DOXA

Tech Risks: How Pixels and Biometrics Lead to Privacy Claims

Technology impacts every aspect of our lives. From social media to biometrics and artificial intelligence, the world is changing at an astounding rate. Generally, technology makes life easier, creating efficiency and enhancing our ability to connect. However, technology also generates new risks, especially when companies deploy it without fully considering the possible consequences, disadvantages, or legal interactions.

The right to privacy is a growing concern where technology and the law intersect. Consumers, employees, and business partners have a right to privacy, and governments are taking steps to protect that right. The advancement of new technology combined with a heightened effort to protect privacy has created new risks for many companies. If a business deploys advanced technology without fully understanding the risks and privacy issues involved, the potential for liability and litigation grows.

The Power and Risk of the Pixel

Anyone who has spent time online searching for a product or service can attest to seeing an immediate uptick in ads for specific products or companies on search engines and social media. This ripple effect is driven by something called a pixel. A pixel is a piece of code that can be added to any website; it identifies specific users when they visit the site and communicates that data back to a third party that manages advertisement displays.

79% of websites use some kind of code to collect user data.

One of the most widely used pixels comes from Meta, the parent company of Facebook and Instagram. The Meta pixel collects data on website visitors and stores it in the company’s Meta Business Manager dashboard. Businesses can use this data to build specific audiences for their advertisements. The pixel is a powerful marketing tool allowing businesses to market directly to customers who have already researched their specific product or comparable products and services offered by competitors. However, problems arise when pixels aren’t used ethically or compliantly. Businesses are required to disclose the use of pixels and advise that a visitor’s data is being collected. In addition, pixels shouldn’t be used to gather sensitive, personal data.

Commonly Collected Data:

  • User’s general location
  • Number of web page visits & duration
  • Browser & device information
  • Browsing activity (e.g., user’s interests)

Meta Pixel Lawsuits

Unfortunately, Meta and several hospitals and healthcare networks face multiple class-action lawsuits based on how those companies used Meta pixels on their websites. The lawsuits allege hospitals installed pixels on their websites and applications that collected confidential patient health information protected under the Health Insurance Portability and Accountability Act (HIPAA). For example, Cedars-Sinai Health System and its patients allege the hospital utilized pixels to collect sensitive data such as names, sex, location, and medical history details before passing that information to Meta for advertising purposes. In one instance, a girl with an eating disorder was exposed to ads her parents say furthered her body image issues and self-harm tendencies.

Other healthcare systems have also come under fire, including one that shared the sensitive data of more than 3 million patients. A Birmingham, Alabama law firm has filed multiple lawsuits across eight states on behalf of patients whose confidential data was passed to Meta.

How Businesses Can Minimize Pixel Liability

The pixel and its misuse have created a whole new type of lawsuit for litigation attorneys. Since February 2022, nearly 50 class-action lawsuits have been filed against Meta, Google, and a wide range of other businesses for abuse of pixel data. The good news is there are steps companies can take to protect customer data and minimize their liability risk. Before utilizing pixels, it’s wise to review the following:

  1. Compliance with Privacy Policies and Correct Pixel Usage: Pixels are meant to collect very general information. They’re intended to gather information around what products or services a person may be interested in, rather than specific information like names, dates of birth, or private medical information. If a business utilizes pixels, it’s vital they be used only for their intended purpose and that the use aligns with the privacy policy shared with consumers. The policy should also inform customers of the use of pixels, what specific data is collected, and how it will be used, while also allowing them to opt out before their data is collected.
  2. Communicate with C-Suite Executives and Legal: Some of these lawsuits have been generated due to a lack of communication about pixel use strategy between the marketing team and company leadership. The C-suite must know how pixels are utilized and develop policies to evaluate and approve their use. These policies should focus on determining what data is collected and tracked, confirming with whom data will be shared, and providing advance notification to consumers with an opt-out procedure. Communication can bring everyone into alignment with the strategy so management, marketing, legal, and compliance can verify pixels are being used appropriately and that customers have the right to say no to collection of their data.
  3. Obtain Adequate Insurance: Cyber policies cover third-party privacy liability as well as regulatory proceedings, including those involving HIPAA. Each insurer’s policy must be evaluated to determine if coverage is included for pixel-related claims. Coverage arising out of pixel use is not affirmatively provided, so careful reading of insuring agreements, definitions, and exclusions is required. If coverage is in doubt, the agent or broker should contact the insurer to affirm its position on coverage. Some insurers’ definitions of a privacy breach or regulatory proceeding exclude such coverage, which must then be specifically endorsed. Other policies are broadly worded, and allegations of wrongful collection or unauthorized disclosure are not excluded. Some cyber insurers specifically exclude any wrongful collection of data by endorsement or by adding a specific pixel or code tracking exclusion to any risk where pixel ad tech is detected, nullifying any coverage.

