On January 5th, we hosted a webinar with Lynn Sessions and Paul Karlsgodt of BakerHostetler to discuss pixel tracking technology, the culprit behind the latest ad tech litigation and regulatory trend. Below isan exploration of prior and current website tracking litigation, and how it may impact non-regulated industries.
Lynn has handled over 800 healthcare data breaches, including several of the largest breaches reported to date. She provides counsel to healthcare providers and other covered entities (as well as business associates) on breach analysis, breach response, crisis management with patients, media and employees, and regulatory notification obligations to the Office for Civil Rights (OCR).
Paul Karlsgodt, Partner, BakerHostetler
Paul has served as lead defense counsel in class actions arising from many of the largest healthcare and payment card breaches in history. He currently serves as the leader of BakerHostetler’s Privacy and Digital Risk Class Action and Litigation team.
What's the big deal with pixel tech?
Ad tracking technology isn’t anything new. Businesses and marketers have been using browsing data for years to better understand consumer behavior and personalize the user experience. But a differentiator we’re seeing with Meta pixel (as well as other related technologies) is that users are identifiable by a digital ID that matches them to their personal Facebook or Instagram account when logged in. Which means third-party vendors, like Facebook or TikTok, are receiving far more personal information than what’s traditionally shared through browser cookies.
TheMarkup, an investigative outlet dedicated to big tech, jump-started the most recent trend of ad tracking litigation when they exposed the scale of information sent from hospital websites to Facebook through pixel technology. Exposés on the relationship between this technology and other industries with sensitive data, like higher education, weren’t far behind.
At the time of TheMarkup’s reporting, 33 of the top 100 hospitals in the United States were found to be using pixel technology. Outside of the healthcare industry, 30 percent of the top 100,000 websites featured pixel technology. Its usage is so expansive that some organizations have discovered it embedded on their website without any knowledge of why it’s there, left behind by employees or agencies that have come and gone.
“A lot of clients don’t know they have pixel, or it isn’t even being used for targeted marketing. But regardless of whether you’re using it or not, it’s instructing the user’s browser to send information to a third party just by existing,” says Paul Karlsgodt, who specializes as defense counsel in class action lawsuits stemming from data breaches.
Third-party vendors are receiving a variety of information — from IP addresses to information filled out in a form (allegedly) — and no one is sure what they’re doing with it. Meta claims a form of cryptography obscures this data, but this doesn’t prevent it from being linked to a user’s personal Facebook account and used for targeted ads.
To summarize, this tiny snippet of code has big implications for the websites that use it.
Website tracking litigation is evolving
For years, lawyers have tried to make successful cases in court against ad-tracking technology. In a country with few federal privacy protections, this has proven challenging. Early attempts typically centered around the Video Privacy Protection Act (VPPA), a law passed in 1988 after a Supreme Court nominee’s video rental history was leaked during the nomination process. The VPPA states that personally identifiable information regarding video purchases cannot be shared with anyone without the consent of the consumer.
An obvious caveat is that this law was introduced in the era of VHS tapes, not digital streaming services. Technology has a way of complicating things. A 2014 case claimed that Hulu violated the VPPA by sharing viewing history and personal information to Facebook. But without substantial proof that Hulu knew Facebook was combining the identity of Hulu users with the videos that they were watching, the case was dismissed.
On the healthcare front, this isn’t net new litigation either.
“Seven or eight years ago, there was a case against Facebook and hospital systems. The allegations were similar to what we’re seeing now, which is if you search for a medical condition, that information is sent to Facebook. But that case was dismissed, and the 9th circuit upheld it,” Karlsgodt says. “It looked like that wave of litigation, like the VPPA litigation, would go away. But over the past 5 or so years, we saw a dozen cases brought against hospital systems related to tracking systems. Then we hit this summer...”
We’re only at the beginning. Since the Markup’s article, there has been an eruption of cases, mainly tied to healthcare entities, but all industries should be prepared to at least start drafting updated privacy policies. For context of the sheer scale, BakerHostetler is handling 26 class action lawsuits alone, which is only a fraction of cases surfacing today.
A perfect storm to stir privacy concerns
The same week that the TheMarkup article dropped — which critically states Meta pixel makes it easier to identify patients — Roe v. Wade was overturned.
“It had a significant impact for a lot of our clients from a privacy standpoint,” says Lynn Sessions, a lawyer with extensive experience working with healthcare providers. “Think about [the] potential consequences of a woman seeking reproductive care in a state other than her own, and her movement being tracked on a hospital’s website. That is what I think is fueling a lot of the guidance coming from the government.”
The reveal that healthcare websites feature various tracking technologies put potential HIPAA violations in flashing, neon lights. This, and the consequential timing, led to an understandable media frenzy all about pixel.
While healthcare has the greatest reason for concern right now (in response to strict OCR guidelines and existing litigation), the risk for privacy litigation extends beyond the most obvious corners of regulated industries. People are worried about how their data is being used; organizations of all sizes and sectors should consider how they can take a more mindful approach.
What can organizations outside of regulated industries do to limit risk?
Determine the risk-benefit of ad-tracking technologies.
Is the return on investment high enough that it warrants the risk? If not, it may be time to reconsider your usage. Revisit this analysis at least quarterly, as the litigation landscape is rapidly changing.
Put a governance process in place that includes marketing, privacy, IT, and your legal department.
When one hand doesn’t know what the other is doing, your organization cannot properly assess risk. All parties being adequately informed and aligned reduces the odds that you’re implementing any of these technologies in places they shouldn’t be, like form pages.
Include notice of the tracking technologies that you’re using, and explicitly share how you’re using them.
For more information on pixel, you can watch thefull webinar here. Check back in soon for the next edition of our pixel conversation, which will focus on the regulatory landscape.