Pixel tracking: the invisible cyber exposure
An announcement in March by Cerebral – a US mental health provider startup – that data for more than three million of its users had been shared with third parties was one of the latest privacy breaches related to pixel tracking in what appears to be a growing problem area. It follows similar reports in 2022 that a major healthcare system in Wisconsin and Illinois had shared the personal data of three million of its patients via pixel tracking, and another US healthcare provider had exposed 1.3 million patients through its use of Meta Pixel.
“The problem for many organisations, particularly in sectors such as healthcare and retail,” says Joe Packwood, Cyber Underwriter for Hiscox London Market, “is that marketing teams and website owners are using pixel tracking tools and are often unaware that the data collected is being shared with third parties. It is an issue that highlights the need for businesses to do more to make sure they are aware of the potential issue of sharing confidential – and often sensitive – client information with third parties when it comes to the use of pixel tracking.”
Pixel tracking places small, invisible images – pieces of code – in webpages and emails to collect user information such as where they go on a particular website, how long they spend browsing, and other data including IP addresses, geo location and whether a user comes from a paid link on a search engine. The practice of pixel tracking has been around for a long time and was initially used in email marketing to simply indicate whether an email has been sent. But more recently, pixel tracking tools have been developed to help businesses understand how customers interact with their websites.
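An added example, not part of the original article: a minimal static audit that lists invisible images loaded from another host, together with the query parameter names sent with each request. The hosts, parameter names and sample page are constructed for illustration, and the "1x1 or hidden by style" test is an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class PixelAuditor(HTMLParser):
    """Flags <img> tags that are invisible and load from another host."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        host = (url.hostname or "").lower()
        # Relative URLs and first-party hosts send nothing to a third party.
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            # Query parameter names show which data fields leave with the request.
            self.findings.append({"host": host, "params": sorted(parse_qs(url.query))})


def audit(html, first_party):
    auditor = PixelAuditor(first_party)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; every host and parameter name here is made up.
SAMPLE_HTML = """
<img src="/static/logo.png" width="200" height="80">
<img src="https://cdn.images.example/hero.jpg" width="800" height="400">
<img src="https://px.tracker.example/tr?id=123&amp;ev=PageView&amp;dl=https%3A%2F%2Fclinic.example%2Fbook%3Fservice%3Dtherapy" width="1" height="1">
<noscript><img src="//ads.other.example/p.gif?uid=42" style="display: none"></noscript>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, "clinic.example"):
        print(finding["host"], finding["params"])
```

Trackers that a script inserts at runtime never appear in static HTML, so a check like this belongs alongside a review of the outbound requests a real browser makes on sensitive pages.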
The big problem is that, often unbeknown to many organisations and their customers, data collected through pixel tracking can be shared with a third party without their customers’ consent, which is leading to an increased risk of litigation. “It will be in the pixel tracker user’s agreement that tech giants, or any other pixel tracker provider, is allowed to pull the data, but if the organisation using the pixel tracker has not told their end customers that they’re sharing personal information with Meta and other third parties, then they could face a possible class action,” says Packwood.
Law firm BakerHostetler’s 2023 Data Security Incident Response Report says that over 50 lawsuits have been filed in respect of third-party tracking used by hospital systems since August 2022 and that figure is likely to rise. It’s not just healthcare that’s under the spotlight either. Recent media reports found the UK’s Metropolitan Police force had been using pixel tracking to collect information “about people using its website to report sexual offences, domestic abuse and other crimes”. This information was then shared with Facebook which could, in turn, use it to send targeted advertising on its own site.
Joined up thinking required
Many businesses are simply unaware, says Tim Andrews, Cyber Line Underwriter at Hiscox London Market, that they are effectively giving customer data to a third party without obtaining their customers’ consent. “The issue is businesses readily accept the terms and conditions for the use of a pixel tracking tool without fully understanding the implications. It’s often a lack of joined-up action between a business’s marketing and legal/privacy teams that means the business might be unaware that confidential data can be shared with a third party. It’s why it is vital for marketing to work closely with legal teams to make sure a business is fully aware of its responsibilities from a privacy perspective when it comes to the collection and use of data via pixel tracking. This could or will avoid a potential and serious liability exposure from a privacy breach.”
From a cyber insurance perspective, a business will generally be covered if it’s found to have breached its customers’ privacy via pixel tracking. “If you are sued, cyber coverage could apply in terms of legal costs and any compensation/damages,” says Andrews. “There won’t generally be other costs such as IT forensics that you might normally get in a breach situation.” “Pixel tracking feels like the new kid on the block in the wider problem area of the wrongful collection of data, and is reflective of the increasingly creative ways in which claimants are bringing actions against businesses.”
“It’s why we’re questioning clients – and their brokers – around awareness of pixel tracking and what they’re doing to make sure they’re not unwittingly sharing confidential customer information without their customers’ consent. No business – whether insured or not – will want to deal with the potential cost to their brand and balance sheet of a privacy breach caused by pixel tracking,” concludes Andrews.