Tracking pixels have become an integral part of modern digital marketing, allowing your business or organization to gather valuable data about your users’ behavior and optimize your online marketing strategies. However, the benefits and insights offered by tracking pixels come with inherent cybersecurity and legal risks for your San Diego business. In this blog post, I explore the potential legal issues surrounding tracking pixels data exposure and shed light on the ominous threat of a potentially more significant lawsuit and financial penalties if this data falls into the wrong hands.
What is a tracking pixel?
Isn’t it creepy when you visit a website or Facebook and see an ad for something you were looking at elsewhere? Hmm, a weird fluke? But then you go to another page and see another targeted ad while you scroll.
You can place the pixel on a web page (sometimes an order confirmation page) or in the body of an email. When the user opens the email or page, the image is downloaded from the server, and the marketer receives the user’s valuable browsing and behavior data to optimize the marketer’s online strategies.
Tracking pixels are similar to cookies
You may have heard of cookies: “Cookies are small text files that a website stores on your computer via your browser. By themselves, cookies don’t do anything; they just store information that can be read later by a website to perform some kind of function” (Osana). Cookies can help a site’s shopping cart function by remembering login information, the items a shopper added, ads related to those products, and analytics for the site’s use.
How are pixels different?
Tracking pixels have many of the same functions. However, unlike cookies, which are saved on the user’s computer and can be easily blocked, pixels track user interaction with web pages and emails across multiple devices the user is logged in on.
All in all, tracking pixels are valuable marketing tools.
The two important types of tracking pixels
A marketer places retargeting (or remarketing) pixels on a website or landing page. It tracks and collects visitor data about interactions with ads or the webpages visited, products viewed, or actions taken, such as adding items to a shopping cart. Marketers can use this for retargeting campaigns. Other gathered data includes the visitor’s IP address, geolocation, operating system, screen resolution, type of device used, type of web browser, and installed plugins (Cookie Script).
When someone visits a website with a retargeting pixel and then leaves without making a purchase or completing a desired action (converting), the retargeting pixel allows advertisers to show targeted ads to those specific visitors on other websites or platforms they subsequently visit. Users of the brand or product are encouraged to return and complete the desired conversion.
A pixel tracking provider often provides a dashboard or interface to the marketer to track, test, and refine their settings. Using this interface, marketers can also perform A/B testing to see which headlines in an email or page better produce conversions (Digital Marketer, Comparitech).
A marketer can also place a “conversion pixel” on a website or landing page, but its purpose is to track and measure specific actions or conversions resulting from a marketing campaign. These actions can include purchases, form submissions, newsletter sign-ups, or any other predetermined goal or conversion event. Other gathered data includes website visits, time of visits, the best time of day for conversions, and if the user originated from paid search results on Google, YouTube, LinkedIn, Twitter, and Facebook (Cookie Script).
Various companies have custom pixels. Meta pixel–previously Facebook pixel–can collect conversion data from Facebook ads, optimize those ads, retarget audiences with future ads, and remarket to users who have interacted with your website (Comparitech). A LinkedIn tracking pixel tracks conversions and events of a LinkedIn Career Page. With the LinkedIn tracking pixel, you can segment your traffic and determine how many click-throughs and referrals come from LinkedIn to your site and how many came from other sources (Cookie Script).
In 2018, Meta (then Facebook) told Congress that it had more than two million pixels around the internet. The company gathered so much personally identifiable information (PII) that even its workers were unaware of the data’s destination. An internal leaked document by Meta privacy employees said the company did not “have an adequate level of control and explainability over how our systems use data” (The Markup).
There are various other pixels you can use for your marketing. Here is a suggested list of the top 11 pixels to use on your website.
When a visitor completes the desired action, such as purchasing, the conversion pixel records that action and sends the information back to the marketer. This method provides data to measure the effectiveness of marketing campaigns, track their return on investment (ROI), and optimize advertising strategies based on the conversion data collected.
In summary, a retargeting pixel tracks and targets users who have previously shown interest in a website or product but have yet to convert. In contrast, a marketer can use a conversion pixel to track and measure specific actions or conversions resulting from an advertising campaign (adQuadrant).
In addition to the types of information already mentioned, tracking pixels in emails can tell a marketer how many times the email has been opened, the device used to open the email, the user’s physical location (through their IP address), and whether the user has forwarded the email to anyone else (Nutshell).
Who uses tracking pixels?
Companies of different sizes have used tracking pixels.
In the US, Google, Facebook, Amazon, Twitter, LinkedIn, and Adobe use tracking pixels, including healthcare companies using pixels provided by Meta. British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Marks & Spencer, Asos, and the international company Unilever also use them in the UK.
The problem with tracking pixels
Tracking pixels sounds innocent enough, but gathering user data can have consequences.
The Federal Trade Commission is primarily responsible for enforcing consumer protection and privacy laws in the United States. It has broad authority to address unfair and deceptive practices, including those related to tracking pixels and online tracking technologies. The FTC reports that tracking pixels are an industry-standard tool. Academic and public reporting teams found that thousands of the most visited web pages have pixels and other methods that leak personal information to third parties (FTC).
Blocking third-party cookies may not entirely prevent tracking pixels from collecting and sharing information. Third parties can also be secretive about how they store tracking data; the type of data and where it is stored are ongoing concerns.
