The Dark Side of Tracking Technology
I wanted to write a blog post on this as this is a topic I am frequently discussing in my job in cyber insurance. We are seeing increased litigation in what is known as “wrongful collection.”
So what exactly is wrongful collection?
Wrongful collection is when organizations collect, store, use, or share information on users without proper authorization or consent. This often comes about due to the commonplace nature of tracking technology in place on websites. Ever thought about a pair of socks and suddenly they popped up on your Facebook? What about that facial you were just talking to a friend about the other day suddenly showing up on your Instagram? These might seem like the work of a spy in your phone, and it sort of is!
Organizations are constantly looking to gather information on customers for marketing purposes, so they can advertise more effectively to the people who might be interested in their products and make sales. One of the most common examples of this kind of tracking technology is the Meta Pixel. It allows organizations to better target Facebook and Instagram ads to users who have engaged with their site. However, this raises privacy concerns for users if the organization does not properly disclose the tracking and obtain user consent to use the data in this manner. Potentially sensitive data could be shared with outside parties. Let’s look at an example that shows how problematic some of these cases can be:
Wrongful Collection in Action
This legal case, Doe v. Regents of the University of California, was a class action lawsuit alleging that the Regents of the University of California were using the Meta Pixel in patient-facing applications such as their MyChart patient portal (https://www.classaction.org/media/doe-v-regents-of-the-university-of-california.pdf). The individual bringing suit claimed that after using these systems she began receiving targeted ads for medications related to her medical history. This was reportedly without her knowledge or consent. This kind of technology can be problematic when sensitive information like healthcare information is exposed.
What Do Video Tapes Have to Do With This?
One of the most common ways these kinds of cases are being brought to court is through violations of the VPPA (Video Privacy Protection Act of 1988). This law came about because of the unauthorized disclosure and publication of Judge Robert H. Bork’s video rental history during the Senate hearings for Bork’s Supreme Court nomination in 1987 (https://www.ebsco.com/research-starters/law/video-privacy-protection-act-vppa#:~:text=The%20Video%20Privacy%20Protection%20Act%20(VPPA)%20of%201988%20was%20passed,Court%20nomination%20in%20September%201987.). The reason? Journalist Michael Dolan obtained Bork’s video rental history from a video rental shop and decided to write about his findings in the city paper after learning the judge believed there was no guaranteed privacy granted through the Constitution. The law protects renters, purchasers, and subscribers of videos and other media from having their personally identifiable information released without their consent. It is now being applied to cases involving the collection and disclosure of information via ad tracking technology like the Meta Pixel.
Why this Issue Persists
Many times people are just not aware of the kinds of technology in place on their websites. There can be a disconnect between the individuals who help build the website and the individuals involved with compliance or security. The legal landscape around privacy can also be complex and difficult to navigate.
Curious if your organization is using this kind of technology, or if a website you are visiting is? The website Blacklight (https://themarkup.org/blacklight) is an interesting tool for seeing what kinds of ad tracking technologies are in place on a website. Simply enter the URL of the site. Try looking at some sites you regularly visit to see just how pervasive ad tracking technology is. For example, the ESPN website is reported to have 23 ad trackers and 11 third-party cookies. That is a lot of information being collected!
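A first-pass inventory of your own site's pages can also be scripted. The following is an added example, not code from this post or from Blacklight: the shop.example page, its hostnames and the pixel ID are constructed, and the three Meta Pixel markers it looks for are an illustrative, non-exhaustive assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ResourceCollector(HTMLParser):
    """Collect the URLs a page loads statically, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.urls.append(src)
        self._in_script = tag == "script" and not src

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit(html, site_host):
    """Return (third_party_hosts, meta_pixel_found) for one page's HTML."""
    page = ResourceCollector()
    page.feed(html)
    parsed = [urlparse(u) for u in page.urls]
    # Relative URLs have no hostname and count as first-party.
    third_party = {p.hostname for p in parsed if p.hostname
                   and p.hostname != site_host
                   and not p.hostname.endswith("." + site_host)}
    # Illustrative Meta Pixel markers (not exhaustive): the loader script host,
    # the no-script beacon endpoint, and calls to the fbq() function.
    pixel = ("connect.facebook.net" in third_party
             or any(p.hostname == "www.facebook.com" and p.path == "/tr" for p in parsed)
             or any("fbq(" in s for s in page.inline))
    return third_party, pixel

# Constructed sample page for a hypothetical site, shop.example.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/collect.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
</head><body><img src="https://img.shop.example/logo.png"></body></html>"""

if __name__ == "__main__":
    hosts, pixel = audit(SAMPLE_HTML, "shop.example")
    print("third-party hosts:", sorted(hosts))
    print("Meta Pixel markers found:", pixel)
```

This reads static HTML only, so trackers that scripts inject at run time will not appear in the result; treat it as a starting inventory to review with your compliance staff.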
So What Can You Do?
Businesses:
Make sure that your public-facing sites are being designed with privacy in mind. Have open lines of communication between the technology people within your organization and legal / compliance staff.
The legal landscape around this stuff can be difficult to navigate, so talk with an attorney who specializes in privacy law about proper notice and consent requirements.
Transparency = key! The bottom line is your users should know what of their data is being collected and who it is being shared with.
Individuals:
Understand what kind of permissions you are giving websites around your data. The privacy popups that show up when you visit a site are actually telling you something.
Use a third-party tracking blocker to help prevent your information from being collected through these technologies.
Use a browser that helps block tracking technology.