Most cyber underwriters are well aware of the Meta pixel issue. Some are utilizing scanning technologies within the underwriting process to determine if pixels are in use. However, not all underwriters do so. Agents and brokers would be well advised to consult with their insureds to determine if pixels are in use and if coverage is needed. Some underwriters will require removal of the pixels from websites prior to binding. Others may require answers to a number of risk management questions surrounding the use of pixels before offering terms or deleting any specific exclusions restricting coverage. Industries of most concern to underwriters regarding the use of pixels include healthcare, media, financial institutions, and online retail.

Biometrics: A Growing Source of Risk

Biometrics are another advancing form of technology that is increasing companies’ legal risks. Biometrics are unique physical characteristics used for quick and easy identification of an individual. Anyone who has ever used a fingerprint or facial scan to unlock a smartphone has used biometrics. Biometrics now include retinal scans, DNA scans, voice pattern identification, typing cadence analysis, and more.

Burlington Northern recently lost a landmark biometrics case in Illinois under the state’s Biometric Information Privacy Act (BIPA). BIPA is one of the strictest privacy laws in the nation, giving consumers the right to directly sue businesses that violate it, and BIPA could become a template for other states seeking to protect privacy. Currently, nine states have biometric laws on the books, and 17 more states have proposed legislation. Under the law, companies must obtain written consent from individuals before using biometrics to identify or gather information. The jury found that Burlington Northern used biometrics to collect fingerprints from 45,000 truck drivers without obtaining written consent. It’s worth noting that the plaintiffs did not have to show that they had suffered damages. They only had to demonstrate that the company had identified the drivers via fingerprint without consent. In another case, Six Flags, a well-known amusement park, recently settled a BIPA lawsuit for $36 million after using fingerprint technology to identify guests at its Gurnee, Illinois park. The park argued it had provided disclaimers to guests advising that biometrics were being used; however, the plaintiffs alleged that a disclaimer differs from obtaining actual written consent.

Over 75% of Americans have used biometrics, and the biometric technology market is expected to hit $55 billion by 2027.

Questions to Ask Before Using Biometrics

There’s no doubt biometrics offer exciting capabilities. Biometric technology will soon be widely used in the financial, healthcare, and law enforcement industries. However, it’s important for a company to complete due diligence before using biometrics to obtain data from employees or customers. Companies must also be aware of the specific biometric technology laws in place in the states where they are domiciled and conduct business. Answering a few key questions can help organizations ensure compliant biometrics use.

  • What happens to the data? A company typically uses biometric data to identify an employee or a customer, but what happens to that data after it is used for identification purposes? Is it stored on a company server? Is it shared with third parties? Any company collecting biometric information should have a definitive policy in place and a plan for how the data will be stored, protected, and ultimately disposed of. Otherwise, they may open themselves up to substantial third-party privacy claim risks.
  • How are customers/employees notified that biometric data is being collected? It’s critical that employees, customers, and others are made aware when their biometric data is being collected and what it is used for, and that they provide their affirmative consent. Companies should not rely upon disclaimers.
  • How is the company protected against privacy claims? Even if a company feels it is protected against biometric privacy claims, the cases of Burlington Northern and Six Flags illustrate this may be an incorrect assumption. A cyber policy may protect against biometric-related claim allegations. As with the pixel issue, underwriters are taking a closer look at this exposure and responding accordingly. Many are adding Biometric Data exclusions on all policies or will consider the exposure only if the insured can provide acceptable answers to their questions. Depending on the policy form itself, coverage may be included or excluded by the coverage wording. A thoughtful review of the insuring agreements, definitions, and exclusions is in order. If the policy has a wrongful collection of data exclusion, it is likely the scope of such an exclusion would also proscribe any coverage for biometric claims.

Bottom Line

Technology is creating amazing new opportunities for businesses to serve their clients while boosting the bottom line. It’s also generating new risks and threats. Fifteen years ago, few could have predicted that something called a pixel would lead to class-action lawsuits. Technology will continue to evolve rapidly, meaning new risks and liabilities will arise over time. Is it too far-fetched to imagine that an Artificial Intelligence (AI) exclusion may be the newest exclusion on a cyber policy? Go ask your favorite AI platform for an answer to this question!

This means the way businesses protect themselves must also evolve. Partnering with a knowledgeable and experienced insurance broker can make all the difference when it comes to obtaining the right cyber coverage to address emerging technology exposures. DOXA is home to brokers with the market insights and experience needed to help you find a policy that covers the unique risks your clients face. Reach out to DOXA today for more information.
