Scrutiny on Tracking Pixels Signals Shift for Data Collection

A widely employed online tracking tool is creating headaches for in-house counsel, with decades-old laws being revived to litigate individual privacy battles and regulators homing in on new commercial surveillance norms.

Pixels, the technology in question, are pieces of tracking software that businesses embed on their websites to better assess the success of advertising campaigns on those platforms. They are provided for free by companies including Alphabet Inc.'s Google and Meta Platforms Inc. But unlike cookies, another type of tracking software, they can’t as easily be blocked with privacy software.

Thanks to a wave of lawsuits and the Federal Trade Commission’s increasingly stern position on how the technology collects and shares consumer data, the potential consequences for improper use have gotten larger than ever. And with lawmakers showing increased interest in privacy topics, companies are taking stock of their own reliance on pixels.

“2023 is the year that in-house counsel must pay attention to the websites,” said David Straite, a partner at DiCello Levitt, an internet tracking plaintiffs litigator. “They must interact with the website developers and say, ‘what code are you putting on this website?’”

A core argument buttressing pixel consumer class actions has been the plaintiffs’ lack of express consent to share their personal data with the third parties that made the tech, Straite said. Litigants are most active against healthcare providers and businesses that host videos online, according to a Bloomberg Law analysis of federal court dockets.

Meanwhile, the FTC has announced two enforcement actions this year against telehealth companies allegedly transmitting sensitive medical data to adtech giants like Google and Meta. The agency is also eyeing online tax preparation companies, including H&R Block, as it finalizes regulations curtailing commercial surveillance.

Of the two main pixel products, the Google Tag has remained popular, while usage of the Meta Pixel started dropping in 2021 for the first time after rising steadily for eight years, according to data compiled by e-commerce data and usage analytics firm BuiltWith.

Coordinating with departments that use these tools, such as sales and marketing, would help balance the incentives of using pixels for targeted advertising and the risks of improper collection, attorneys told Bloomberg Law.

But that’s not the whole story. The fact that Google and Meta can access and use data collected by the pixels impedes in-house’s ability to fine-tune collection controls and thereby limit litigation risk, attorneys said, as there’s little visibility about what the two tech giants are doing with that data.

Meta informs advertisers that they shouldn’t share sensitive data and that Meta’s system is designed to filter out “potentially sensitive data it is able to detect,” spokesperson Emil Vazquez said in an email to Bloomberg Law. “We educate advertisers on properly setting up business tools to prevent this from occurring,” he said.

Google didn’t respond to requests for comment.

Pixels can collect and distribute a variety of personal data, including what someone has typed or purchased on a website, according to the FTC. Pixels are almost undetectable, and pixel tracking “can still occur even if cookies are disabled, as tracking pixels do not always rely on cookies to function,” the FTC notes.

The Information Technology & Innovation Foundation, a non-partisan think tank, argued in a September report that collecting the data doesn’t harm consumer privacy, and that restricting the practice could “lower ad effectiveness at a cost of $33 billion a year to the U.S. economy.”

Spreading Litigation

The number of federal statutes serving as vehicles for pixel-privacy lawsuits is expanding. State privacy laws—like wiretapping protections—are also popular candidates for litigation.

Plaintiffs’ attorneys are also pursuing common law privacy claims where statutes lack a private right of action, namely the Health Insurance Portability and Accountability Act, which establishes health privacy standards for medical providers.

“As a result of this litigation, companies are being way more specific, so that if a consumer reads the privacy policy, then they will have a little more idea of how pixel technology is being used,” said Linn Freedman, a partner at Robinson & Cole LLP and former Rhode Island assistant attorney general.

HIPAA and the Video Privacy Protection Act of 1988, meant to protect disclosure of consumers’ video-viewing histories, have driven the newest wave of privacy cases. Other frequently-litigated statutes included the Computer Fraud and Abuse Act, Federal Wiretap Act, and Driver’s Privacy Protection Act of 1994, Bloomberg Law’s docket analysis found.

The businesses named in the lawsuits range from hospitals and brick-and-mortar retailers to news publications. One of the first cases to allege pixel privacy issues under the VPPA, against the Boston Globe, recently concluded in a $4 million settlement.

Those developments come as counsel adjusts to privacy obligations curtailing the collection of health data and location tracking popping up in states like Washington, Connecticut, and Nevada.

Cases are increasing across industries, indicating a shift in public perspective about which data are truly sensitive, with plaintiffs the most wary of sharing information that they can’t change easily or at all—such as their Social Security numbers and biometric data, said Straite of DiCello Levitt.

Data that the marketing or sales teams consider de-identified and safe to collect may still fall under the purview of one of the statutes, so it’s important that general counsel is consulted whenever a company wants to implement new data-collecting technology, said Molly Arranz, a partner at Amundsen Davis LLC and defense attorney in consumer privacy class actions.

“If a law’s got a statutory amount in it, especially if it’s got attorneys fees that are recoverable, and especially if it’s older and hasn’t been well-developed previously, it’ll be pulled into these sorts of cases,” Arranz said.

She highlighted the California Privacy Rights Act of 2020 as the “north star” for in-house counsel implementing privacy disclosures and obligations at their companies.

Pixel Regulation

Health technology companies GoodRx Holdings Inc. and Betterhelp paid a respective $1.4 million and $7.8 million in fines to the FTC earlier this year, resolving claims the companies shared sensitive user data with third-parties for advertising.

The FTC also sent letters warning against misusing taxpayer data to five major electronic tax-filing services, including Intuit Inc., in the wake of a July congressional report that alleged the tax companies were disclosing the data of millions of taxpayers to big tech.

The consumer protection agency isn’t the only one eyeing health data collection—the US Department of Health and Human Services’ Office for Civil Rights has identified it as an area of concern it’s monitoring.

“When both the FTC and the OCR come out with guidance, general counsel should be looking at that guidance, because it provides some idea of how regulators are looking at this,” Freedman said.

Federal agencies work with limited resources, so when one like the FTC takes a position on pixel privacy, they plan to remain active in that space, Straite said.

The FTC has said that it’s developing rules to protect consumers from “harmful commercial surveillance” over concerns including data retention security and addictive algorithms.

With new regulations coming and litigation risks growing, careful disclosures are in-house counsel’s best line of defense, according to Greenberg Traurig LLP Shareholder Darren Abernethy. Abernethy previously served as senior counsel for TrustArc, a data privacy compliance software company.

“Make sure your privacy policy is descriptive in disclosing all of these things, that’s sort of one of the golden rules here in this space: Do what you say you’re going to do in your privacy policy, or don’t do things that you don’t say you’re going to do in your privacy policy” he said.

“That’s where some companies who got sued have gotten in trouble—not having proper disclosures.”