“The writing has been on the wall for five years,” says John Gilmore, head of research at privacy company DeleteMe.
But cookies are just one way companies track and share data on users. They also often use pixels, and their use of that technology could expose companies to privacy liability in ways general counsel might not be aware of, a Bloomberg Law report says.
“2023 is the year in-house counsel must pay attention to the websites,” David Straite of DiCello Levitt told the publication. “They must interact with the website developers and say, ‘what code are you putting on this website?’”
Pixels are a technology made available by Google and Meta, among other tech companies, that is built into a website's code as part of the way the site loads after an address is typed into a browser.
“Once … trackers are loaded in your browser, they have a ton of ways to track you beyond just third-party cookies … and many of these mechanisms cannot be turned off because the browser needs them to properly function,” DuckDuckGo, a privacy-focused search engine, says in an analysis that’s been cited by the Federal Trade Commission in a report by its office of technology.
Because of the role of pixels in how websites interact with browsers, a company can put in controls around its use of data without those controls applying to data tracked and shared by pixels.
Even if, as in-house counsel, you work with others in the business to control how tracking data from pixels is used, your company could still face exposure from use of the data outside your company.
“Google and Meta can access and use data collected by the pixels,” attorneys told Bloomberg Law. That “impedes in-house’s ability to fine-tune collection controls and thereby limit litigation risk.”
In an early October analysis of federal court dockets, Bloomberg Law found that plaintiffs’ lawyers are relying on a handful of federal laws, in addition to state laws, to file proposed privacy class actions over companies’ use of pixels.
These laws include the Health Insurance Portability and Accountability Act (436 cases filed), Video Privacy Protection Act (199 cases), Computer Fraud and Abuse Act (114 cases), Federal Wiretap Act (98 cases) and the Driver’s Privacy Protection Act (67 cases).
The Boston Globe recently settled a lawsuit over its use of Meta pixels that plaintiffs filed under the Video Privacy Protection Act. The company says it didn’t violate the law but it agreed to settle for $4 million to avoid the uncertainty and expense of litigation.
“The class action lawsuit accuses Boston Globe Media Partners, LLC of disclosing its subscribers’ personally identifiable information (‘PII’) to Facebook via the Facebook Tracking Pixel without consent in violation of the Video Privacy Protection Act (the ‘VPPA’),” the company says.
Under the complaint, Boston Globe subscribers who also had Facebook accounts during a three-year period that ended earlier this year had personal information shared without their consent via the pixels.
As part of its settlement, the newspaper company agreed to suspend its use of the pixels on any pages on its website that both include video content and have a URL that substantially identifies the video content viewed.
“That’s where some companies who got sued have gotten in trouble — not having proper disclosures,” he said.