Pixel Trackers: Cyber Risk and Insurance Options

MAY 2, 2023

Pixel trackers have been a standard feature of corporate and commercial websites for decades, but they have recently gained the attention of government regulators and have become the subject of multiple class-action lawsuits due to personal and health data disclosures. Healthcare providers and other organizations that use tracking pixels are held accountable for any data breaches the pixels may cause, making pixel security a top business priority.

What Are Pixel Trackers?

Pixel trackers (sometimes called “pixel tags” or “spy pixels”) are imperceptible, transparent graphic files that contain small snippets of computer code. The code’s sole purpose is to collect information about a computer user’s actions on a particular website. The most common use of that data would be to create tailored advertisements to be presented back to that same user. For example, if a user clicks a link associated with garden tools, this information is tracked by the code, and then advertisers will know to direct ads about gardening products to that specific user.

Who is Most Susceptible to Pixel Tracking Risks?

Currently, the greatest risk is in the healthcare industry, but all organizations that possess employees’ healthcare-related information face some liability. In 2022, dozens of class-action lawsuits were filed against major hospitals after it became apparent that they were using a common version of this technology: the Meta pixel code offered by Facebook’s parent company, Meta. The suits allege, among other claims, that this data collection included information that was protected health information (PHI) as defined by federal regulations under the Health Information Portability and Accountability Act (HIPAA).

For example, patients might schedule an appointment online on a hospital’s website, and a pixel tracker could collect the physician’s name and expertise (such as “fertility specialist”). The tracker could then send that information back to an internet advertising company to sell for the purpose of creating a tailored advertisement, a potential HIPAA violation each time it occurred. One lawsuit alleges that the process can take place almost instantaneously, so that ads appear right after the user has finished visiting the hospital website.

In addition to the risk of a class-action lawsuit, healthcare providers must also be careful to heed the warnings of government regulators. In December 2022, the Department of Health and Human Services (HHS) issued a bulletin outlining the obligations of regulated healthcare entities when using this technology.

Precarious World of Privacy Regulations

From a regulatory perspective, all organizations face potential liability with pixel trackers from global, federal and local regulators. Legislation such as the CARES Act and Section 5 of the Federal Trade Commission (FTC) Act has created strict rules that make the practice of data harvesting through tracking pixels risky and controversial.

The challenge many providers are experiencing is the inherent disconnect between marketing departments and patient health departments. Not only are there at least 60 unfiled class-action suits in queue concerning pixel trackers, but virtually all privacy regulators are also focusing on the use of this technology. These regulators are most concerned with timing and disclosures, reasonable security measures, collection issues, and adherence to policies.

What Are the Emerging Risks?

While hospitals have been the current targets, the plaintiffs’ logic could also apply to smaller healthcare entities and other industries. Any company that has healthcare-related information, even if they aren’t technically a “covered entity” as defined by HIPAA, could find themselves accused of violating local, state or federal regulations (e.g. breaching the privacy of users on websites that use or have used pixel trackers).

Likewise, companies in other highly regulated industries — such as educational organizations, financial institutions, and public entities — should review their practices involving pixel trackers in anticipation of potential future risks.

4 Easy Steps for Protecting Your Organization

Fisher Broyles, a law firm partnering with USI, suggests four initial steps to help protect your organization from pixel-related threats:

  1. Develop a privacy policy based on applicable laws regarding consumer rights. Train employees on the requirements of the policy and appropriate collection, use, sharing and handling of data — particularly sensitive data — throughout its life cycle.
  2. Make sure to involve business, development, and marketing teams.
  3. Assess the use of cookies and analytics tools used on websites, apps and consumer-accessible portals to ensure compliance.
  4. Create accurate and compliant consumer notices written in clear and understandable language.
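
One way to start the assessment in step 3, as an added example that is not from USI or Fisher Broyles: a Python audit that inventories third-party image, script and iframe loads in a saved page and flags invisible pixels and URL parameters that carry page context, such as the physician specialty described earlier. The hostnames, the sample page and the watch-list terms are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Assumed watch-list; a real review would use terms from the organization's own pages.
SENSITIVE_TERMS = ("fertility", "oncology", "appointment", "physician")

# Constructed sample page (all hosts are placeholders).
SAMPLE_PAGE = """
<html><body><h1>Book an appointment</h1>
<img src="/static/logo.png" width="120" height="40">
<script src="https://cdn.hospital.example/app.js"></script>
<script src="https://analytics.adnetwork.example/tag.js"></script>
<img src="https://pixel.adnetwork.example/tr?ev=PageView&amp;title=Dr.%20Lee%20-%20Fertility%20Specialist&amp;url=%2Fappointment%2Fconfirm" width="1" height="1" style="display:none">
</body></html>
"""

class ThirdPartyLoadAudit(HTMLParser):
    """Record img/script/iframe loads whose host is outside the first-party site."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        host = (url.hostname or "").lower()
        # Relative URLs and first-party subdomains are not third-party loads.
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        # Decoded query values show what page context leaves with the request.
        leaked = sorted({t for _, value in parse_qsl(url.query)
                         for t in SENSITIVE_TERMS if t in value.lower()})
        self.findings.append({"tag": tag, "host": host,
                              "invisible_pixel": tag == "img" and (tiny or hidden),
                              "sensitive_terms_in_url": leaked})

def audit_page(html, first_party_host):
    parser = ThirdPartyLoadAudit(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, "hospital.example"):
        print(finding)
```

Static HTML shows only what is written into the page; requests issued at run time by a loaded third-party script need a browser network capture to inventory.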

For more information, please contact your USI representative or email pcsolutions@usi.com.