<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

12.09.22

Lauren Winchester

Tracking Pixel: Everything You Need To Know

A 1x1 graphic (about the size of a grain of sand) embedded on your screen goes unseen as you catch up on the news, online shop, or browse recipes for dinner inspiration. Powered by a bit of Javascript code, a tracking pixel — found on 30% of the web’s 100,000 most popular destinations — is responsible for the targeted, flashy banner advertisement that’s followed you across your entire digital to-do list.

Controversial usage of pixel technology has brought it into the spotlight, recently necessitating a breach notification to 3 million patients at 26 hospitals throughout the Chicago area. The problem at hand? Personal information is (arguably) being provided to third-party vendors, like Meta and Google, resulting in both regulatory violations and data privacy suits. 

Recent guidance from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) even states: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [Protected Health Information (PHI)] to tracking technology vendors or any other violations of the HIPAA Rules.”

Pixel Technology, Explained:

Many of us are guilty of clicking “Accept Cookies” as quickly as possible to clear a mildly obtrusive website pop-up (we can thank privacy regulations and Acts, like the GDPR and CCPA, for giving us the option to do so). These small files are used by web servers to improve your browsing experience by storing username and passwords, online shopping carts, and other data related to your digital footprint. They also provide information to marketers so they can advertise more things they think you want.

In the past, companies could only identify you by the ID passed along to your browser from first or third-party cookies. With the introduction of pixel tracking technology, it gets a little more complicated. A company’s first party data is shared with third-party vendors, where they create interest-based user profiles that benefit advertisers looking to run targeted campaigns. These vendors, like Google and Facebook, are now getting a more comprehensive understanding of who you are and what you’re doing through your entire browsing journey. 

While this may help market to niche audiences, it also presents a plethora of privacy problems. For example, the Meta pixel knows your name (and other identifiable information) based on matching your digital ID to your Facebook or Instagram account. No profile? No worries; it’s standard practice for Meta to receive a bundle of data linked directly to your IP address. 

LinkedIn and the latest social media behemoth, TikTok, are also driving the pixel tracking phenomenon. Data transmitted back to TikTok, for example, includes IP addresses, your clicks, and what you search. With no clear path for “opting out,” it’s no surprise your targeted ads really seem to get you. 

[BLOG] Small Businesses - How to Improve Your Security on a Budget

The Problem with Pixel

Regulatory Violations

Aside from just the obvious privacy concerns, tracking pixels have been found in places where they shouldn’t be, like password-protected patient portals. That’s why Community Health Network — an Indiana-based healthcare system — recently notified 1.5 million individuals of a data breach. This is a potential violation of HIPAA, the federal law responsible for protecting personal health information, and it’s not an isolated incident. One-third of the top 100 hospitals in the United States sent patient data to a third-party media platform. According to The Markup, data sent to hospitals included full names, descriptions of allergic reactions, and medication details. Search terms, like “pregnancy termination” and “Alzheimer’s,” were also sent as relevant information by pixel. 

OCR has already opened investigations for the Community Health Network and Advocate Aurora Health data breach notifications.

On December 1, 2022, the OCR released guidance to regulated entities on the proper use of tracking technologies, advising they shouldn’t be used “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.” 

According to the OCR, identifying use of tracking technology in a website or app’s privacy policy is not enough. Healthcare entities must also have a business associate agreement (BAA) in place with the tracking technology vendor. In addition, entities must provide breach notification to affected individuals of an impermissible disclosure of PHI to a tracking technology vendor when there was no permission to disclose PHI and no BAA with the vendor. OCR stated there is a presumption of a breach unless the entity can demonstrate a low probability that the PHI has been compromised.

