Author: John Farley

Data collection risk has come into focus in recent months, and for good reason. Organizations that are alleged to have wrongfully tracked, collected or shared an individual's sensitive information have found themselves in the crosshairs of regulators and the target of class action lawsuits. Specifically, the use of pixels has been a source of concern, because of allegations that they were used to share millions of people's protected health data with external parties — including with social media platforms and other technology firms — without consent. In fact, as of this writing, four million people have been notified by three different organizations that their sensitive information may have been shared due to pixel usage.1
What are pixels and why are they risky?
Pixels are pieces of code embedded in a website and often used to gain insight into individuals by analyzing how they're using websites, with the goal of enhancing marketing efforts via targeted digital marketing.
Organizations that use pixels can find themselves in violation of a wide variety of compliance obligations, including those arising under state, federal and international privacy laws. Violations may also extend to other requirements under HIPAA and other mandated compliance regimes. Liability for non-compliance may be imposed even if the sharing of this data with a third party was unintentional.
This exposure was illustrated in June 2022 when The Markup published an article stating that 33 of the top 100 hospitals were using data-scraping pixels on their websites.2 The report said that some of the hospitals had pixels installed inside their password-protected patient portals, which collected and shared sensitive patient information with a major social media platform without patient permission.
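A first step in reviewing the exposure described above is knowing which external parties a page actually loads content from. The following added example (not code from the article or from any of the organizations it names) is a small stdlib-only Python audit that parses a page's HTML and lists 1x1 image beacons and third-party scripts, images and frames; the portal markup and hostnames in it are constructed for the demonstration.

```python
"""Inventory likely tracking pixels and third-party scripts in page HTML.

Added example, not from the original article; standard library only.
Flags <img> tags sized 1x1 and any <img>/<script>/<iframe> whose host is
not the first-party origin, so a privacy review of (for example) a patient
portal page can see exactly which external hosts it sends requests to.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the demo (hypothetical portal markup/hosts).
SAMPLE_HTML = """
<html><head>
<script src="https://portal.example-hospital.test/static/app.js"></script>
<script src="https://tracker.example-adtech.test/pixel.js"></script>
</head><body>
<img src="/img/logo.png" width="200" height="50">
<img src="https://tracker.example-adtech.test/p?ev=view" width="1" height="1">
<iframe src="https://analytics.example-vendor.test/f" style="display:none"></iframe>
</body></html>
"""


class TrackerFinder(HTMLParser):
    """Collects (tag, url, reason) for elements that look like trackers."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []

    def _third_party(self, url):
        host = urlparse(url).hostname
        # Relative URLs have no host and are served by the first party.
        return host is not None and host.lower() != self.first_party_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append((tag, src, "1x1 image beacon"))
        elif tag in ("img", "script", "iframe") and self._third_party(src):
            self.findings.append((tag, src, "third-party " + tag))


def find_trackers(html, first_party_host):
    """Return [(tag, url, reason), ...] for tracking candidates in html."""
    parser = TrackerFinder(first_party_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, url, why in find_trackers(SAMPLE_HTML, "portal.example-hospital.test"):
        print(f"{why:20} {tag:7} {url}")
```

Run it against saved HTML from an authenticated page, since trackers placed inside a logged-in portal are the case the article highlights.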
The current legal landscape
We saw significant pixel-related litigation in 2022 when a Third Circuit Court of Appeals decision held that the use of pixels to share an individual's search history with a third party for targeted marketing purposes violated Pennsylvania's wiretapping statute.3 Since then, more than 50 class action lawsuits making similar allegations against multiple defendants have been filed, and we expect class action litigation to increase in 2023.
We also predict increased regulatory scrutiny by a variety of regulator-driven privacy regimes, which may include increased costs to respond to regulatory investigations, fines and settlements.
Mitigating data tracking liabilities: What to do now
The Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Rules, recently issued guidance on the use of tracking technologies.4 Specifically, the OCR guidance addresses four key areas for regulated entities:
- Tracking on user-authenticated webpages
- Tracking on unauthenticated webpages
- Tracking within mobile apps
- HIPAA compliance obligations for regulated entities when using tracking technologies
Leveraging Cyber insurance
Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by claims for wrongfully collecting and/or sharing information, either directly or indirectly through a vendor. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.
Organizations should also be aware of the rapidly evolving Cyber insurance products that may impact the scope of insurance coverage. The hardening 2023 Cyber insurance market has spurred cyber insurers to use various methods to reduce their cascading losses for regulatory risk, such as the issues unfolding around the use of data collection technology. Sub-limits and coinsurance are often imposed for certain cyber losses. In addition, some carriers have modified cyber policy language to restrict or even exclude coverage for certain incidents that give rise to costs incurred for regulatory investigations, lawsuits, settlements and fines.