By and , of Brownstein Hyatt Farber Schreck, LLP
While privacy is not a new legal concept, lawsuits against companies with websites and apps that collect data have never been more prevalent.
Tracking technologies like Meta’s Pixel or Google Analytics are some of the fastest-growing targets of international, federal and state enforcement as well as the plaintiffs’ bar. Used in most websites and apps for analytical and marketing purposes, companies that install these tools are normally not aware of the extent of data collection from these tools, especially if they accept the default configurations. Companies are more focused on the output from these tools to drive their analysis and marketing efforts. Also, your marketing team may be customizing these tools after installation to expand data collection without consulting privacy counsel. Recently, congressional Democrats asked the Department of Justice to investigate a group of tax prep companies for sharing “reams” of taxpayer data with Google and Meta, two of the biggest names in Big Tech. And before that, Meta was already facing scrutiny after a report last summer found its tracking program was used on hundreds of hospital websites, collecting patient data potentially in violation of federal health care privacy law.
Countless lawsuits are being filed in multiple states going after companies for their use of these tracking programs. Meanwhile, state attorneys general are launching investigations, and federal agencies are warning health care providers that if they use these tracking technologies, they may be in danger of HIPAA violations.
These lawsuits and investigations are a great reminder that privacy standards require companies to do more than understand data collected directly from consumers—they need to be concerned with what others do with data that they collect as well as understanding how their internal product and marketing teams are configuring these tools. All too often, marketing and product teams are only considering the end aggregated results without consideration of the data elements being collected to generate those results. Compounding this issue is a preconceived notion of which data elements are personal information. With the onset of new state privacy laws, the definition of personal information goes well beyond Social Security numbers, driver’s license numbers and financial account information. It is now easy for these analytical tools to snag “personal information.” For example, a browser’s IP address can be considered personal information.
What is a tracking pixel?
A tracking pixel executes a snippet of JavaScript that is loaded when a user visits a website, opens an email or otherwise engages in online activities. It allows the company using the code snippet to keep track of user behavior, web traffic, purchase conversions and numerous other metrics. They allow a company to retarget a particular customer with products. Many companies view this information as critical in converting consumers to purchasers. However, many companies may not even be aware that they are using tracking pixels and may not be accounting for them.
Most of these tracking technologies are available for free. It can be added to a company’s website by a developer or through a partner integration. If trackers are not configured correctly, they may not only be collecting user data but could also be sharing the data. In 2018, Meta reported to Congress that there were more than 2 million tracking pixels across the World Wide Web, but that number has grown significantly in the past five years.
The Lawsuits
In 2022, plaintiffs’ attorneys were focusing their lawsuits on health care companies that were incidentally sharing information about patients by using the pixel code. Health care providers were targeted in numerous class actions alleging the unauthorized disclosure of personally identifiable information (PII) and personal health information (PHI), and seeking civil damages for each disclosure.
At least one of these actions, involving Mass General Brigham, resulted in a class settlement of $18.4 million. This settlement, along with other actions, resulted in the Department of Health and Human Services in December 2022 updating its guidance on using tracking technologies. Specifically, the guidance said: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” And Washington state’s My Health My Data Act, which includes a private right of actions, has greatly broadened the definition of health data. Under the Washington act, consumer health data “means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
However, the lawsuits have gone well beyond health care. In January 2023, Chick-fil-A was sued in northern California for sharing data through Meta Pixel. Similar lawsuits have been filed against companies like iHeartMedia, Bass Pro Shops, H&R Block, Tax Slayer and Lee Enterprises, Inc. We are aware of numerous other demand letters that are not public, but this area is getting significant attention. Along those lines, state attorneys general are starting to investigate various companies and industries for their use of tracking pixels.
The Nature of the Claims
Many of these cases allege a violation of the Video Privacy Protection Act of 1988 (VPPA) by use of the Meta Pixel. The VPPA is a federal law that prohibits videotape service providers from “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider… .” Personally identifiable information is defined in the VPPA as “includ[ing] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” According to the VPPA, a “video services provider” is defined as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials …,” which has been interpreted in court cases as extending to websites streaming online video.
In 2013, Congress amended the VPPA to provide that disclosure of consumer data to third parties was not wrongful if the consumer elected to give informed, written consent in a form that is distinct and separate from any form setting forth other legal or financial obligations of the consumer at the time the disclosure is sought, or in advance for a set period of up to two years. There are further exceptions, including providing the consumer with the opportunity, in a clear and conspicuous manner, to prohibit the disclosure. Many states have created their own versions.
However, the claims are also frequently in violation of state and federal wiretap laws, invasions of privacy, eavesdropping, criminal manufacturing of spying devices as well as various other consumer protection statutes. Violation of some of these statutes carries fines on a per-violation basis, and many of these statutes also provide for the award of attorneys’ fees.
Courts are currently grappling with some of these issues. For example, in Stoudemire et. al v. Lee Enterprises, Inc., a U.S. District Court judge in Iowa denied Lee Enterprises’ motion to dismiss on July 20, 2023. In the U.S. District Court for the Northern District of California, Meta Platforms, Inc. filed its motion to dismiss on July 27, 2023, in response to a consolidated class action complaint.
As many states implement their new privacy laws this year, more and more businesses will be including pop-ups on websites asking customers whether they want to allow cookies or other tracking technology to be used while they visit a site. However, companies need to have policies in place to know where and how the data is being shared.
Successful Motion to Dismiss
On Sept. 27, 2023, the Southern District of New York dismissed a class action brought by plaintiffs who viewed NFL videos because the plaintiffs who subscribed to a newsletter were not consumers under the VPPA. Although courts have held that subscribers are consumers under the VPPA, Judge Carter wrote that plaintiffs’ “viewing of public content on the provider’s website is not enough to qualify as a consumer under the VPPA.” Notably, although plaintiffs in the health care-related suits have been given a chance to amend their complaints, in this case, the plaintiffs were denied leave to amend their complaint. This case turned on the facts, one of which was that the defendants had shared PII in violation of the VPPA. It appears that only the consumer factor saved the defendants.
Next Steps
- Don’t ignore this issue. Lack of knowledge may provide fodder for a legal defense, but lawsuits are still costly and time-consuming.
- Use a tool to assess whether your website uses tracking pixels. Because Meta Pixel can be set up through a Meta Events Manager or manually, ask your website developer or your webmaster to review your webpage html to look for the function calls to your analytical tools such as Meta Pixel or Google Analytics. If you have an app, also review the app. And as long as you are having your team do this analysis, you may also want to ask them to do a cookie analysis to determine what cookies are being set by your code for a full data risk profile and then adjust your cookie preference manager accordingly.
- Review your agreements with third-party plugins and transactional partners.
- Work with privacy counsel to make sure that your privacy policy data collection and use sections match your webpage reality. If you have a separate cookie statement, make sure that matches your cookie reality.
- Consider removing the pixels. In recent weeks, multiple companies looking into this issue have realized that they do not need the tracking pixels as they are not essential to their business.