Privacy Class Actions

Over the past six months, a growing number of privacy class actions have hit Meta (as well as companies and healthcare entities using tracking technology), claiming that pixel is improperly collecting sensitive patient information without proper disclosure to patients. Earlier this year, Boston-based Mass General Brigham agreed to pay $18 million to settle a class action suit over their use of tracking tools (including Meta pixel), but denied any wrongdoing. Facebook argues that sensitive information is filtered out from their data and not used for marketing purposes, but several class action suits specifically reference advertisements targeted to the plaintiffs’ medical conditions.

Not Just Healthcare

While the potential collection of healthcare data by tracking technology vendors without consent and BAAs is understandably the leading story related to pixel tracking, all industries should be mindful of how they approach use of this technology. Since February, 47 proposed class actions allege that Meta pixel sent video consumption data from online platforms to Facebook without user consent, in violation of the Video Privacy Protection Act. Five states—California, Colorado, Connecticut, Utah, and Virginia—have enacted comprehensive consumer data privacy laws, and more state legislatures are expected to follow suit. Companies with an international footprint must also be mindful of the General Data Protection Regulation (GDPR) in Europe.

Next Steps for All Organizations

Organizations should review their websites for code relating to tracking technologies and determine if the technology is even being used from a marketing standpoint. If it’s not being used, remove the code while keeping in mind the following:

  • If you installed the pixel by placing JavaScript code on the header of your website, you can remove it by deleting the pixel’s base code from the pages of your site where the pixel is deployed. 

  • If you installed the pixel through another service such as Google Tag Manager, you will need to consult your service’s instructions for removal.

  • If you use a third party to manage your website, work with them to remove the code.

If your organization determines that use of tracking technologies is beneficial from a marketing standpoint, evaluate whether the benefits outweigh the regulatory or litigation risks (which could be the case for some industries). If the benefits of use outweigh the potential for liability, then we recommend a thoughtful approach to its usage (see recommendations below from Fortalice).

  • Discover where trackers are deployed. We have identified some situations in which a tracker, or code related to tracking functions, has been deployed on web pages unexpectedly. 

  • Develop a process for vetting and approving the use of tracking and similar technology, including IT Security and Legal in the discussion.

  • When installing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.

  • Ensure your website and app Privacy Policy clearly explains the use of tracking technology, and where required, provide a means for users to “opt-out” of tracking.

If your organization is a HIPAA covered entity or business associate, even if you derive some benefit from using this technology, strongly consider removing tracking technology code if you cannot obtain a BAA with the vendor. The risks of use without a BAA likely outweigh any benefit to your organization.  

How We're Working with Policyholders

We believe in a proactive approach throughout the entire policy period. With our non-invasive Corvus Scan, we’re able to view an organization’s public-facing web infrastructure, software vulnerabilities, and in this case, use of pixel tracking technology. Our Risk + Response team keeps a watchful eye on the evolving legal and regulatory landscape, so we promptly sent an advisory to all policyholders with websites utilizing pixel technology to provide next steps and guidance.

Any companies unsure of how best to proceed should start by consulting with privacy counsel. If you’re a Corvus policyholder, we can connect you for an initial free consultation.

This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.

[RELATED POST] The Privacy Problem: A Conversation on Pixel Tracking with Experts from BakerHostetler

The Privacy Problem: A Conversation on Pixel Tracking with Experts from BakerHostetler

On January 5th, we hosted a webinar with Lynn Sessions and Paul Karlsgodt of BakerHostetler to discuss pixel tracking technology, the culprit behind the latest ad tech litigation and regulatory trend. Below is an exploration of prior and current website tracking litigation, and how it may impact non-regulated industries. 

[RELATED POST] Insurance’s Watershed: Lean Into Cyber, or Fade into Irrelevance

Insurance’s Watershed: Lean Into Cyber, or Fade into Irrelevance

At its best, insurance helps businesses manage and mitigate the risks they worry about most, and helps make everyone safer along the way. The data insurers have on effective interventions — and the lever of pricing to guide policyholders’ actions — are a powerful combination. Over time, the insurance industry has helped make buildings, work sites, and transportation safer – the key uncertainties people cared about.