
ARTICLE

Tracking Your Cyber Coverage: Pixel and Other Privacy-Related Litigation

Eric Jesse and Heather Weaver

Summary

  • In today’s technology-driven world, cyber insurance is arguably one of the most valuable spends for any business.
  • The legal environment surrounding pixels and similar tracking technologies is complex and rapidly evolving.
  • Plaintiffs are suing hospitals and health systems around the country, among others, for allegedly using pixel and other tracking tools.
  • Cyber and media liability insurance policies have evolved over the last several years, often including broad coverage for a variety of alleged data privacy violations.

Does it ever feel as though your every move on the internet is being monitored? That websites and social media platforms know all about your shopping habits, desired travel plans, hobbies, medical history, and more? They might, according to some plaintiffs’ lawyers. Unbeknownst to users, a tiny digital tool called a tracking pixel may be embedded on websites, where it collects information about user behaviors and interactions. The data collected by the pixel and similar tracking tools can be invaluable to businesses, advertisers, and marketers, who use that information to target a tailored audience and accelerate sales. However, the benefits of this technology can come with privacy risks, a growing concern for many companies and, in turn, their insurers. As large privacy class action lawsuits arising out of the alleged wrongful collection and distribution of personal information are filed in courts across the country, insurers are working to try to minimize their coverage obligations for these lawsuits.

This article discusses (1) the current legal landscape surrounding pixel and similar tracking technologies, (2) cyber insurance restrictions and limitations that are becoming more common in response to these privacy claims, (3) mitigation measures companies can take to be a more desirable risk to cyber insurers, and (4) a new area of growing concern in the privacy technology space that cyber insurers are monitoring closely. 

Pixel Litigation on the Rise  

The legal environment surrounding pixels and similar tracking technologies is complex and rapidly evolving. Over the last few years, there has been an explosion of privacy-based investigations and massive class action lawsuits. In 2023 alone, more than 250 lawsuits were filed raising various privacy concerns related to tracking tools, according to a Bloomberg Law docket search. These lawsuits primarily target two different defendant groups: (1) the providers of the pixel tools, including Google, Meta, and Adobe; and (2) companies that allegedly use these tracking technologies on their own websites or apps for data collection, such as hospitals and healthcare providers. While companies across a wide range of industries have been known to use these tracking tools, the healthcare and financial services industries are especially susceptible to such claims based on confidential and sensitive data that they handle.

The Meta pixel, while undoubtedly a powerful data-gathering tool, has exposed the company to potentially significant liability. For example, there is a putative class action lawsuit against Meta pending in California, which consolidates nearly 20 individual lawsuits. Plaintiffs allege, among other things, that Meta knew or should have known that its pixel tracking tool was being used on hospital websites to collect the private medical information of users. The collected data, which were allegedly sent to Meta, were then used to create personalized ads. According to the HIPAA Journal, at least 664 hospital systems and medical providers were sending patient data to Meta through the pixel tool. At a January 17, 2024, hearing on Meta’s motion to dismiss this class action, District Judge William Orrick in the U.S. District Court for the District of Northern California indicated that he is inclined to let the class action proceed because the privacy claims appear plausible, given the relationship between plaintiffs and the healthcare providers.

While Judge Orrick did not issue a decision at the hearing, this class action lawsuit could proceed on the heels of the final approval of a $725 million settlement of privacy claims against Facebook at the end of last year. According to plaintiffs’ counsel, the nearly 28 million claims received appear to be the largest number ever filed in a class action in the United States. And because the judge in that case awarded more than $181 million in legal fees to the plaintiffs’ lawyers as part of this behemoth settlement, it is no surprise that these privacy-related class action lawsuits have caught the attention of the plaintiffs’ bar. 

Meta is not the only tech giant garnering attention in this area. At the end of 2023, Google purportedly agreed to settle a $5 billion consumer privacy lawsuit claiming it secretly tracked the internet use of millions of people who thought they were browsing privately in “incognito” mode. This lawsuit covers millions of Google users and sought at least $5,000 in damages per user per violation of the federal wiretapping and California privacy laws. Google agreed to settle this lawsuit after its motion to dismiss was denied. While the terms of the preliminary settlement have not been disclosed, a looming February 2024 trial is on hold while the parties work toward finalizing a settlement.

Plaintiffs are also suing hospitals and health systems around the country, among others, for allegedly using pixel and other tracking tools on their own websites. In 2023 alone, class action lawsuits alleging privacy violations and distribution of millions of patients’ protected health data were filed against New York-Presbyterian Hospital, Cedars-Sinai Health System, the University of California Health System, IMB, Kroger, Costco, and Rite Aid, just to name a few. These class actions allege, among other things, that the tracking tools violate the Health Insurance Portability and Accountability Act (HIPAA) and other privacy standards by permitting third parties to collect information regarding patients’ interactions with their websites, including prescriptions, medical appointments, procedures, treatment options, and healthcare providers and facilities. This information is then allegedly shared with tech giants such as Meta and Google, allowing them to tailor ads based on patients’ medical history.

Insurer Response to Increased Tracking and Other Privacy-Related Claims

Cyber and media liability insurance policies have evolved over the last several years, often including broad coverage for a variety of alleged data privacy violations. Coverage for such claims can entail, among other things, defense costs, damages, and regulatory fines arising out of such claims. Also, class action lawsuits are typically expensive, and increasingly strict privacy regulations can lead to more significant fines. As the insurance market has faced an increasing number of claims, it is not surprising that insurers are looking for ways to minimize their current and future exposure for these liabilities.

