Website tracking technologies have become the center of attention in privacy litigation, as the plaintiffs’ bar capitalizes on various privacy statutes and tort laws to file class actions, which have often resulted in significant multi-million-dollar settlements. In this two-part series, we explain:

• Part 1: Pixel tracking overview, related statutes and regulations and how they can be leveraged against companies.
• Part 2: Settlement value of cases, compliance considerations and potential implications for your cyber coverage.

What Is Pixel Tracking

Pixel tracking is a tactic widely used in advertising and analytics to measure user interactions and monitor online behavior to collect valuable consumer data. It is one of several types of website tracking that companies utilize (e.g., pixels, chatbots, session replay and video tracking). Tracking pixels can provide insight into email opens, page views, impressions, website clicks, sales conversions and other information that gives insight into users’ online activity. Unlike cookies, tracking pixels are not dependent on a browser for functionality and can operate independently to send information directly to web servers. Tracking pixels can provide more data than cookies because they have the ability to follow users across devices and cannot be easily disabled.

Meta Pixels are a retargeting pixel that tracks user activity through cookies to collect data on HTTP headers, button click metrics and user-specific data that is then shared directly with Meta. This data can then be used to create targeted campaigns and deliver personalized messaging. Meta Pixels have become the focus of data privacy litigation, resulting in at least one hundred class-action lawsuits in the past year. In addition to federal and state data privacy regulations, lawsuits allege intrusion upon seclusion, negligent misrepresentation, invasion of privacy, breach of contract, breach of fiduciary duty and more as causes of action.

Privacy Regulations and Litigation

The plaintiffs’ bar relies on several privacy statutes to limit the tracking of individuals’ activity on websites, regardless of the company’s industry. However, there is sensitivity and settlement value in healthcare, which is where these suits originated.

Health Insurance Portability and Accountability Act (HIPAA)

Numerous legal observers have noted that more than 50 class-action lawsuits were filed against hospitals and healthcare systems for HIPAA-related violations associated with pixel tracking in 2022 alone.¹ When a regulated business or entity subject to HIPAA uses pixel tracking technologies developed by a third party on their mobile app or website, such use may result in the collection and/or disclosure of personal health information to the third party. An investigation of healthcare and hospital websites found that 33 out of 100 hospitals in the United States use Meta Pixels on their websites.

Adding to existing concerns in the healthcare space, in December 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued a bulletin to give guidance on pixel tracking². The bulletin stated that regulated entities are prohibited from utilizing tracking technologies in a way that would lead to unauthorized disclosures of protected health information to tracking vendors or any other violations of HIPAA rules. The OCR further defined tracking technologies as a script or code on a website or mobile app used to gather information about users as they interact with the website or app (including cookies, tracking pixels, chat functions and any other tool that discloses information about the user to a third party).

Entities subject to HIPAA should conduct an audit of any tracking technologies used on their websites, web applications or mobile apps to determine if they are being used in a manner that complies with HIPAA. If it is discovered that the past or ongoing use of these technologies violates HIPAA, consumer notification may be required.

¹ McKeon, J. (2023, April 27). Data Breach Lawsuits Tied to Tracking Pixel Use On the Rise In Healthcare. HealthITSecurity. https://healthitsecurity.com/
news/data-breach-lawsuits-tied-to-tracking-pixel-use-on-the-rise-in-healthcare.

² U.S. Department of Health and Human Services (2022), Use of online tracking technologies by HIPAA covered entities and business associates. HHS.
gov. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.

Christopher Keegan

Senior Managing Director

Britt Eilhardt

Managing Director

Julia Krzeminski

Intern

Miles Crawford

Intern