ignoring the issue of tracking pixels and data sharing can lead to significant legal and financial consequences. Companies must be diligent in understanding how their data is collected and used, ensuring compliance with evolving privacy laws. By taking proactive measures, businesses can protect themselves from unanticipated liabilities and foster trust with their users.
---
References
- For more information, visit [Brownstein Client Alert](https://www.bhfs.com/insights/alerts-articles/2023/data-sharing-through-tracking-pixels-leading-to-unanticipated-liability).
- Details on the Video Privacy Protection Act (VPPA) can be found [here](https://www.law.cornell.edu/uscode/text/18/2710).
- The Department of Health and Human Services guidance on tracking technologies is available [here](https://www.hhs.gov/hipaa/for-professionals/special-topics/tracking-technologies/index.html).
- Information on Washington state's My Health My Data Act can be accessed [here](https://www.atg.wa.gov/my-health-my-data-act).
Read more at: [Brownstein Client Alert](https://www.bhfs.com/insights/alerts-articles/2023/data-sharing-through-tracking-pixels-leading-to-unanticipated-liability).
POST A COMMENT