A recent wave of litigation involving website tracking tools poses important questions about how much consumers should understand about this type of data sharing, what they should reasonably expect, and at what point helpful and welcome advertisements and shopping hints can become an invasion of privacy that may even be actionable.
These tracking tools—including pixels (or tags), chatbots, and session-replay software that stores users’ movements and interactions with websites—allow website operators to collect, store, and analyze user activity across one or more sites.
Most online businesses use some form of tracking to improve the user experience, facilitate and analyze customer interactions, and drive sales.
Companies such as Google, Meta, and Adobe all offer products that analyze website user activity to provide detailed insights on consumers, then direct advertising revenue to where it’s most likely to generate a return. This requires website operators to share, in some form, customer information with these third-party providers of website analytical tools.
The lawsuits challenge use of website tracking tools to collect and share this customer information. The lawsuits are typically brought under common law invasion of privacy theories and federal and state laws prohibiting wiretapping and eavesdropping. They have contributed to an important dialogue about what categories of information consumers can reasonably expect not to be shared.
The question often arises in the context of standing to sue. In response to some of these lawsuits, website operators have argued the individuals who brought them lack standing because the allegedly shared information doesn’t implicate a protectable privacy interest.
In other words, the operators argue that individuals can’t claim privacy violations without first establishing that the personal information at issue is sufficiently private or sensitive to support a right to sue in federal court. But what is sufficiently private or sensitive hasn’t yet been well-defined, and the particular statutes that plaintiffs have relied on to bring these lawsuits offer little guidance.
Health Information
Regulators and courts have determined the unauthorized disclosure of personal health information through website tracking tools should warrant legal relief. The Health and Human Services’ Office for Civil Rights cautioned health-care providers in December 2022 that pixel tools used to disclose personal health information to third parties may violate HIPAA.
The Federal Trade Commission then filed several enforcement actions against digital health companies that used such tools on their websites and mobile apps.
Numerous lawsuits brought by private litigants based on an unauthorized disclosure of health information through website tracking tools are also pending. In September 2023, a federal court declined to throw out a lawsuit alleging Meta collected, using its pixel, personal health information of five anonymous individuals who disclosed the information through their health-care providers’ patient portals.
In his ruling, US District Judge William Orrick of the Northern District of California noted that Meta’s own terms of service and privacy policy supported the plaintiffs’ claims that it promised to block the transfer of this sensitive information, but then failed to implement technologies to fulfill that promise.
Financial Information
Disclosure of financial information through website tracking tools has also been determined to violate a protectable privacy interest. In July, a group of congressional Democrats, led by Sen. Elizabeth Warren (D-Mass.), detailed Meta’s collection of financial information from online tax preparation companies.
The report alleged tax preparation companies shared, using pixels, taxpayers’ data with Meta, Google, and other companies for advertising purposes. The report further alleged the practice violated taxpayer privacy laws that prohibit tax-return preparers from disclosing tax return information without the taxpayer’s written consent.
Several of these online tax preparation companies were then named in class action lawsuits based on similar allegations. One of these lawsuits alleges Meta, Google, and a tax preparation company violated the Racketeer Influenced and Corrupt Organizations Act by conspiring to illegally collect and share tax data and use it for advertising purposes.
Other Personal Information
While health and financial information implicate a protectable privacy interest, courts haven’t agreed on what types of more mundane consumer information—including web searches and purchasing history—lead to the type of harm that deserves legal redress.
This has led to a larger debate of what consumers do, or should, understand about shopping online. On one hand, consumers should have the right to understand what information online retailers collect and use.
California, Colorado, Virginia, and other states enacted laws requiring exactly that. If consumers don’t understand the scope or scale of collection, then these lawsuits could help consumers make better-informed decisions about where and how to shop online.
However, consumers surely also understand that some disclosure of their information is needed to facilitate shopping or even just browsing online. And not all third-party sharing of a consumer’s preferences should land the retailer in court.
Even the one state statute that permits consumers to sue privately if their personal information is disclosed in a breach, the California Consumer Privacy Act, limits its private cause of action to certain types of information, such as credit or debit card numbers, health information, and social security numbers.
Complicating the issue is that many state statutes supporting this wave of lawsuits weren’t drafted to protect consumer privacy. California’s Invasion of Privacy Act and Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, for example, are old laws intended to address and penalize tapping telephone lines, including for industrial espionage, and not to police online commerce.
This leaves many courts attempting to curtail these lawsuits through concepts such as legal standing, rather than statutory language that should define what personal information consumers can expect not to be shared, and what information can support legal redress if shared without consent.
And while it’s unlikely these old statutes will be revised, interpreting the statues by reference to more recent consumer privacy laws may be a good place to start.
The cases are In Re Meta Pixel Healthcare Litigation, N.D. Cal., Docket No. 3:22-cv-03580, 6/17/22 and Hunt v. Meta Platforms Inc., N.D. Cal., Docket No. 5:23-cv-04953, 9/27/23.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s business litigation group, defending clients in data privacy litigation and regulatory proceedings.
Write for Us: Author Guidelines
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.