Blog Post

Q&A: Pixel Tracking Sparks Litigation Under Unexpected Laws

Downtown

Andrew, pixel tracking matters have been a significant focus area for you over the last year. Can you provide some context around this new trend in U.S. data privacy enforcement?

Yes. There have been dozens of lawsuits filed in the last year dealing with data privacy violations around the use of advertising tracking, as well as some very high-profile Federal Trade Commission actions. Our team has worked with clients on more than 25 of these matters to date, and from what we’re seeing, I expect this to be a continuing upward trend in both civil litigation and regulatory enforcement.

For background, advertising analytics trackers and pixels collect information to support various digital marketing and advertising processes across many industries. In most common applications, trackers are embedded into the backend of websites to track, and send to third parties, a wide range of information, which may include personally identifiable information (PII), identifiable health information and/or protected health information (PHI).

In the first half of 2023, multiple digital health industry organizations were each issued large fines and consent decrees by the FTC for privacy violations in direct response to advertising analytics trackers collecting and sharing identifiable health information. The Department of Health & Human Services Office for Civil Rights also issued guidance in December of 2022 to address Health Insurance Portability and Accountability Act covered entity and business associate use of advertising analytics trackers and pixels.

So, most of the activity to date has been focused on health information and the health care industry. Do these issues apply to organizations that are not dealing in that space?

Absolutely. The plaintiff’s bar has recently employed various state health record laws, state Unfair or Deceptive Acts Practices laws, federal and state wiretapping acts and other legal theories (e.g., unjust enrichment, breach of fiduciary duty, negligence) to litigate the alleged improper use of advertising analytics trackers and pixels.

A recent and notable trend is that the plaintiff’s bar has begun dusting off a 1980s law, the Video Privacy Protection Act, to pursue class action litigation against companies in the media and entertainment industries. The law was initially intended to protect consumers from their video rental history being shared with other individuals or businesses. It is now being interpreted by some to mean that if an entertainment website (e.g., People.com, BuzzFeed, YouTube) has an analytics tracker that records what kind of content users view on their site (like a video about what a celebrity wore to an awards show) and shares that information for advertising purposes, that is a violation of the VPPA.

Notably, VPPA activity is not limited only to media and entertainment companies — any company that provides video content on its website could be potentially subject to this law. Recent activity under VPPA is following almost the same fact pattern as the actions in the health care space, but for different types of data and different use cases. The risk and potential exposure though, is very similar across the board.

Can you share some examples of what kind of activities are being scrutinized in these VPPA cases?

Where companies host video players on their websites, litigation risk may arise if video title, video viewer PII, and other related video viewing information is transmitted to third parties without consent. To that end, when we perform VPPA-specific reviews, we zero in on the video players.

Notably, where companies host videos on their websites, they may be able to reduce the risk of trackers inadvertently sharing video viewing data if they utilize “embedded video players” and/or “iframes” to host the video player. Doing so may limit and sometimes fully prevent trackers on a website from recognizing the activity being performed on the video viewer itself. Some embedded video platforms are more “privacy forward” than others.

What are some steps companies can take to reduce their risk of facing a case like this?

There are two sides to this on which we advise clients. One is the litigation work, where we help clients establish a defensible workflow to preserve evidence and ensure the right data is collected in a forensically sound way, to support evidence discovery for the matter. We’re also working with clients to get out in front of this proactively, but identifying which trackers are being used, what information they collect, and how and to which parties it is transmitted.

This technology can be difficult to govern. When we help clients with this work, we focus on reviewing websites and the trackers in use, as well as existing contractual agreements that may exist between the organization and outside providers of analytics trackers (which can impact exposure and the terms for how data is handled). Organizations should also deploy technical and procedural controls to monitor changes in the environment and assess privacy risk in advance of introducing new or modified advertising analytics and pixels onto the website. There’s a lot more under the hood, but those are the essential high level activities to start addressing this risk area.  

I would suggest clients perform a thorough review of their embedded video plays and the broader tracker functionality across their websites and platforms. Additionally, it may be a good idea to review your privacy notices, “Cookie Banner” language, and the company’s Cookie suppression functionality to further limit risk.

Is there anything else organizations should be watching for?

We’re currently in a period of both heightened enforcement and growing attention to data privacy as a right. These two issued combined have created a climate in which companies really can’t ignore their data privacy position. The more we see massive fines and large class actions around data privacy in the U.S., the more apparent it is that proactive data privacy adds tremendous value. Truly, a strong data privacy posture, which addresses explicit privacy regulation as well as adjacent issues such as pixel tracking enforcement, brings far more value to an organization than the cost of implementing policies and controls.
 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.