Online Pixel Tracking Technologies

It is certainly true that “the internet is not free because you pay for it with your data.” However, underlying that saying is the general rule that users “pay” with data that they choose to provide – after being informed about a company’s data collection and use practices. In theory, companies should be disclosing exactly what data they collect from you and how, in their privacy policies or terms of use.

Unfortunately, the law often struggles to keep up with advancements in technology. Nowhere is that truer than in the online surveillance space. Fundamentally, companies should only access and acquire the data that you affirmatively consent to provide to them, and they should not share that data without your explicit consent. That is often not the case.

Companies including hospitals, medical providers, telehealth companies, online pharmacies, mortgage and loan providers, insurance companies and e-tailers are coming under scrutiny for their practice of embedding invisible trackers like cookies and pixels and other spying software on their digital properties (websites, apps, portals, etc…).

These trackers can collect and share extremely private and confidential health, financial and other information with various third parties (like Google, Facebook (Meta), Microsoft, or TikTok) for marketing and analytics purposes, without the person’s knowledge or consent.

What is Pixel Tracking?

A pixel is an invisible snippet of JavaScript which, when added to website code, allows developers to track exactly what the user is doing on the website. According to Facebook’s 2018 response to congressional questioning, there were 2.2 million pixels installed on websites  across the internet. 

These pixels can be configured to automatically send your communications and actions on any website to third parties like Facebook and Google, which combine that information with the data they already have to create incredibly thorough consumer profiles that they can then sell to other companies.

They want to know all the details of our lives – what shoes or health supplements you are buying, what videos you are watching, and whether you or your loved ones are sick. And while some of this data collection can be relatively innocuous, too often it is extremely intrusive.

For instance, when patients visit their health provider’s website to schedule an appointment, chat with their doctor about their symptoms or request medication, they expect these communications to stay confidential. Yet, many hospitals have chosen to install hidden trackers like pixels on their websites, which capture patients’ private communications and disclose them to data brokers like Facebook and Google. Then, working with those third-party marketers, the hospitals (and other healthcare entities) use that data to target these patients with advertisements and to develop other marketing strategies to increase their revenue.

When these hospitals and telehealth sites are not informing their patients that their confidential health information is being shared with third parties, they may be in violation of federal and state laws such as HIPAA and the Electronic Communications Privacy Act. Many of these sites falsely represent in their privacy policies that they do not collect and share their patients’ and users’ private information without consent.

This practice is not limited to the healthcare industry as many companies chose profit over their users’ privacy and installed various hidden trackers to capture and disclose private (and often sensitive) information including your financial and tax information, video viewing habits, or highly sensitive information about your children collected through school portals.

And, distressingly, the technologies that companies use to acquire data continue to advance as the law struggles to keep up; developers are coming up with new ways to access and to collect user data from a device via certain software kits they can incorporate into their apps, collect user data including exact answers to questions from online intake forms, and even capture conversations in chat boxes. Even the most technologically advanced users cannot fully escape online tracking of their activities and behavior.

Information that Online Trackers Collect

Online tracking impacts privacy due to the incredibly broad swaths of information that these trackers, such as pixels (also called web beacons, web bugs, spying pixels or clear GIFs), can be configured to instantaneously collect including:

• Personal Identifiers: Unique personal identifiers used by third party data brokers to track users’ activities across the web, including names, email addresses, phone numbers, user’s IP address, browser and device information. 
• Browsing Habits and Behavior: Websites and webpages visited, exact text of search queries, actions taken on a website including where you click, tap or scroll and move to on a page, and information typed into online forms (like sign-ups and contact forms, appointment or price quote requests). This data often includes sensitive private medical or financial information.
• Demographic Information: Age, gender, race or ethnicity, interests and social media data.
• Location Data: Geolocation tracking.

This collected data can be used to build detailed and comprehensive digital profiles of users, enabling the tracking of users across different devices and creating a unified profile without their consent, and potentially allowing cross-platform surveillance. A user’s data can also lead to targeted attacks (e.g., phishing scams) or location-based profiling, where users are targeted based on their location or behavior. 

Potentials for Misuse and Privacy Violations 

The data collected by pixels and other tracking technologies can easily be exploited or mishandled. The risks include:

• Data Breaches: If data is stored improperly or if the third-party companies involved have weak security, it can be exposed in data breaches, leading to identity theft, financial fraud and other harms.
• Surveillance and Profiling: The aggregation of data from multiple sources (websites, social media and email) can lead to detailed profiles of individuals, leading to intrusive surveillance and even discrimination in the workplace or denial of insurance coverage.
• Unwanted Targeting: Tracking technologies may result in over-targeting users with ads that feel invasive or manipulative. It could also result in exclusionary practices that affect certain demographics more negatively, such as offering better deals to certain ages or genders.
• Cross-Site Tracking: Some pixels track users across multiple websites, creating a comprehensive digital footprint. This can lead to unwanted profiling or even targeted attacks.

Examples of Pixel Tracking in Action

In January 2022, a group of investigative journalists called The Markup announced an investigation into how tech giants like Facebook use their tracking codes such as the Meta Pixel to collect vast amounts of confidential and sensitive information from unsuspecting internet users without their knowledge or consent.

What they uncovered about the use of invisible online trackers has since led to several congressional investigations, FTC fines, and numerous lawsuits against companies in all sectors of the US economy. The “culprits” sharing sensitive data include giant hospital systems, telehealth providers, tax filing companies, mortgage brokers, suicide hotlines, college prep sites and even the federal Department of Education.

For example, The Markup has identified numerous hospital and telehealth websites that use various third-party tracking technologies to collect and share personal and protected health information without informed consent from their patients. Their initial investigation showed that a third of the top 100 hospitals in America were sharing patient data with Facebook by installing the Meta Pixel – not only on their public websites, but in some cases even inside patient portals.

They also uncovered that dozens of telehealth websites may track patient activity through pixels and other tracking plugins. Using Markup’s tool, ProPublica, found that various online pharmacies may share sensitive data about patients filling medications used to end pregnancies. Even medical providers of such highly sensitive services as addiction treatment have been found to disclose their patient information to data brokers.

In addition to the fact that all patients are entitled to security in their private and protected health information, there are very tangible consequences of these undisclosed data practices.

For instance, if private information regarding a person’s substance abuse or addiction treatment was collected and shared with Facebook, such information could be associated with the patient’s Facebook profile to create a very robust data profile for marketing purposes.

Similarly, a patient purchasing “morning after” medication from an online pharmacy should not have to be concerned that, depending on the state where they reside, such information could be subpoenaed and turned over to law enforcement to prosecute abortions or shared with anti-abortion activists to target the patient.

Consumers who visited these websites, portals or applications may have had their information unlawfully shared without their consent in violation of HIPAA and other privacy laws. Every keystroke you enter, every button you click and every piece of information you provide on a website or a mobile app can be tracked and recorded through tracking tools like SDKs (software development kits) and session replay technology. If you are concerned that your privacy rights have been violated, we encourage you to get in touch.

We are at the forefront of litigation regarding the use of tracking technologies by healthcare entities, financial websites, school portal websites, and other companies that are capturing and sharing your sensitive information without your consent.