For example, many cyber insurance carriers have started to try to restrict coverage for privacy claims by, among other things, specifically excluding media-related exposures or any wrongful collection of data, or by adding a specific pixel or code tracking exclusion to their policies. Even carriers that are not entirely excluding coverage for these claims often specify a sublimit to minimize their exposure or agree to provide defense-only coverage.

Another way that insurers are responding to the risk of these privacy-related claims is by adjusting the policy terms. For example, insurers are increasingly seeking to more narrowly define certain key terms within these policies—for example, “covered media material,” “media wrongful act,” “personally identifiable information,” and “confidential information”—which may put some of these claims outside the scope of a policy’s coverage. In these circumstances, the coverage limitations might not be as apparent on the face of the policy—the “devil is in the details” and the “fine print” matters. However, an experienced broker or coverage counsel can help identify such restrictions and try to negotiate broader coverage on behalf of the policyholder. Finally, some carriers are also increasing premiums for policies that cover these privacy-related risks or increasing the relevant deductibles (or both).

Steps Policyholders Can Take to Minimize Risk and Maximize Coverage

In today’s technology-driven world, cyber insurance is arguably one of the most valuable spends for any business. While many cyber insurers are trying to scale back what their policies cover given the increase in privacy claims, companies with strong controls and compliance still have options in the cyber insurance marketplace. Insurers will generally work with applicants on a case-by-case basis to determine if they are diligent and informed regarding any data collection and sharing before issuing coverage. To maximize their chances of procuring coverage on favorable terms, policyholders must work closely with their experienced brokers, coverage counsel, and knowledgeable individuals within their companies leading up to and during the underwriting process.

Companies can expect insurance carriers to closely scrutinize their security practices and assess the types of data they collect and how the data are used. Insurers may even require supplemental applications to address how policyholders collect personal data. Such applications often contain technical questions regarding a company’s website configurations and data-processing activities. Policyholders may also be asked whether they share user data with or sell user data to any third parties prior to notifying users or obtaining their consent. Insurers will also want to ensure that there is a process in place to evaluate, approve, and disclose the use of tracking pixels and other website technologies.

Some cyber underwriters have gone a step further by using scanning technologies within the underwriting process to determine if pixels are being used on the prospective policyholder’s website. Some underwriters may even require removal of the pixels from websites prior to issuing a policy, while others may require answers to a number of risk management questions surrounding the use of pixels, before offering terms or deleting exclusions restricting coverage. Cyber carriers will, of course, also consider prior claims history, so it is important to maintain a clean record, not only from a business and finance perspective but also from an insurance procurement perspective. Insurance companies will consider this information collectively to assess legal risks, set premiums, and determine the scope of coverage that they are willing to provide.

Companies are often overwhelmed by the thought of this grueling underwriting process, and understandably so. Experienced brokers and coverage counsel can help navigate this process by working with their clients’ internal legal, marketing, and technology teams, by obtaining quotes, and by negotiating policy terms and conditions on their clients’ behalf. One key piece of advice is to start the process early. Companies should not wait until the expiration of their cyber policy is approaching before reaching out to their broker or coverage counsel and starting to gather the necessary information internally.

In addition to preparing for the underwriting process, companies are also making changes internally on the business and technology side to minimize risk. For example, some companies have proactively removed tracking technologies from their websites in response to the wave of claims. However, to the extent that companies do not want to remove tracking tools from their websites for business reasons, companies can take steps to minimize legal risk and provide comfort to prospective insurers. For example, companies should make available their privacy policies informing customers of the use of any tracking technologies on their websites and specify what types of data are being collected and how the data will be used. Companies should also allow website users to opt out before their data are collected. Many companies have incorporated an opt-out option as a pop-up when users log onto their websites.

Of course, an important way a company can ensure that cyber coverage remains accessible and affordable is to improve its security. Working with a broker or coverage counsel (or both) who know the ins-and-outs of the industry and can direct the company through the underwriting process is also critical to ensuring that the company is procuring insurance that contains favorable terms that are likely to cover a potential claim.   

Biometrics: The Cyber Risk to Watch

Companies are increasingly using biometric data, such as fingerprints and retinal scans, as a method of improving security. For example, American Airlines is one major company taking advantage of biometric technology in the United States, by implementing a one-step facial recognition program and eliminating the need for boarding passes. Disney is another major corporate company that uses biometrics, specifically fingerprints, to confirm identification for entry to the theme parks. In a first for the financial industry, global banking chain Barclays developed a one-touch fingerprint access and has since expanded its biometric strategy to include voice-enabled biometrics. This technology enables Barclays bank contact centers to identify customers from the first few words that are spoken on their call, which eliminates the need for traditional security passwords. Many employers are also making the switch from traditional forms of security and access control to biometric technology for their own employees to access their company’s computer systems. As we have seen with tracking technologies, however, along with the benefits of these advancing forms of technologies come legal risks and coverage considerations.

Insurance carriers are keeping a close eye on biometrics as the Illinois Biometric Information Privacy Act (BIPA) is one of the strictest privacy laws in the nation. BIPA gives consumers the right to directly sue businesses that violate it (e.g., by obtaining biometric information without obtaining written consent). Currently, at least nine states have biometric laws and more than a dozen others have proposed legislation. As the use of biometrics continues to become more widespread, and strict biometric privacy laws continue to be enacted across the country, the legal risks will increase. In turn, we will see insurers seeking to limit their risk by adding to their policies exclusions and other restrictions for BIPA-related claims.

This will undoubtedly become another hot topic in the cyber insurance market as companies seek to obtain coverage and protection for potential claims arising out of their use of biometrics technology. To avoid the risk of coverage gaps, companies that use or are considering using biometric technologies should consult with their insurance brokers or coverage counsel (or both) regarding the availability of cyber and other insurance in the marketplace to cover such risks.
