Author: Stephanie Snyder Frenier
What is website tracking?
Website tracking is the use of code — including pixels, cookies, logs and scripts — to capture data about how users interact with a website. This data may include demographic information on the user, behavioral data on the use of the website, information on the type of device used to access the website or referral data on how the user arrived at the website. Nonprofits may use this information for marketing, user experience, personalization or performance monitoring.
Why does website tracking matter?
Website tracking data is subject to privacy and compliance requirements. Website tracking litigation has been on the rise over the last decade and has increased significantly within the past five years.
Beyond state privacy laws, older regulations that didn't anticipate today's technology when enacted — such as 1967's California Invasion of Privacy Act, 1968's Federal Wiretap Act and 1988's Video Privacy Protection Act — carry statutory penalties ranging from $250 to $10,000 per violation.
Should my nonprofit be concerned about website tracking litigation?
Nonprofits aren't immune from this litigation trend, and healthcare providers and organizations have been a more recent target for this type of litigation given the compliance requirements around HIPAA-regulated data.
In 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin that stated that information collected on a website constituted HIPAA-protected information — even if there's no relationship between the website user and the owner of the website, and even if no billing or medical information was collected.
Even though a federal court vacated a portion of this bulletin in 2024 — effectively invalidating the portion of the bulletin that applied HIPAA requirements to tracking technology on public-facing websites — the plaintiffs' bar continues to pursue website tracking litigation using other regulations as a basis for privacy violations.
How can my nonprofit reduce the risk of website tracking litigation?
Nonprofits should take steps to protect themselves from website tracking litigation to maintain trust with donors and beneficiaries. Nonprofits should consider the following strategies:
- Understand the privacy laws that may apply to the data.
- Conduct a privacy audit to review tracking technology, map data flows and evaluate the use of any third-party tools.
- Implement consent management — use cookie banners, provide consent options and provide options for users to opt out of tracking.
- Update privacy policies to include use of website tracking.
- Limit data collection to what's necessary.
- Ensure appropriate security protections for the data.
- Confirm that third-party vendors comply with applicable privacy laws.
- Purchase a cyber insurance policy and confirm affirmative coverage for website tracking litigation.