The use of popular ad-tracking technology has come under recent legal and regulatory scrutiny. Here’s what you need to know.
Meta (Facebook), Google, and other providers of advertising technology are facing legal and regulatory scrutiny over their handling of personal information using pixel technology. Plaintiffs lawyers are bringing lawsuits against not only Meta and Google, but also companies that utilize pixel technology in their websites.
What Is Pixel Technology and Why Is It Used?
Here’s generally how a pixel works:
Once matched, the pixel tallies the visitor’s actions.
The pixel sends this data to the provider.
The provider uses the data to show relevant (targeted) ads.
Many organizations may not be aware of where or how tools such as pixels are being used on their web pages. Often these can be configured and deployed using third-party tools such as Google Tag Manager or another type of service such as a content management system (CMS).
Recent privacy issues stem from the fact that the data collected by ad tracking technologies may sometimes cross into the realm of sensitive data such as personally identifying information (PII) or protected health information (PHI). For example, in tracking visited websites, a pixel might transmit data showing that a user visited the patient portal of a particular health provider. This is further worsened when a user’s identity could be associated using cookies.
Because pixel technology can potentially measure the activity of individuals, it should be used thoughtfully and in consultation with the person or team responsible for your organization’s data privacy. Plaintiffs law firms have begun bringing lawsuits against the ad tech companies themselves (Meta, Google), but they have also brought class action lawsuits against healthcare entities, media companies, and other organizations that use pixel technology in a way that could impact consumers.
In addition to lawsuits, state and federal regulators are beginning to investigate. And at least one large healthcare entity has notified patients of a potential data breach based on use of pixel technology.
Read this article a deeper dive into The Privacy Pitfalls and Security Dangers of Internet Trackers.
Quick facts: what you need to know now
Pixel technologies are offered by many providers and are popular ad-tracking tools.
The use of pixel technology has come under recent legal and regulatory scrutiny due to issues with data privacy.
All organizations using pixel trackers should be thoughtful and purposeful about the use of pixel tracking.
Next Steps for All Pixel Tracking Customers:
Consider removing the pixel technology, keeping in mind it may be within the code on multiple pages of your website:
- If you installed the pixel through another service such as Google Tag Manager, you will need to consult your service’s instructions for removal.
- If you use a third party to manage your website, work with them to remove the code.
Depending on your line of business and the way in which you use pixel technology in your websites, there may be privacy considerations.
- We recommend discussing potential privacy implications with the person or team responsible for your organization’s privacy program.
- If you would like an introduction to a law firm that specializes in data privacy and has experience counseling clients on pixel technology, please email firstname.lastname@example.org or choose a law firm from your Vendor Marketplace in the Policyholder Dashboard.
If your organization determines that the benefits of pixel/ advertising technology outweigh the potential for liability, then we recommend a thoughtful approach to its usage (see recommendations below from Fortalice):
Discover where trackers are deployed. We have identified some situations in which a tracker, or code related to tracking functions, has been deployed on web pages unexpectedly.
Develop a process for vetting and approving the use of tracking and similar technology, including IT Security and Legal in the discussion.
When installing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.
If you have any questions, please reach out to the Risk + Response Team at email@example.com!