Are Website Trackers and Pixels Exploiting Your Customers’ Privacy?
Companies are facing legal action for violating the privacy of millions, or even billions, of web users. Some companies aren’t even aware of these violations. Here’s what you can do to protect your company -- and your customers -- from illegal data collection on your website.
- By Ian Cohen
- October 24, 2022
We’ve seen numerous lawsuits in the last month alleging major privacy violations for millions of people related to website trackers and pixels (tiny bits of code that collect information about a website’s users). First, it was Facebook’s parent company, Meta, which has been slapped with a class-action lawsuit related to the unauthorized collection and sharing of sensitive health data using the Meta pixel, often without patient consent.
A second class-action lawsuit quickly followed, this time against The UCSF Medical Center and San Francisco–based Dignity Health for placing the Meta pixel on their websites, which allowed the unauthorized tracking of patient health data. One complaint alleges more than 600 hospitals or medical providers deploy the tracking technology and may be sharing personal health information (PHI), which is protected by HIPAA, with Facebook. It is likely that these hospitals weren’t aware of what the pixel was doing.
What This Means for Consumers
Although Facebook and Oracle are the targets of these initial lawsuits, other social media sites that use pixels (such as Twitter, TikTok, Snapchat, and LinkedIn) function similarly.
For example, when a company installs a social media pixel on its website, it is enabling the collection and combination of information found on the users’ social profiles (demographic data, interests/topics followed, topics posted about, etc.) with behavioral data gathered from the users’ interactions with that company’s website.
Let’s use the hospital and Meta pixel example. The Meta pixel can collect and send the following information back to Facebook and its advertising partners:
- The user typed “brain tumor treatments” into the hospital website’s search bar
- The user spent over an hour on the hospital website viewing pages related to treatment options for brain tumors
- The user completed an appointment request form from the web page related to brain tumors
- The user searched for a list of medications and their side effects
Additionally, if the user is simultaneously logged into the social media site with a tracker on the web page of the hospital, they are no longer anonymous -- they are linked to their social media account and everything that platform knows about them. Collecting that information and using it for targeting purposes could be a violation of privacy laws. It’s certainly a violation of commonsense web hygiene and user trust perpetrated by the social media companies.
Beyond the big social media companies, there are hundreds of other data brokers competing to get their hands on your data. Though this tracking produces annoying and often creepy ad tracking and spam, there are far more serious issues to consider.
The True Scale of Tracking
LOKKER (the company I founded and lead) wanted to better understand the true scale of how many healthcare providers and financial services companies are using these pixels because they both deal with sensitive, protected data. We scanned more than 5,000 U.S.-based healthcare and hospital sites and 3,500 financial services websites and found pixel use shown below:
[Chart: Percent of Healthcare and Hospital Websites Using]
[Chart: Percent of Financial Services Websites Using]
The scope and scale of these trackers extend far beyond what has been identified in the initial lawsuits.
Why Is This Happening?
From the consumer side, we’re seeing an uptick in legal action because people feel violated. Beyond the annoyance of spam and creepy ads, there are serious consequences to oversharing this data including ID theft, phishing attacks, and simply not knowing who else has access to this data (from thieves to hostile nation states).
From the company side, without the right tools it can be nearly impossible to manage all the trackers and data sharing that’s happening. Many times, website functionality is built by an outside agency or by a marketing team that doesn’t fully understand the privacy ramifications of the trackers and cloud software. Also, web design and construction are implemented outside the purview of the privacy specialists.
Beyond that, and perhaps more concerning, much of the third-party software used to build websites and measure their performance itself relies on third-party software. These fourth parties use other software, which then become fifth parties, and so on. We’ve seen this chain go over 20 layers deep, so the oversharing grows exponentially and is therefore increasingly difficult to manage.
Protect Your Company and Your Customers
Depending on where a company operates, it may have to comply with a patchwork of state, federal, and international laws. The smartest way to stay in compliance is to tackle the problem at the source by tracking only what you need.
- Treat each tag you place on the site as a potentially harmful asset and assign a business owner to that tag.
- Retire trackers on a regular cadence. We often see trackers that are many years old. They are still collecting your users’ data.
- Publish a full readout of all your trackers once a week.
- Be careful about any third-party assets on pages that collect form data. This is where we see companies getting into the most trouble.
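One way to produce the tracker readout described in the list above, as an added example that is not LOKKER's tooling or code from the original article: it inventories third-party script, image, and iframe hosts per page, checks each against a tag-owner register, and puts unowned tags on form pages first. The hostnames, owner names, and sample pages are constructed, and a static parse like this sees only tags present in the delivered HTML, not assets that other scripts load at run time.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed tag register: third-party host -> business owner (hypothetical).
TAG_OWNERS = {"cdn.analytics.example": "marketing-ops"}

# Constructed sample pages for a hypothetical site, hospital.example.
SAMPLE_PAGES = {
    "/appointments": '<form action="/book"><input name="condition"></form>'
                     '<script src="https://pixel.social.example/p.js"></script>'
                     '<script src="/static/app.js"></script>',
    "/about": '<img src="//cdn.analytics.example/1.gif">'
              '<script src="https://www.hospital.example/a.js"></script>',
}

class AssetInventory(HTMLParser):
    """Collects third-party asset hosts and notes whether the page has a form."""
    LOADING_TAGS = {"script", "img", "iframe"}

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.third_party = set()
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        url = dict(attrs).get("src") if tag in self.LOADING_TAGS else None
        host = urlparse(url).hostname if url else None
        # Relative URLs have no hostname and count as first party.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            self.third_party.add(host)

def audit_page(site_host, path, html):
    inv = AssetInventory(site_host)
    inv.feed(html)
    return [{"page": path, "host": h, "owner": TAG_OWNERS.get(h),
             "unowned": h not in TAG_OWNERS, "on_form_page": inv.has_form}
            for h in sorted(inv.third_party)]

def weekly_readout(site_host, pages):
    rows = [r for path, html in pages.items() for r in audit_page(site_host, path, html)]
    # Highest risk first: unowned tags on pages that collect form data.
    rows.sort(key=lambda r: (not (r["unowned"] and r["on_form_page"]), r["page"], r["host"]))
    return rows

if __name__ == "__main__":
    for row in weekly_readout("hospital.example", SAMPLE_PAGES):
        print(row)
```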
Companies should treat every browser as an endpoint. On average, more than 70 percent of the code loaded into our browsers comes from third parties rather than from the sites we visit. Moreover, the enterprises operating these websites are unable to see most of this activity, let alone control it.
It’s important for organizations to invest in web privacy tools that work for both marketing and privacy professionals. They should provide complete visibility and control over unauthorized web applications and automatically block data from being shared with unauthorized third, fourth, and Nth parties. Moreover, they should do this without negatively impacting the web user experience.