Addressing the hidden privacy risk of ‘tracking pixels’

Law firms, regulators and insurers are beginning to turn their attention to privacy risks created by tracking pixels collecting user data. For businesses regularly deploying cookies on websites or using tracking pixels, it’s vital to have in place a transparent governance process to avoid facing legal action or regulatory intervention.

A tracking pixel is a very small and often invisible image containing computer code that captures information. It differs from a cookie in that it is neither placed in a browser nor does it rely on a browser to function. Instead, it’s usually placed on a website. Consequently, tracking pixels allow businesses to collect a wider variety of user information including email opens, digital ad impressions, sales conversions, website visits, and other types of online activity.

In a recent move, the Austrian Data Protection Authority (DSB) has declared that Facebook’s tracking pixel violates the EU General Data Protection Regulation (GDPR) and the latest European Court of Justice (CJEU) decision on transatlantic data flows.

Organisations subject to GDPR are required to obtain consent before tracking the online activities of individuals. Otherwise, they may face regulatory investigations and fines.

With the above regulatory advance in mind, the risk of lawsuits and regulatory investigations related to the use of tracking pixels is clearly on the rise. While the urgency is more evident for industries that collect sensitive personal data, all organisations catering for the end consumer should be paying attention.

Businesses deploying tracking pixels may face legal action claiming that the responsible party allowed the tracking company to intercept private communications – the interaction between the website and the individual – which plaintiffs say they never consented to. To reduce the risk of attracting the attention of regulators and claimants, businesses deploying tracking pixels should consider the following actions:

Know your third-party tracking situation

Determine what cookies, pixels and other tracking technologies are actually running on your website.

Consider limiting third-party tracking on the most sensitive portions of your webpage

You know your websites and what website audiences care about. Consider whether to trim or eliminate third-party trackers from pages that arguably disclose more personal information or allow sensitive inferences to be drawn.

Prune unnecessary third-party trackers

Take inventory of your digital domain – be sure that all your tracking technologies have a clear and necessary purpose.
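
An added example (not part of the original article) of the inventory described under "Know your third-party tracking situation" and "Prune unnecessary third-party trackers": it scans page HTML for scripts, iframes and pixel-sized images loaded from other hosts, and records which of them appear on pages the operator treats as sensitive. The site name, tracker hostnames, paths and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"        # assumption: the site being audited
SENSITIVE_PREFIXES = ("/health",)   # assumption: operator-chosen sensitive areas
# Constructed sample pages (path -> HTML); not taken from any real site.
PAGES = {
    "/": '<script src="https://cdn.shop.example/app.js"></script>'
         '<img src="https://px.adnetwork.example/tr?ev=PageView" width="1" height="1">',
    "/health/appointments": '<img src="/img/logo.png" width="120" height="40">'
         '<script src="https://stats.analytics.example/a.js"></script>'
         '<img src="https://px.adnetwork.example/tr?ev=Lead" width="1" height="1">',
}

class TrackerFinder(HTMLParser):
    """Collect elements that load a resource from a host other than the site."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.found = []  # list of (host, kind)

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return  # relative URL or first-party host
        # A 0x0 or 1x1 image from another host is the classic tracking pixel.
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.found.append((host, "pixel" if tiny else tag))

def inventory(pages, first_party, sensitive_prefixes):
    """Return {host: {"kinds": set, "pages": set, "sensitive": bool}}."""
    report = {}
    for path, html in pages.items():
        finder = TrackerFinder(first_party)
        finder.feed(html)
        for host, kind in finder.found:
            entry = report.setdefault(host, {"kinds": set(), "pages": set(), "sensitive": False})
            entry["kinds"].add(kind)
            entry["pages"].add(path)
            entry["sensitive"] |= path.startswith(sensitive_prefixes)
    return report

if __name__ == "__main__":
    for host, e in sorted(inventory(PAGES, FIRST_PARTY, SENSITIVE_PREFIXES).items()):
        print(host, sorted(e["kinds"]), sorted(e["pages"]), "SENSITIVE" if e["sensitive"] else "")
```

A static scan only sees tags present in the served markup; trackers injected at runtime by scripts or tag managers have to be found by observing the page's network requests in a browser.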

Use in-tool privacy choices to minimize the privacy impact of third-party trackers

Most third-party trackers provide the organizations using them with the power to limit data collection. For example, a switch in the controls may allow a website operator to anonymize IP addresses that are collected, making it more difficult for a third-party service provider to identify a website user. If your company does not need the tracker to collect certain information, set the controls accordingly.

Disclose third-party tracking

It is clear from the above that the most rigorous disclosure will be required to ease concerns from data protection authorities and protect against potential future legal action. This can include the following, some or all of which may be required in some jurisdictions:

  • A generic disclosure of use of tracking technology in a privacy policy;

  • A listing of specific third parties doing the tracking, and for what purposes, in a privacy policy;

  • A cookie banner disclosing deployment of cookies, pixels, and other third-party technology, with links to learn more; and

  • A just-in-time disclosure in connection with capturing keystrokes and/or interacting with a chatbot.

Give consumers a choice

This can include the following, some or all of which may be required in some jurisdictions:

  • Letting website users opt out of all third-party tracking for analytics and advertising purposes;

  • Providing that choice before any third-party trackers are deployed; and

  • Only dropping cookies for analytics and advertising purposes if consumers opt in affirmatively at the cookie banner or with the preference tool.

Taking the above risk reduction steps will put organisations in the best possible position to avoid problems arising from their online tracking practices. The possibility of litigation and regulatory investigations and enforcement, however, cannot be dismissed.

Insurance cover

Cyber policies generally cover the insured’s liability for breaches of private personally identifiable information (PII) and protected health information (PHI). Policies also usually cover losses resulting from violations of privacy laws. This coverage makes it likely that cyber insurers will defend and settle online tracking litigation. The same is true for regulatory investigations and enforcement actions. Most cyber policies contain privacy regulatory coverage that would be likely to respond in those situations and may extend to regulatory fines and penalties imposed.

Not every cyber insurer believes its policy covers online tracking claims and some policies exclude cover for losses arising from the allegedly wrongful collection of PII or PHI. A few insurers have informally suggested that claims concerning online tracking practices are based on the unauthorised collection of private information, not the breach of that information. If that interpretation is correct, some cyber policies may not cover these claims. It is possible that other insurance policies may cover online tracking litigation.

Lockton’s Global Cyber and Technology team can help you face the changing landscape of international regulation and data protection.

For more details on our products and services, please visit our Global Cyber and Technology page, or contact:

Jack Bassett, Assistant Vice President Global Cyber & Technology

T: +44 (0)20 7933 1610

E: jack.bassett@lockton.com

Michael Kay, Head of Retail Practice Group

T: +44 (0)161 828 3304

E: michael.kay@lockton.com