Over the past year, we’ve seen privacy-related legal actions brought against companies from Federal, State, and Regulatory agencies, and private classes that focus heavily on data privacy violations related to website tracking. Law firms with data privacy practices are seeing a substantial uptick in questions from clients concerned with these topics, and clients who require defense against a pending legal action.
What is the adtech at the core of these issues, and why is it a concern?
As a quick refresher, let’s review what pixels, trackers, and session recording tools, which are the tools at the heart of these legal actions, actually do. Pixels are tiny, transparent, and often invisible graphical elements embedded in web pages or emails. Scripts attached to these pixels collect data for various purposes, such as measuring website traffic, understanding user behavior, and delivering targeted advertising.
Trackers similarly collect data for various purposes, including advertising, analytics, and personalization, but come in different forms, such as cookies, scripts, tags, and fingerprinting techniques.
Lastly, session recording tools (like HotJar, CrazyEgg, and Glassbox) capture and record user interactions and activities on websites or within applications. It involves recording user sessions, including mouse movements, clicks, keystrokes, and scrolling behavior, to analyze user behavior, improve website usability, and enhance user experience.
All these tools aim to measure engagement or personalize or improve the user experience by better understanding the users’ preferences, behaviors, and demographics. It’s important to note that often the website owner or the organization’s marketing department will place these trackers onto the website but are often unaware they are violating any regulations.
Although many of these technologies have been used for years, data privacy regulations are finally catching up. When The Markup reported in August 2022 that several hospitals were sharing patient data with Facebook via the “Meta Pixel,” it set off alarms among privacy regulators and plaintiffs’ attorneys. In December 2022, the Department of Health and Human Services Office of Civil Rights issued a memo warning against the use of tracking technology on healthcare websites as they may be sharing sensitive health data, clarifying that it violates HIPAA.
Hospital and healthcare websites have been hit hard since this clarification. Over 18 class-action lawsuits have been filed against hospitals and counting, alleging they are sharing health data via online trackers. The FTC fined GoodRx and Betterhelp for using online tracking technologies without explicit user consent, and the director of the Department of Health and Human Services' Office for Civil Rights recently clarified that it’s a priority of their office to crack down on those who violate the regulations on trackers.
Besides healthcare, we’ve seen plaintiffs’ attorneys bring class-action lawsuits related to sharing video streaming data from websites to Facebook via the Meta pixel under the Video Privacy Protection Act. Other class-action lawsuits have been filed under state wiretapping laws related to using session recording tools to record users’ web activities without their knowledge or consent.