3 Key Takeaways: Website Tracking Tech as a Liability Risk
- Third-party involvement in website tracking tools—whether session replay, pixel technologies, chatbots, or any other—creates potential liability exposure for websites using them.
- Concern over tracking technology’s impact on privacy issues in healthcare, in particular, is helping drive a wave of large class action lawsuits.
- Cyber insurance underwriters can proactively ask several questions to mitigate insureds’ potential exposure to liability.
NetDiligence® President Mark Greisiger and Alfred J. Saikali, Chair, Privacy and Data Security Practice at Shook, Hardy & Bacon L.L.P. discussed website tracking technology, why it’s increasingly a focus of litigation, and how underwriters can assess and insureds can manage potential liability.
Read excerpts of their conversation (edited for clarity and length) below, and watch the full interview above, part of our continuing series of educational discussions with cyber risk management experts.
MG: The Meta Pixel has privacy liability implications. It’s a concern to clients and underwriters. It’s leading to a batch of class action lawsuits. What is Meta Pixel?
AS: There are actually three technologies causing problems.
One is session replay—code delivered from a website to a browser. It allows the website owner to understand how individuals interact with the site. Many retailers use it to learn how people click and move on their sites, to optimize marketing.
The issue plaintiffs bring up in lawsuits is [that] session replay requires a third party to receive information about individuals’ interaction with the website. Plaintiffs allege this information transfer violates state wiretap and other laws.
The second kind of technology is pixel technology, primarily the Meta Pixel. A pixel is code embedded in a website to facilitate sharing information about site visitors.
When I became a Facebook user, it set up a Facebook pixel in my browser. Facebook downloaded a “c_user cookie.” It disclosed the fact that, as I travel around the internet, information about my visits to different sites will be shared with it.
So when I travel to site A, and site A has a pixel embedded in it, my c_user cookie tells that site’s pixel it can send information to Facebook about my visit. Site A pays Facebook to make sure I’m shown its ads the next time I go to Facebook. And those advertisements are shown to people like me—the same geographic area, age, gender, whatever. Pixel technology facilitates that website tracking and advertising.
The third technology is chatbots. You can’t go to a website without chatbots popping up in the corner. “Would you like assistance?” “How can I help you?” “Do you have questions?” A lot of these chatbots are provided, again, by third parties.
Third-party involvement connects everything. But there isn’t sufficient disclosure that these technologies are in place.
MG: What’s causing this wave of large class action lawsuits? Are they leveraging state law statutory damages? What’s enticing lawyers to get in?
AS: We’ve seen five to ten of these lawsuits filed per week. Three things are driving this wave.
First, an article in The Markup about privacy issues in healthcare disclosed pixel technology on different providers’ websites. It argued this technology shares protected health information (PHI) with third parties without informing individuals and having a business associate agreement.
Second, important court decisions allowed some wiretap cases to proceed past motions to dismiss. So plaintiffs said, “Now that we can get past motions to dismiss, we can sue a significant number of companies.” They’d already taken snapshots of websites to capture those sites using pixels.
Third, we started seeing early decisions in pixel cases on motions to dismiss that weren’t good for defendants. Courts denied the motions, leading to large settlements. The biggest, I think, was the Mass Brigham $18 million settlement.
MG: How serious a threat is this litigation for most companies? Are some more susceptible to it than others?
AS: It’s a serious threat for healthcare entities, which, under HIPAA, must protect healthcare data privacy. In addition to lawsuits, recent guidance from the HHS Office for Civil Rights at least creates a question about whether pixel technology has notice requirements.
But here’s the thing. Today, we’re talking about pixels, session replay, and chatbots. In six months, or a year or two, we’ll be talking about different kinds of AdTech.
Companies should think, “Is there communication between website visitors and the site itself being shared with third parties, in whatever form? Are we providing sufficient disclosure?”
MG: Large settlements are catching leading Cyber underwriters’ attention. In many ways, they’re more threatening to balance sheets than cyber risks like ransomware. What can Cyber underwriters do to evaluate potential insureds’ exposure? And how can the actual Cyber policyholder mitigate this exposure?
AS: If I were an underwriter, I’d ask applicants, “Do you use any technology that may share information about website visitors with third parties?” Insurance companies can also independently scan applicants’ sites.
If applicants answer, “Yes,” ask how the technology is configured. You can configure some pixel technologies in a more privacy-friendly way, minimizing the amount of identifiable information shared with third parties.
Ask about any agreement between the vendor of those tools and the applicant to find out about indemnification rights. If you, as the website owner, are sued, do you have some potential ability to seek indemnification from the vendor for that lawsuit?
Ask what disclosures are in place. If the applicant uses these website tracking technologies, ask, “What do you tell people? What does your privacy notice say about it?”
Here’s an important tip: You can’t bury this information in the privacy notice at the website’s bottom. Plaintiffs’ lawyers are pleading their way around it, saying, “The pixel started recording session replay the moment I hit the site.” If visitors wait until they get to the bottom to see the privacy notice, it’s too late. You need a pop-up right away, maybe containing a link to the full privacy notice.
Also, if I were a carrier’s head of underwriting, I’d ask, “What are we doing to educate existing insurers or clients about these risks?” If you can mitigate risks, imagine the potential millions of dollars in litigation you’ve saved.
MG: If you’re a risk manager buying the policy, you need to discuss this situation internally with your marketing and IT people, who know about their connection to Facebook, right?
AS: Right. Imagine if companies’ legal departments were asking, “What are you marketers using on the website that tracks visitors, and who’s it being shared with?” and you don’t say anything! That disconnect is part of the problem. Hopefully, risk managers are saying, “We need to create that bridge within the organization.”
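As an added, defender-side example that is not part of the interview and not NetDiligence's or Shook, Hardy & Bacon's tooling: a small Python inventory of the scripts a page loads from hosts other than the site's own, the kind of independent site scan mentioned above, which a risk manager can run to answer "what is on our website, and who is it talking to?" before the marketing and legal conversation. It assumes a constructed sample page for a hypothetical host clinic.example; the only vendor signature it knows is the Meta Pixel loader on connect.facebook.net and its fbq() calls, and every other outside host is reported generically as a third-party script.

```python
"""Inventory third-party scripts on a page (added example, not the page's own code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Real host the Meta Pixel loader (fbevents.js) is served from; the pixel snippet also
# calls fbq('init', ...) inline. No other vendor is named, so others are reported generically.
META_PIXEL_HOST = "connect.facebook.net"

# Constructed sample page; the pixel id below is a placeholder, not a real one.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.clinic.example/analytics.js"></script>
<script>fbq('init', '0000000000000000'); fbq('track', 'PageView');</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://replay.vendor.example/recorder.js"></script>
<script src="https://chat.vendor.example/widget.js"></script>
</head><body><p>Patient portal</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_third_party_trackers(html, site_host):
    """Return sorted (kind, origin) findings for scripts not served by site_host or its subdomains."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = set()
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative URLs such as /js/app.js
        if host is None or host == site_host or host.endswith("." + site_host):
            continue  # first-party script
        kind = "meta-pixel" if host == META_PIXEL_HOST else "third-party-script"
        findings.add((kind, host))
    if any("fbq(" in body for body in parser.inline):
        findings.add(("meta-pixel", "inline fbq() call"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, origin in find_third_party_trackers(SAMPLE_HTML, "clinic.example"):
        print(f"{kind:20} {origin}")
```

The output is the list an underwriter's questions in the answer above ask for; each third-party host found is a vendor whose contract, configuration, and disclosure need checking.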
If you want a turnkey way for your organization to document its data security posture and cyber risk readiness, get more information about QuietAudit® from NetDiligence.