Controversial usage of pixel technology has brought it into the spotlight, recently necessitating a breach notification to 3 million patients at 26 hospitals throughout the Chicago area. The problem at hand? Personal information and sensitive data are (arguably) being provided to third-party vendors, like Meta and Google, resulting in both regulatory violations and data privacy suits.
Recent guidance from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) even states: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [Protected Health Information (PHI)] to tracking technology vendors or any other violations of the HIPAA Rules.”
Pixel Technology, Explained:
Many of us are guilty of clicking “Accept Cookies” as quickly as possible to clear a mildly obtrusive website pop-up (we can thank privacy regulations and Acts, like the GDPR and CCPA, for giving us the option to do so). These small files are used by web servers for data collection to improve your browsing experience by storing username and passwords, online shopping carts, and other types of data related to your digital footprint. They also provide information to marketers so they can advertise more products and services they think you want.
In the past, companies could only identify you by the ID passed along to your browser from first or third-party cookies. With the introduction of pixel tracking technology, it gets a little more complicated. A company’s first party data is shared with third-party vendors, where they create interest-based user profiles that benefit advertisers looking to run targeted campaigns using customer data. These vendors, like Google and Facebook, are now getting a more comprehensive understanding of who you are and what you’re doing through your entire browsing journey.
While this may help market to niche audiences and data subjects, it also presents a plethora of privacy problems. For example, the Meta pixel knows your name, and other Personally Identifiable Information (PII), based on matching your digital ID to your Facebook or Instagram account. No profile? No worries; it’s standard practice for Meta to receive a bundle of data linked directly to your IP address.
LinkedIn and the latest social media behemoth, TikTok, are also driving the pixel tracking phenomenon. Data transmitted back to TikTok, for example, includes IP addresses, your clicks, and what you search. With no clear path for “opting out,” it’s no surprise your targeted ads really seem to get you.
The Problem with Pixel
Aside from the obvious privacy concerns, tracking pixels have been found in places where they shouldn’t be, like password-protected patient portals. That’s why Community Health Network — an Indiana-based healthcare system — recently notified 1.5 million individuals of a data breach. This is a potential violation of HIPAA, the federal law responsible for protecting personal health information, and it’s not an isolated incident. One-third of the top 100 hospitals in the United States sent patient data to a third-party media platform. According to The Markup, the data sent from hospitals included full names, descriptions of allergic reactions, and medication details. Search terms, like “pregnancy termination” and “Alzheimer’s,” were also transmitted by the pixel.
OCR has already opened investigations for the Community Health Network and Advocate Aurora Health data breach notifications.
On December 1, 2022, the OCR released guidance to regulated entities on the proper use of tracking technologies, advising they shouldn’t be used “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”
Privacy Class Actions
Over the past six months, a growing number of privacy class actions have hit Meta (as well as companies and healthcare entities using tracking technology), claiming that the pixel is improperly collecting sensitive patient information without proper disclosure to patients. Earlier this year, Boston-based Mass General Brigham agreed to pay $18 million to settle a class action suit over their use of tracking tools (including the Meta pixel), but denied any wrongdoing. Facebook argues that sensitive information is filtered out of its data and not used for marketing purposes, but several class action suits specifically reference advertisements targeted to the plaintiffs’ medical conditions.
Not Just Healthcare
While the potential collection of healthcare data by tracking technology vendors without consent and BAAs is understandably the leading story related to pixel tracking, all industries should be mindful of how they approach the use of this technology in regard to data privacy compliance. Since February, 47 proposed class actions allege that Meta pixel sent video consumption data from online platforms to Facebook without user consent, in violation of the Video Privacy Protection Act. Five states—California, Colorado, Connecticut, Utah, and Virginia—have enacted comprehensive consumer data security and privacy laws, and more state legislatures are expected to follow suit. Companies with an international footprint must also be mindful of the General Data Protection Regulation (GDPR) in Europe.
Next Steps for All Organizations
Organizations should review their websites for code relating to tracking technologies and determine if the technology is even being used from a marketing standpoint. If it’s not being used, remove the code while keeping in mind the following:
Google Tag Manager
If you installed the pixel through another service such as Google Tag Manager, you will need to consult your service’s instructions for removal.
If you use a third-party to manage your website, work with them to remove the code.
If your organization determines that use of tracking technologies is beneficial from a marketing standpoint, evaluate whether the benefits outweigh the regulatory or litigation risks (which could be the case for some industries). If the benefits of use outweigh the potential for liability, then we recommend a thoughtful approach to its usage (see recommendations below from Fortalice).
Discover where trackers are deployed
We have identified some situations in which a tracker, or code related to tracking functions, has been deployed on web pages unexpectedly.
Develop a process for vetting and approving the use of tracking and similar technology
Include IT Security and Legal in the discussion.
When installing and configuring tracking technology, run tests that emulate common website activities
Ensure only data appropriate for the task is collected and transmitted.
Provide a means for users to opt out of tracking where and when required.
If your organization is a HIPAA-covered entity or business associate, even if you derive some benefit from using this technology, strongly consider removing tracking technology code if you cannot obtain a BAA with the vendor. The risks of use without a BAA likely outweigh any benefit to your organization.
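To make the first two recommendations above concrete (discover where trackers are deployed, and test that only appropriate data is transmitted), here is an added example of a small audit script. It is not code from the original article or from Fortalice or Corvus. It assumes you have already fetched your site’s HTML pages and exported the outbound requests your browser made to tracker endpoints (for example from a HAR file); both inputs here are constructed samples embedded inline. The tracker signatures, the list of sensitive path prefixes and the list of sensitive terms are illustrative and should be tuned to your own site and vendors.

```python
import re
from urllib.parse import urlparse, parse_qs

# Illustrative signatures for common tracking snippets (script hosts and the
# global function each snippet defines). Extend for the vendors you use.
TRACKER_SIGNATURES = {
    "Meta pixel": [r"connect\.facebook\.net/\S*fbevents\.js", r"\bfbq\(\s*['\"]init['\"]"],
    "TikTok pixel": [r"analytics\.tiktok\.com/i18n/pixel", r"\bttq\.load\("],
    "Google tag": [r"googletagmanager\.com/gtm\.js", r"\bgtag\(\s*['\"]config['\"]"],
    "LinkedIn insight": [r"snap\.licdn\.com/li\.lms-analytics/insight\.min\.js"],
}

# Hypothetical policy: authenticated or health-related paths must never load a
# third-party tracker, so any hit there is reported as high severity.
SENSITIVE_PATH_PREFIXES = ("/patient-portal", "/mychart", "/appointments")

# Hypothetical terms that should never appear in data sent to a tracker.
SENSITIVE_PARAM_TERMS = ("diagnosis", "medication", "allerg", "pregnan", "alzheimer")


def find_trackers(html):
    """Return the names of every tracker whose signature appears in the page."""
    return [name for name, patterns in TRACKER_SIGNATURES.items()
            if any(re.search(p, html, re.IGNORECASE) for p in patterns)]


def audit_pages(pages):
    """pages maps a URL path to its HTML. Returns one finding per page that loads a tracker."""
    findings = []
    for path, html in pages.items():
        trackers = find_trackers(html)
        if not trackers:
            continue
        severity = "high" if path.startswith(SENSITIVE_PATH_PREFIXES) else "review"
        findings.append({"path": path, "trackers": trackers, "severity": severity})
    return findings


def audit_requests(urls):
    """urls are captured outbound tracker requests. Flags any query parameter
    (including the embedded page URL the pixel reports) that carries a sensitive term."""
    flagged = []
    for url in urls:
        parsed = urlparse(url)
        for key, values in parse_qs(parsed.query).items():
            for value in values:
                if any(term in value.lower() for term in SENSITIVE_PARAM_TERMS):
                    flagged.append({"host": parsed.netloc, "param": key, "value": value})
    return flagged


# Constructed sample pages: a public home page with the Meta pixel, a clean
# contact page, and a patient-portal page that unexpectedly loads two trackers.
SAMPLE_PAGES = {
    "/": "<html><head><script>fbq('init', '000000000000000'); fbq('track', 'PageView');"
         "</script><script async src='https://connect.facebook.net/en_US/fbevents.js'>"
         "</script></head><body>Welcome</body></html>",
    "/contact": "<html><body><form action='/contact'>...</form></body></html>",
    "/patient-portal/messages": "<html><head>"
         "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER'></script>"
         "<script>fbq('init', '000000000000000');</script></head><body>Inbox</body></html>",
}

# Constructed sample of outbound tracker requests (what a HAR export would show).
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
    "&dl=https%3A%2F%2Fhospital.example%2Fsearch%3Fq%3Dpregnancy%2Btermination",
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
    "&dl=https%3A%2F%2Fhospital.example%2Flocations",
    "https://www.facebook.com/tr/?id=000000000000000&ev=Search"
    "&cd[search_string]=Alzheimer%27s",
]


if __name__ == "__main__":
    for finding in audit_pages(SAMPLE_PAGES):
        print(f"[{finding['severity']}] {finding['path']} loads {', '.join(finding['trackers'])}")
    for hit in audit_requests(SAMPLE_REQUESTS):
        print(f"[data] {hit['host']} received {hit['param']}={hit['value']!r}")
```

Run against real inputs, the page audit answers “where are trackers deployed” (and highlights any on authenticated paths), while the request audit is the test step: replay common site activities such as a symptom search in a browser with network capture on, then feed the captured tracker requests through it to see exactly what left the site. Note that the Meta pixel reports the full page URL in the dl parameter, so search terms in your own URLs reach the vendor even when no custom data is sent.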
How We're Working with Policyholders
We believe in a proactive approach throughout the entire policy period. With our non-invasive Corvus Scan, we’re able to view an organization’s public-facing web infrastructure, software vulnerabilities, and in this case, use of pixel tracking technology. Our Risk + Response team keeps a watchful eye on the evolving legal and regulatory landscape, so we promptly sent an advisory to all policyholders with websites utilizing pixel technology to provide next steps and guidance.
Any companies unsure of how best to proceed should start by consulting with privacy counsel. If you’re a Corvus policyholder, we can connect you for an initial free consultation.
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.