Capturing Online Data Can be Useful, but Costly. Know Your Risks and Protect Yourself

Everett Schneeberger and Jennifer Torrez November 1, 2024

These days, the accumulation and sharing of personal data online is a common topic. Just about any company that uses a website or social media is looking to capture data to gain a better understanding of their clients’ needs.

However, that can have legal and insurance implications.

In recent years, a wave of litigation arising from the use of website advertising technology has hit companies hard. A primary target for these lawsuits is pixels, which have the capability to track a user’s interaction with a website, and to collect and transmit personal information to third parties.

The stakes are high. Decades-old wiretapping and anti-surveillance statutes with potentially crippling damage allowances have been dusted off and are being used in new ways. The uncertainty surrounding how courts will apply the law to modern technology has led to massive settlements of eight figures. Moreover, federal regulators are now homing in on the use of pixel technology and issuing hefty fines in enforcement actions.

Because website hosting providers often act as intermediaries, some companies are not even aware that pixels are used on their websites or of their related risks.

What is a pixel?

A pixel refers to an invisible line of code embedded into a website, which has the capability to track a user’s activity on and interaction with the website. For example, a pixel can track the time a user spends on the website, pages the user visits, links they click, and searches they make, among other things.

One of the most prominent (and frequently litigated) pixels is the Meta Pixel, a free and customizable tool developed by Meta, which website developers can insert directly into the source code on their websites. Once the pixel is customized to track specific user behavior, the data it collects is transmitted to Meta, which can link the user’s IP address with its platforms. Alphabet, Inc. (Google) developed a similar tracking technology.

It is easy to see the immense value in pixel technology. With the ability to analyze data gathered by pixels, companies have insight into the way visitors are interacting with specific webpages and can use that data to optimize user experience and target advertising to that specific user.

What is the issue?

Plaintiffs’ attorneys have seized on this technology, filing lawsuits claiming pixels surreptitiously collect and transmit sensitive data without the website user’s consent. Even more, plaintiffs’ attorneys claim that these pixels operate without the user’s knowledge. No industry is safe. Cases have been filed against pixel providers, medical providers, retailers, streaming platforms and educational institutions, to name a few.

These cases primarily rely on decades-old statutory schemes, which plaintiffs’ attorneys recently applied to this burgeoning technology. Attorneys claim that these technologies violate various wiretapping and anti-surveillance laws. Premier statutory vehicles for pixel litigation include the federal Electronic Communications Privacy Act (“ECPA”), the federal Video Privacy Protection Act (“VPPA”), the California Invasion of Privacy Act (“CIPA”), and the California Computer Data Access and Fraud Act (“CDAFA”).

The Electronic Communications Privacy Act

Most people have a vague familiarity with the concept of wiretapping and surveillance laws. The ECPA, passed in 1986, protects the privacy of communications. The statute pre-dates the internet, and the drafters clearly could not have imagined the application of these regulations to the technology we have today.

However, the statute protects from interception “any wire, oral or electronic communications.”

For a plaintiff to win a case using the ECPA, they must prove that the defendant intentionally intercepted communications using a device. Attorneys’ fees and costs, as well as up to $10,000 in damages, can be won.

The Video Privacy Protection Act of 1988

The Video Privacy Protection Act of 1988 was passed following the 1987 confirmation hearings for Supreme Court nominee Robert Bork.

A reporter obtained and disclosed Judge Bork’s rental history from a local video store, which included costume dramas and British films. Fearing much more risqué exposures, Congress swiftly passed the VPPA.

The VPPA is still used today. Plaintiffs allege that pixels employed on websites capture and transmit information about their watch history in violation of the statute. The plaintiff must demonstrate that a video tape service provider knowingly disclosed personally identifiable information (PII) concerning a consumer.

The VPPA allows damages of $2,500 per violation or actual damages if proven.

The California Invasion of Privacy Act

Another statute commonly invoked in pixel litigation is CIPA. Like the ECPA, CIPA protects against the interception of private communications and contains certain prohibitions against wiretapping.

“CIPA is violated when a person reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable.”

Specifically, the wiretapping provision of CIPA notes:

Any person who, by means of any machine, instrument, or contrivance, or in any other manner … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above.

In short, if someone intentionally intercepts electronic messages, they could be in violation of CIPA.

Plaintiffs commonly claim aiding and abetting. The theory is that companies aid or conspire with the third-party pixel provider to intercept private communications.

The California Computer Data Access and Fraud Act

CDAFA protects against hacking. CDAFA creates a private cause of action against any person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”

Those impacted can receive damages for any expenditure reasonably incurred.

Other causes of action

Pixel litigation is not limited to the foregoing statutory causes of action. In fact, plaintiffs’ counsel are drawing from a sizeable playbook of copy-and-paste claims. Pixel lawsuits often assert various claims under state wiretapping laws, as well as common law claims such as negligence, invasion of privacy, unjust enrichment, and breach of fiduciary duty, among others.

What defenses exist?

There are multiple avenues for defending claims in pixel litigation, but none are surefire winners, and many lawsuits are clearing the motion to dismiss hurdle. Moreover, defenses have been applied inconsistently. For example, depending on the jurisdiction, a court may or may not agree with an argument that the information collected by pixels qualifies as contents of a communication within the definitions of the ECPA and CIPA.

If applicable, defendants can also argue that they obtained consent to use pixel technology through disclosures in website privacy policies. But even this may not be enough. In a case filed earlier this year, Meta argued that a lawsuit should be dismissed due to the plaintiff’s agreement to data collection in a privacy policy. The plaintiff argued that the policy was ambiguous, and the court held that dismissal for consent was not appropriate at the motion to dismiss stage due to the need for additional facts.

What about settlement?

Because courts have been allowing the class action lawsuits to survive motions to dismiss, and because there is legitimate uncertainty surrounding how a court will ultimately apply these antiquated laws to contemporary technology, many defendants settle pixel cases — often for staggering amounts. The statutes allow recovery of up to $5,000 per person, and if the class encompasses every visitor to the website, the potential liability could be enormous.

For that reason, many defendants are opting not to take the chance with litigation and are instead settling for significant sums. In 2022, a health care organization settled a pixel case for $18.4 million. Just last year, a large media company settled a similar case for $16 million.

Another pricey risk: Regulatory actions

If the prospect of costly litigation weren’t enough, regulatory action is also a very real threat. The Federal Trade Commission (FTC) is zeroing in on companies using pixels and other tracking technologies on their websites. In 2023, the FTC took regulatory action against two digital health companies for sharing sensitive user data with third parties via pixels. The companies paid $1.4 million and $7.8 million in fines.

The FTC also recently sent letters to five electronic tax-filing services warning against using consumer data for purposes not explicitly requested or for advertising purposes without affirmative express consent.

Increased exposure to cyber risks

If your company tracks users of its website, there’s a chance you could be sharing client information unlawfully. Ranging from small businesses to global enterprises, many organizations do not recognize a less-than-best practice until they are confronted with a lawsuit that alleges wrongful collection of data. Alongside legalities, consider your risk exposure.

Data-heavy industries are prime targets for cyber criminals. For example, health care organizations rely on a vast amount of information to function, including sensitive records composed of patient medical history and financial information. Dozens of lawsuits based on tracking technologies have already been filed, with several involving health care organizations.

In addition to litigation, unauthorized access or disclosure of information in general presents opportunities for bad actors to prioritize ransomware and extortion demands. The reliance on real-time data in health care means that downtime can be life-threatening. If a system is compromised, it can disrupt patient care and critical operations. As a result, health care organizations are more likely to pay ransoms quickly to restore access to IT infrastructure and information systems.

There have been multiple allegations of other companies sending user data to Facebook. Organizations of all types, including small and middle market businesses that may not rely as heavily on data, are often targeted by cyber criminals. In fact, this market segment can frequently be seen as low-hanging fruit for several reasons.

Smaller businesses may not have as many resources available to dedicate to cybersecurity. They are often less equipped to handle any legal or financial fallout or the aftermath of a breach, including reputational damage and customer attrition. Attackers often utilize automated tools to scan for vulnerabilities, and they choose targets based on size and difficulty of compromise. Indiscriminate attacks can hit even an operation that assumes it is not worth a bad actor’s attention.

While pixel and tracking technologies can offer valuable insights for businesses and drive efficiencies, they also introduce complex cyber liability risks. To mitigate these risks, organizations should implement robust data protection measures, including transparent privacy policies with consent mechanisms, regular security audits, assessments and data minimization practices. Adopting a proactive approach can help to demonstrate due diligence to insurers and regulators.

Regardless of organization size or industry, any business that utilizes technology should consider buying a cyber liability insurance policy as part of their comprehensive risk management strategy. Understanding the available insurance coverages and compliance requirements is crucial as organizations look to leverage these technologies while protecting themselves against financial losses and legal liabilities.

The role of cyber insurance

Website tracking is a developing area and there is continued uncertainty over whether a cyber liability policy will affirmatively respond to these lawsuits. As regulatory guidelines continue to develop, cyber insurers will attempt to keep up in the wake of pending lawsuits with unknown resolutions.

One quality of the cyber insurance market is its lack of standardization. We have seen insurers handle emerging risks with different strategies. When it comes to unlawful collection and the use of tracking technology, this theme has continued, and we do not expect that to change.

Ambiguities and potential coverage gaps

Emerging technologies such as pixel and tracking tools present significant implications for cyber liability insurance. As insurers look to manage capacity, we have seen wording specific to these technologies make its way into cyber insurance policy forms.

Traditional unlawful collection exclusions may outright exclude coverage or, in more favorable instances, may provide coverage for defense only. Insurers may impose exclusions or limitations on coverage for incidents specifically involving tracking technologies, especially if they are used in ways that infringe on user privacy rights or violate regulations like the General Data Protection Regulation (GDPR), the Biometric Information Privacy Act (BIPA), or the California Consumer Privacy Act (CCPA).

Underwriting guidelines based on risk assessment or industry class may add wording that would exclude any actual or alleged use of a web beacon or tracking pixel that wrongfully acquires, collects, tracks or shares an individual’s activity, information or data.

Companies relying heavily on these technologies may face challenges in obtaining comprehensive coverage. While cyber insurance remains crucial in managing the associated risks, the traditional cyber policy may not provide full coverage for the emerging liabilities brought with the use of tracking technologies.

While the degree of materiality may vary for a given organization, businesses that rely heavily on online advertising tools may find these exclusions especially problematic. In the event of a claim arising out of a lawsuit or potential regulatory action, we could find companies without coverage in instances where a violation took place.

Organizational awareness

Businesses and risk managers should work closely with their insurance brokers to ensure the negotiation of favorable terms in the evolving digital marketing landscape. They should also take advantage of third-party risk management tools and other industry resources to best position themselves when requesting coverage.

In looking at tracking technology, insureds may be unaware of its presence in the first place. The use of a scanning tool capable of identifying the presence of these technologies on an organization’s website can be eye-opening. There may be dozens of instances in which a website utilizes ad trackers, web beacons and pixels to track user behavior, unbeknownst to other management. Identifying these use cases is a crucial first step to properly managing them.
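
As an added illustration of what such a scanning tool checks (this is not code from the article or from any named product), the sketch below parses a page's HTML and lists third-party script, image and iframe sources plus inline Meta Pixel calls. The tracker host list, the sample page and the domain names ending in .test are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, non-exhaustive host list chosen for this example.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel script host",
    "facebook.com": "Meta",
    "googletagmanager.com": "Google Tag Manager",
    "google-analytics.com": "Google Analytics",
}

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

class TrackerScanner(HTMLParser):
    def __init__(self, site_domain):
        super().__init__()
        self.site_domain, self.findings, self._inline = site_domain, [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._inline = not src  # an inline script body follows
        if tag not in ("script", "img", "iframe") or not src:
            return
        host = (urlparse(src).hostname or "").lower()
        if not host or _under(host, self.site_domain):
            return  # relative URL or first-party resource
        label = next((v for d, v in KNOWN_TRACKERS.items() if _under(host, d)),
                     "unclassified third party")
        self.findings.append((tag, host, label))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        # Pixel base code runs inline and calls fbq(); it has no src attribute.
        if self._inline and "fbq(" in data:
            self.findings.append(("inline-script", "", "Meta Pixel call"))

def scan(html, site_domain):
    scanner = TrackerScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; IDs and hostnames are placeholders.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>fbq('init', '0000000000'); fbq('track', 'PageView');</script></head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&ev=PageView">
<img src="https://cdn.example-clinic.test/logo.png">
<iframe src="https://widgets.example-vendor.test/chat"></iframe></body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "example-clinic.test"):
        print(finding)
```

A static scan like this only sees tags present in the delivered HTML; trackers injected at runtime by a tag manager require loading the page in a browser and recording its network requests.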

Further, the typical cyber insurance application will include questions about how the organization handles data. As this environment heats up, underwriters will put increased emphasis on data practices and will require more granular information to accurately assess a risk. In preparing to answer these questions, organizations should review their privacy policies, confirm the types of data they collect and know the implications of sending user data to third parties.

What can we do?

Website tracking technology will not subside any time soon. For this reason, it is crucial that every company with a website understands the risks associated with these technologies.

Companies should establish robust communication among marketing, IT, and legal departments to ensure awareness of the technology being used so any risk can be appropriately identified and addressed.

Privacy policies should be reviewed proactively, especially with respect to the scope of user consent, so pixel tools can be configured accordingly. Businesses should carefully evaluate how third-party vendors are collecting and/or disclosing user data to ensure compliance with the law.


Oswald can help your organization wade through these difficult waters. For more information, please contact us below:

Property & Casualty - Specialty Risk | Cleveland