A marketer can also use information collected from a pixel to identify user social media profiles through matching information such as a user’s email address that automatically connects a user to their social media account on the platform if they have one (FTC).
As I mentioned, tracking pixels can gather extensive user information without their knowledge and violate privacy. Their use is frowned upon by consumer advocacy groups and regulatory agencies.
Spammers can also use the pixels to access the personal data of site visitors (Digital Marketer), even with the marketer “hashing” (scrambling) the data. The FTC has said hashing may be inadequate in some cases since it can be reversed or used to access data across databases.
To send the point home, marketers who use tracking pixels have encountered legal issues with the FTC. The FTC sued Meta and two digital healthcare platforms, GoodRx and BetterHelp, for violating patient HIPAA (the Health Insurance Portability and Accountability Act of 1996, which regulates the use of patient data) privacy with their pixel (The Verge). The problem was that these companies shared user health data with third parties for advertising.
In the GoodRx and BetterHelp suits, the FTC included strong bans and limits on user information for advertising. Both companies were banned from sharing health information for advertising. The BetterHelp case also banned using data for retargeting (FTC).
In the business of tax filing, H&R Block, TaxSlayer, and TaxAct are among the companies that have used the Meta pixel to send their customer tax information to Facebook. The IRS has not yet commented or answered questions about possible enforcement actions against those companies. However, organizations should be vigilant against violating FTC or IRS regulations where sensitive user data is exposed.
The bigger problems loom large
If unauthorized individuals gain access to the data collected through tracking pixels, the consequences can be severe and far-reaching. The threat of a more significant lawsuit emerges if this data falls into the wrong hands.
Class Action Lawsuits: A group of affected individuals may together file a class action suit against your organization if you are found responsible for a breach. You may be subject to significant financial liability.
Regulatory Compliance Issues: If you are responsible for a data breach, regulatory bodies like the FTC can focus their consumer protection eyes on your organization. Expect stiff fines and significant penalties.
Reputation Damage and Customer Loss: Beyond legal penalties, a data breach can severely damage your organization’s reputation. Your customers could lose trust in your ability to protect their data, leading to your customers fleeing, your sales decreasing, and your brand suffering long-term damage.
Extended Liability: In some instances, your third-party service providers involved in data collection and storage may also face legal consequences if they are found negligent in protecting the data or facilitating the breach.
Current user protections
There are over forty data privacy laws across the world (Osano). In Europe, the General Data Protection Regulation(GDPR) requires organizations to inform users of tracking and notify them that they can reject or opt out of tracking. In the US, the California Consumer Privacy Act(CCPA) provides similar protections in California; users have the right to be notified of any “categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared.”
What kind of actions can the FTC take to track pixel abuses?
The FTC aims to protect customers and enforce the law. “Companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and your privacy promises to consumers” (FTC).
This warning also extends to the third provision of the FTC’s Safeguards Rule: “Design and implement customer information safeguards that control risks identified through a [financial entity’s] risk assessment.” If there is a financial aspect to your consumer/business relationship, the Safeguards Rule may apply to you. Under this provision, the FTC can penalize your organization for negligence, poor security, or willful sale of your customer’s tracking pixel data to advertisers.
The FTC can investigate organizations that use tracking pixel data, issue cease and desist orders for their use, negotiate a consent decree (which outlines the actions your organization must take or issue penalties if violated), impose civil penalties and fines on organizations that violate consumer protection laws, or, in more severe cases, seek an injunction to halt ongoing misuse of tracking pixels. (See our eBook on the FTC Safeguards Rule here.)
Questions you should ask regarding your use of tracking data
What advantages does pixel data collection offer your organization?
What privacy issues and customer issues could you face with your use of pixel tracking?
How does your pixel data gathering compare to other methods you use?
What do you do with the data gathered? How is it used and monetized?
How long do you retain customer data that you gather?
How are your users notified of the data’s use and safekeeping?
Follow best practices to avoid legal issues with tracking pixel use
As your San Diego IT services and cybersecurity provider we suggest that:
– You give your users their privacy and ask if they want to opt out of tracking. Make clear to visitors the possible benefits to their user experience by using tracking pixels.
– Your pixels should be quality ones: place them only on the pages and for the users you want to target.
– You should also be aware of your site performance for users since pixels can slow down your pages and user experience (Digital Marketer).
Tracking pixels are valuable for acquiring user data and guiding your organization’s marketing. But you should know the correct and incorrect ways to use them. You can find more about the FTC’s rulings and policies on tracking pixels on their website. The FTC educates businesses and consumers about most privacy and consumer protection issues, providing guidelines and educational resources to help your organization understand best practices for using tracking pixels lawfully and ethically.
Your company may also be sending PII data without knowing it. Businesses are over volunteering data, and a few in the know are taking advantage of that data. Meta doesn’t even know what it’s receiving.
Want to use tracking pixels and cookies to push your marketing to the next level? We can help your business succeed with this marketing tool.
Tech Kahunas is your San Diego IT services and cybersecurity provider. When it comes to the security of your data and website, you need our KahunaVision Cybersecurity Assessment: we look at your assets, expose your vulnerabilities, determine the threats and costs of a compromise, and then suggest actions to take to reduce your risk.
Tech Kahunas helps you Defend Your Island.