Pixel tracking technology
Pixel tracking technology involves placing small, invisible images on web pages that allow companies to track users’ online activity, including the websites they visit, the ads they click on, and the products they buy. Although pixel tracking technology has become ubiquitous in online advertising, companies using this technology must obtain proper user consent and be transparent about their data collection practices to avoid legal issues.
Two notable examples of companies facing legal and regulatory action are GoodRx and BetterHelp. In 2023, the Federal Trade Commission took enforcement action against each of these digital health platforms for allegedly sharing consumer health data with third parties for advertising. The FTC orders included restrictions on whether and how these companies could share user data with third-party advertisers and resulted in civil penalties of $1.5 million (GoodRx) and $7.8 million (BetterHelp).
Outside of healthcare, there have been notable class action lawsuits involving pixel tracking technology in the past five years, including cases against Google, Salesforce, Zoom, and Adobe. These cases illustrate the continued concern about the use of pixel tracking technology and the potential legal consequences for companies that fail to obtain proper user consent or disclose the use of the technology.
Session replay technology
Session replay technology involves recording user interactions with a website or mobile application, including keystrokes, mouse clicks, and other activities. Although this technology can provide valuable information about user behavior, companies must obtain proper user consent and limit data collection to avoid legal issues.
Several notable class action cases involving session replay technology have been filed in recent years. In 2022, Papa John’s International was sued for allegedly using session replay technology to record keystrokes and mouse clicks by users of the company’s website without their consent. The lawsuit alleges that Papa John’s violated federal wiretapping law and California’s invasion of privacy law by intercepting and recording users’ activities without their consent.
Several companies, including retailers and airlines such as Spirit Airlines, Alaska Airlines, Cabela’s and Ulta, were also sued in 2022 for allegedly using session replay technology to track and record users’ activity on their websites without their consent.
Mitigation measures to avoid lawsuits
To protect themselves from potential lawsuits related to pixel tracking and session replay technologies, companies can consider:
- Obtaining user consent before using the technology
- Limiting the amount of data collected to only what is necessary
- Providing opt-out options for users
- Conducting regular audits of data collection practices
- Training employees on proper use of the technology
Cyber insurance: Limits are becoming more common
Cyber insurance policies have evolved over the past decade to include coverage for a variety of data privacy breaches, including claims of unintentional unlawful collection of personal data (“wrongful collection coverage”). Coverage may include defense costs, damages, and regulatory fines and penalties arising from a lawsuit alleging wrongful collection of user data. This coverage is often not included in a standard cyber insurance policy form; affirmative coverage must instead be specifically requested.
Coverage limitations vary by policy, but some common examples may exclude coverage for:
- The use of pixel tracking and session replay technology,
- Breaches of certain privacy regulations (e.g., BIPA), or
- Any claim alleging that personal information was unlawfully collected.
Although coverage limitations are becoming more common, they can be avoided by demonstrating effective risk mitigation controls (see the Mitigation Measures section above). It is important for companies to articulate to their cyber insurers a clear understanding of the risk, outline how and where user data may be collected within the organization, and confirm that they are obtaining user consent. Without proper controls and a clear message, companies will not be able to maintain or obtain insurance coverage for wrongful collection claims.
Take steps to reduce legal risks
As the use of pixel tracking technology and session replay technology becomes more common, companies should take steps to protect themselves from potential legal issues related to privacy violations. By implementing policies and processes that prioritize user consent and limit data collection, companies can minimize their legal risks, promote transparency and privacy for their users, and increase their ability to obtain broad insurance coverage for data privacy breaches.