Pixel Litigation: How Security Professionals Can Assist with Risk Mitigation
It may not be readily apparent, but a rapidly evolving risk and compliance issue—pixel litigation—is pulling security practitioners into remediation efforts that come as a surprise to them.
Websites are naturally part of an organization's security risk and compliance plan. Some compliance issues for websites include: compliance with the Americans with Disabilities Act for accessibility; transparent disclosures in the website privacy policy for compliance with Section 5 of the Federal Trade Commission Act; obtaining consent for collection of certain data, including keeping an eye on the Telephone Consumer Protection Act; protection of data submitted by consumers and compliance with state data security laws; and (as applicable) compliance with the California Consumer Privacy Act and other state privacy laws. Oversight of, or involvement with, the security of an organization's website tends to be assigned to security professionals.
Why Pixels Matter
A new issue involving websites is pixel litigation, which is catching organizations by surprise. Pixel litigation has grown substantially during the past year. The list of entities that have been sued and have settled pixel litigation cases is growing exponentially.
The allegations in pixel litigation cases vary, but plaintiffs primarily allege that organizations collect, use, and disclose the personal information of consumers who browse their websites, without those consumers' consent. When consumers browse a website, website tracking and analytics technology can track the browsing session, including exactly which pages are viewed and how long the user spends on each page. If cookies or pixels are used, the technology can also continue to track the user's views of other websites during the session. The data is then shared with other organizations that can link the IP address with their platforms.
Two widely used pixels are the Meta (Facebook) and Google pixels. Also called “ad tech,” these pixels and tracking technologies, if activated by an organization, attach computer code to the user's activity and share it with Meta and Google. That activity is then allegedly used for targeted advertising to the IP address of the user.
The tracking technology is useful to organizations’ sales and marketing functions: it helps them enhance the content on their websites, understand which part of the organization is of interest to consumers, and develop new products and services based on the interest shown by consumers when viewing the website.
But the sharing of the analytics with Meta, Google, and others is being attacked in litigation as disclosing consumer data without consumer consent in violation of wiretapping and privacy laws. Defenses to these allegations include, but are not limited to, that consumers are well aware that they are being tracked when they visit a website, that the browsing of a website does not collect or disclose “personal information,” and that the collection of clicks of a consumer on a website is not a “recording” as that term is defined in wiretapping laws—nor is it the type of “wiretapping” that wiretapping laws were designed to prohibit.
When legal action is brought, some organizations do not even know whether they have applied tracking technology to their website, and the technology has not been flagged as a legal, compliance, or security risk. Ad tech is ubiquitous and has been used for years, and the addition of tracking technology for analytics on a website is often an add-on feature offered by the website hosting vendor, which is agreed to by the sales and marketing professionals in the organization. When that occurs, sales and marketing professionals, who are unaware of the legal and compliance risks associated with the ad tech, view its addition as a value to the organization and do not communicate the add-on to the legal, compliance, or security professionals.
If an organization is sued, it can be caught off guard if communication channels within the business are not open. Often, IT professionals are not consulted by sales and marketing teams when new technology is used for a sales and marketing function. After a suit is filed alleging an issue with technology, IT professionals are consulted to determine whether the allegations have merit. At this point, sales, marketing, and IT professionals must work together to investigate the allegations.
In some instances, neither the sales and marketing nor IT professionals were aware of the use of the technology or its functionality. In this case, the organization will first have to determine what tracking technology is being used, for how long, what it is capturing, and whether pixels or other ad tech is disclosing data to Meta, Google, or others. When this happens, security professionals are brought into the conversation to assist with fact gathering.
Next Steps for Security Pros
To get ahead of the swell of litigation in this area, there are several things legal, compliance, and security professionals can consider doing now to assess the risk of pixel litigation:
- Work with sales and marketing professionals to determine whether tracking technology is used on your website, including Meta and Google pixels.
- Determine how ad tech is used on your website, what it gathers, and what information is being disclosed to third parties.
- Assess whether the pixels or other tracking technology (depending on the answer to the bullet above) are worth the risk. If so, determine what mitigation steps to implement to reduce the risk. If not, determine how to disable the tracking technology.
- If ad tracking, pixels, and cookies are used, review the website’s privacy policy to determine whether it should be updated to be more transparent about the use of tracking technology, what it is capturing, and to whom the data is disclosed.
- Provide mechanisms for consumers to opt-out of the use of tracking technology when they visit the website, including a pop-up that gives consumers options to opt-out as soon as they arrive (also known as “cookie banners”).
- Establish a rapport and process with sales and marketing professionals about the use of evolving technology in the organization so there is an awareness of the need to evaluate new technology before it is deployed.
- Establish internal procedures so security professionals are included in the evaluation of new technology to help assess risk.
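For the first two steps, a first-pass inventory can be taken from a saved copy of each page's HTML. The script below is an added example, not part of the original article: it lists every third-party host a page references and labels the Meta and Google ones. The host map, the sample page, and the names `third_party_hosts` and `shop.example` are assumptions constructed for illustration, and the map is not exhaustive.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: short, non-exhaustive map of well-known ad tech hosts.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel event endpoint",
    "www.googletagmanager.com": "Google tag (gtag.js / Tag Manager)",
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

class ResourceInventory(HTMLParser):
    """Collect URLs from src attributes and from inline script text."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.urls.append(src)
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # pixels are often injected by inline snippets
            self.urls.extend(URL_RE.findall(data))

def third_party_hosts(html, first_party):
    """Map each third-party host the page references to a vendor label."""
    parser = ResourceInventory()
    parser.feed(html)
    found = {}
    for url in parser.urls:
        host = urlparse(url).hostname
        if not host or host == first_party or host.endswith("." + first_party):
            continue  # relative or first-party resource
        found[host] = KNOWN_TRACKERS.get(host, "unrecognized third party")
    return found

# Constructed sample page, not taken from any real site.
SAMPLE = """<head><script src="/static/app.js"></script>
<script>var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><img height="1" width="1" src="https://www.facebook.com/tr?id=0&amp;ev=PageView">
<script src="https://cdn.widgets.example/chat.js"></script></body>"""

for host, label in sorted(third_party_hosts(SAMPLE, "shop.example").items()):
    print(f"{host:28} {label}")
```

Static HTML shows only what the page itself declares; tags injected at runtime by a tag manager appear only in a browser network capture, so treat this inventory as a starting point for the conversation with sales and marketing.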
Data security is a team sport. Collaboration is key to reducing risk for the organization. Keeping security professionals closely apprised of the use of any new technology or proposed “add-ons” can be critical for reducing data security risks to the organization.
Unfortunately, new technology is only going to get riskier as more vendors embed artificial intelligence (“AI”) tools into their products. As with ad tracking technologies, business teams are not current on how AI tools are used by technology offered by vendors, nor on the risks posed by the use of AI, including bias, data privacy and security, leakage of data, and the collection and use of intellectual property by AI tools. Developing solid lines of communication and processes within an organization about the use and evaluation of new technology, including AI tools, may reduce future risk so nothing falls through the cracks.
Linn Freedman is chair of the Data Privacy + Cybersecurity and AI Teams at Robinson & Cole, LLP. Freedman focuses her practice on compliance with all state and federal data privacy and security laws and regulations, as well as emergency data breach response, mitigation, and litigation.
© Linn F. Freedman