The Meta Pixel, a complicated piece of data-collection technology, threatens to become the driver of the next wave of privacy and healthcare litigation.
What is the Meta Pixel?
The Meta Pixel is a piece of code embedded in the HTML code of a website. When a user visits the website, the Pixel sends Meta information about the user’s actions on the website. The Pixel is customizable, allowing the website to track specific user characteristics by changing certain variables in the code. Some Pixel parameters allow Meta to link a user’s online actions with their offline purchases in physical stores. [Footnote 1: About Conversions API, Meta, https://www.facebook.com/business/help/2041148702652965?id=818859032317965 (last visited Oct. 26, 2022).] Many websites do not bother with customization, relying instead on Meta to set the appropriate parameters for the Pixel.
Think of the Pixel as a door installed in the website, with Meta on one side of the door and the user on the other. Depending on how the Pixel is configured, Meta can use it to gather data and see how the user interacts with the website: whether they enter their email, click on a link, or add something to their cart. Meta and the website can use this data to better target ads. [Footnote 2: Facebook, Social Media Privacy, and the Use and Abuse of Data: Hearing Before the S. Comm. on Com., Sci., and Transp., 115th Cong. 168–69 (2018) (post-hearing testimony of Mark Zuckerberg). https://www.commerce.senate.gov/services/files/9d8e069d-2670-4530-bcdc-d3a63a8831c4, 16]
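An added example (not from the original article or from Meta) of a static check a privacy audit could run over page HTML to find the Pixel and the events it is configured to send. The sample page, the placeholder pixel ID and the auditMetaPixel helper are constructed for illustration.

```javascript
// SAMPLE_HTML is a constructed patient-portal page; the pixel ID is a placeholder.
const SAMPLE_HTML = `
<html><head><script>
!function(f,b,e,v,n,t,s){/* loader body elided in this constructed sample */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<button onclick="fbq('track', 'Schedule', {content_name: 'Cardiology appointment'})">Book</button>
</body></html>`;

// Report where the Pixel appears in a page and which events it is set to send.
function auditMetaPixel(html) {
  const findings = { loader: false, pixelIds: [], events: [], beacons: [] };

  // 1. The script tag or loader that pulls in Meta's fbevents.js library.
  findings.loader = /connect\.facebook\.net\/[^'"\s]*\/fbevents\.js/i.test(html);

  // 2. fbq('init', '<id>') registers the pixel ID the data is reported under.
  for (const m of html.matchAll(/fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g)) {
    if (!findings.pixelIds.includes(m[1])) findings.pixelIds.push(m[1]);
  }

  // 3. fbq('track' | 'trackCustom', '<event>', {params}) calls: each one is a
  //    user action sent to Meta; params may carry page-specific details.
  const trackRe =
    /fbq\(\s*['"](track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[^}]*\}))?/g;
  for (const m of html.matchAll(trackRe)) {
    findings.events.push({ name: m[2], custom: m[1] === 'trackCustom', params: m[3] || null });
  }

  // 4. The <noscript> image beacon, which reports even when scripts are disabled.
  for (const m of html.matchAll(/https?:\/\/www\.facebook\.com\/tr\?([^"'\s>]+)/g)) {
    const query = new URLSearchParams(m[1].replace(/&amp;/g, '&'));
    findings.beacons.push({ id: query.get('id'), ev: query.get('ev') });
  }
  return findings;
}

console.log(JSON.stringify(auditMetaPixel(SAMPLE_HTML), null, 2));
```

A static scan like this misses a Pixel injected at runtime by a tag manager, so an audit should also confirm in the browser's network panel whether requests to facebook.com/tr are made on sensitive pages.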
An Onslaught of Litigation
The Meta Pixel has opened a door to data sharing, and a gust of litigation is blowing in. Bloomberg has noted the proliferation of suits challenging this technology. [Footnote 3: Skye Witley, Meta Pixel’s Video Tracking Spurs Wave of Data Privacy Suits (1), Bloomberg Law (Oct. 13, 2022), https://news.bloomberglaw.com/privacy-and-data-security/meta-pixels-video-tracking-spurs-wave-of-consumer-privacy-suits.] A California district court has consolidated several cases “brought by individuals who allege that their sensitive health information and other personal identifying information was improperly intercepted by the Meta Pixel while they communicated with their healthcare providers.” [Footnote 4: Doe v. Meta Platforms, Inc., No. 22-cv-04689, at 1–2 (N.D. Cal. Oct. 12, 2022) (order consolidating cases).] Senator Mark Warner recently sent a letter to Meta, expressing his concern over the Pixel’s collection of health data and seeking answers about how Meta uses that data. [Footnote 5: Sen. Mark Warner, Meta Pixel Health Data Letter to Mark Zuckerberg, U.S. Senate (Oct. 20, 2022), https://www.warner.senate.gov/public/_cache/files/2/7/272a94f9-6888-4646-98a0-0eec3fb4c995/637483F1C7E695E6F33FB7B98F7AFAB8.10.20.22-meta-pixel-health-data-letter.pdf.]
In the first set of suits challenging websites’ use of the Pixel, plaintiffs have alleged violations of the Video Privacy Protection Act, 18 U.S.C. § 2710. The VPPA prohibits “video tape service providers” from “knowingly disclos[ing]” consumers’ personally identifiable information (“PII”), including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” [Footnote 6: 18 U.S.C. § 2710(a)(3).] After journalists published Judge Robert Bork’s Blockbuster Video rental history, Congress enacted the law to give consumers the power to “maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.” [Footnote 7: S. Rep. No. 100-599, at 8 (1988).]
Even though neither Meta nor the Pixel existed when Congress passed the VPPA, modern suits argue that the defendant-websites are “video tape service providers” under the law. In several putative class actions filed in 2022, plaintiffs have alleged that defendants, including video-hosting websites like HBO and BuzzFeed or even companies that happen to have videos on their website, installed the Pixel on their sites. [Footnote 8: Complaint at 1–2, McDaniel et al. v. Home Box Office Inc., No. 1:22-cv-01942 (S.D.N.Y. Mar. 8, 2022); Complaint at 1–2, Wright v. Buzzfeed, No. 1:22-cv-04927 (N.D. Ill. Sept. 12, 2022).] The Pixel allegedly captures users’ PII, including identifiers like email addresses, unique browser characteristics, and the user’s personal Facebook account. [Footnote 9: Complaint at 18, Carter v. Discovery Commc’ns, LLC, No. 1:22-cv-02031 (S.D.N.Y. Mar. 11, 2022).] It allegedly also collects data on the user’s viewing practices: the name of the video the user watched and the times when the user started and stopped viewing the video. [Footnote 10: Id. at 17–18, 23.] The Pixel sends this information to Meta, thereby allegedly violating the VPPA’s prohibition on disclosure. [Footnote 11: Id. at 22–23.]
A new wave of putative class actions alleges that the Pixel collected and disclosed users’ private health information (“PHI”) to Meta. Many healthcare providers have allegedly added the Pixel to their patient portals. According to plaintiffs, the Pixel collected data on sensitive health information, including the user’s appointment schedule, health conditions, treatments and prescriptions, and the names of their medical providers. [Footnote 12: Complaint at 17, John Doe v. Meta Platforms, Inc., No. 5:22-cv-03580 (N.D. Cal. June 17, 2022); Complaint at 12, Jane Doe v. Meta Platforms, Inc., et al., No. 3:22-cv-04293 (N.D. Cal. July 25, 2022).] Plaintiffs state that HIPAA and other laws give them a reasonable expectation of privacy in this data. [Footnote 13: Complaint at 16, Smigda v. Meta Platforms, Inc., et al., No. 2:22-cv-10231 (W.D. Pa. Aug. 25, 2022).] The plaintiffs claim that Meta, among other things, breached the contract created by its privacy policies and invaded their privacy by intercepting their PHI without their consent. [Footnote 14: Id. at 29 ¶138.]
Healthcare providers also face suits over their use of the Pixel. The putative class actions cite an investigative report that found that 33 of the top 100 hospitals in the United States have the Meta Pixel installed on their websites. [Footnote 15: Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, THE MARKUP (June 16, 2022), https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-fromhospital-websites.]
Potential Defenses
Defendants have many defenses to shut the door to this litigation. Defendants should carefully consider the causes of action, as many of them, like the VPPA, likely do not cover the conduct here. Plaintiffs will also likely encounter difficulty proving any case that requires a showing of intentionality or willfulness. Unlike Meta, which employs thousands of advertising account managers well-versed in the Pixel’s parameters, companies are often unfamiliar with the Pixel’s obscure processes. Providers that followed Meta’s instructions for installing the Pixel code were likely unaware that it would transmit such detailed data. Defendants may also be able to defeat class certification by explaining that many users take individualized steps to protect their data or consented to sharing their data. Some users configure their browsers differently, including by blocking data-tracking code. [Footnote 16: See, e.g., Ghostery Ad & Tracker Blocker For Any Device, GHOSTERY https://www.ghostery.com/ghostery-ad-blocker (last visited Oct. 26, 2022) (“Behind every website visit or search you make, trackers are recording and transmitting every step you take. Ghostery neutralizes these trackers ensuring your peace of mind.”).] Other users decline to accept a website’s use of cookies. By contrast, some users opt in to data collection by agreeing to a defendant’s terms of service. The broadly drawn classes, seeking certification for a class of “[a]ll natural persons in the United States whose User Data was collected through the Meta Pixel,” should not be able to survive in the face of user diversity. [Footnote 17: Complaint at 29, Jane Doe, No. 3:22-cv-04293.]
We Are Positioned Well To Help
We are regularly called upon by clients to assist in litigation and investigations involving this Meta Pixel technology.
We can also storm-proof your security practices before any cause for litigation arises by conducting privacy audits and can advise specifically on how this technology can be used in ways that mitigate risk. We regularly conduct HIPAA-compliant risk assessments, develop privacy and security compliance programs, and provide counsel on HIPAA and state-based privacy and security laws. We have counseled hundreds of healthcare clients in constructing effective and mature information security management programs that ensure our clients’ preparedness for the most current cyber threats.
Legal 500 recognized King & Spalding in “cyber law” in 2020 and 2021. Our firm has routinely been ranked in Global Data Review GDR 100. Our team members have also been named to the Cybersecurity Docket Top 40 Incident Response Attorneys in 2021-2022. We are perfectly situated to help clients close the door on this growing storm of litigation and inquiry.