Pixel Advisory | November 2022

The use of popular ad-tracking technology has come under recent legal and regulatory scrutiny. Here’s what you need to know.

Background

Meta (Facebook), Google, and other providers of advertising technology are facing legal and regulatory scrutiny over their handling of personal information using pixel technology. Plaintiffs lawyers are bringing lawsuits against not only Meta and Google, but also companies that utilize pixel technology in their websites.

What Is Pixel Technology and Why Is It Used?

Pixel technology is an advertising analytics tool which tracks user activity to include what pages are visited, which links are clicked, purchases made, and data entered. The popular tool is a snippet of JavaScript code embedded on the backend of a website. It measures activities, tracks and seeks to identify users through cookies, then sends the data to the ad tech provider (such as Meta or Google). Organizations utilizing the pixel benefit by being able to track website traffic and measure the effectiveness of advertising campaigns. The provider (Meta or Google) likewise gains by using collected information in its own advertising. The pixel gets its name from the fact that its embedded code displays a 1x1 pixel graphic, so tiny that nothing appears to a user.

Here’s generally how a pixel works:

JavaScript code loads a small library of functions.
Functions use cookies to match website visitors to prior browsing activities and browsing data which can include things such as purchases, clicks, social media accounts, etc.
Once matched, the pixel tallies the visitor’s actions.
This data ties back to the specific pixel identifier embedded in the JavaScript code.
The pixel sends this data to the provider.
The provider uses the data to show relevant (targeted) ads.

[CYBERSECURITY DIAGRAM] Third-party Cookie Retargeting

Many organizations may not be aware of where or how tools such as pixels are being used on their web pages. Often these can be configured and deployed using third-party tools such as Google Tag Manager or another type of service such as a content management system (CMS).

Potential Impact

Recent privacy issues stem from the fact that the data collected by ad tracking technologies may sometimes cross into the realm of sensitive data such as personally identifying information (PII) or protected health information (PHI). For example, in tracking visited websites, a pixel might transmit data showing that a user visited the patient portal of a particular health provider. This is further worsened when a user’s identity could be associated using cookies.

Because pixel technology can potentially measure the activity of individuals, it should be used thoughtfully and in consultation with the person or team responsible for your organization’s data privacy. Plaintiffs law firms have begun bringing lawsuits against the ad tech companies themselves (Meta, Google), but they have also brought class action lawsuits against healthcare entities, media companies, and other organizations that use pixel technology in a way that could impact consumers.

In addition to lawsuits, state and federal regulators are beginning to investigate. And at least one large healthcare entity has notified patients of a potential data breach based on use of pixel technology.

Read this article a deeper dive into The Privacy Pitfalls and Security Dangers of Internet Trackers.

Quick facts: what you need to know now

Pixel technologies are offered by many providers and are popular ad-tracking tools.
The use of pixel technology has come under recent legal and regulatory scrutiny due to issues with data privacy.
All organizations using pixel trackers should be thoughtful and purposeful about the use of pixel tracking.

Next Steps for All Pixel Tracking Customers:

Consider removing the pixel technology, keeping in mind it may be within the code on multiple pages of your website:

1. If you installed the pixel by placing JavaScript code on the header of your website, you can remove it by deleting the pixel’s base code from the pages of your site where the pixel is deployed.
2. If you installed the pixel through another service such as Google Tag Manager, you will need to consult your service’s instructions for removal.
3. If you use a third party to manage your website, work with them to remove the code.
Depending on your line of business and the way in which you use pixel technology in your websites, there may be privacy considerations.
1. We recommend discussing potential privacy implications with the person or team responsible for your organization’s privacy program.
2. If you would like an introduction to a law firm that specializes in data privacy and has experience counseling clients on pixel technology, please email services@corvusinsurance.com or choose a law firm from your Vendor Marketplace in the Policyholder Dashboard.

If your organization determines that the benefits of pixel/ advertising technology outweigh the potential for liability, then we recommend a thoughtful approach to its usage (see recommendations below from Fortalice):

Discover where trackers are deployed. We have identified some situations in which a tracker, or code related to tracking functions, has been deployed on web pages unexpectedly.
Develop a process for vetting and approving the use of tracking and similar technology, including IT Security and Legal in the discussion.
When installing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.
Ensure your Privacy Policy clearly explains the use of tracking technology, and where required, provide a means for users to “opt-out” of tracking.

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!

Resources