Technology impacts every aspect of our lives. From social media to biometrics or artificial intelligence, the world is changing at an astounding rate. Generally, technology makes life easier. It creates efficiency and enhances the ability to connect with others. However, technology also generates new risks, especially when companies deploy technology without fully considering the possible consequences, disadvantages, or how it may interact with the law.
The right to privacy is one such area where technology and the law intersect, and it’s a growing area of concern for many. Consumers, employees, and business partners have a right to privacy, and the government is taking steps in many places to protect that right. The advancement of new technology combined with a heightened effort to protect privacy has created new risks for many companies. If a business deploys advanced technology without fully understanding the risks and privacy issues involved, the potential for liability and litigation grows.
THE POWER AND RISK OF THE PIXEL
Anyone who has spent time online searching for a product or service can attest that it’s common to subsequently see an immediate uptick in ads for specific products or companies on search engines and social media. How does that happen? Why are ads for the same products and services visible across multiple unrelated websites? This ripple effect is driven by something called a pixel. A pixel is a piece of code that can be added to any website. The pixel identifies specific users when they visit a site. It then communicates that data back to a third party that manages advertisement displays.
One of the most widely used pixels comes from Meta, the parent company of Facebook and Instagram. The Meta pixel collects data on website visitors and stores it in the company’s Meta business manager dashboard. The business can then use the data to build specific audiences for their advertisements.1 The pixel is a powerful marketing tool allowing businesses to market directly to customers who have already researched their specific product or comparable products and services offered by competitors. These are typically consumers in the process of making a buying decision, and targeting these customers can be a highly effective way to drive sales. However, problems arise when pixels aren’t used in an ethical or compliant way. Businesses are required to disclose the use of pixels and advise that a visitor’s data is being collected. In addition, pixels shouldn’t be used to gather sensitive, personal data.
META PIXEL LAWSUITS
Unfortunately, Meta as well as several hospitals and healthcare networks face multiple class-action lawsuits based on how those companies used Meta pixels on their websites. The lawsuits allege hospitals installed pixels on their websites and applications that then collected confidential patient health information which is protected under the Health Insurance Portability and Accountability Act (HIPAA). In one lawsuit, Cedars-Sinai Health System and Cedars-Sinai Medical patients allege the hospital utilized pixels to collect sensitive, confidential data such as names, sex, location, and medical history details before passing that information to Meta for advertising purposes.2 In one instance, a girl with an eating disorder was exposed to ads her parents say furthered her body image issues and self-harm tendencies.5 Cedars-Sinai isn’t alone in facing possible damages for privacy violations. The University of Chicago Medical Center is named in a similar lawsuit for using Meta pixels to collect confidential information.3 Other healthcare systems have also come under fire, including one healthcare network that shared the sensitive data of more than 3 million patients.4 A Birmingham, Alabama law firm has filed multiple lawsuits across eight states on behalf of patients whose confidential data was passed to Meta.
HOW BUSINESSES CAN MINIMIZE PIXEL LIABILITY
The pixel and its misuse have created a whole new type of lawsuit for litigation attorneys. Since February 2022, nearly 50 class-action lawsuits have been filed against Meta, Google, and a wide range of other businesses for abuse of pixel data.6 There are likely to be many more. The good news is there are steps companies can take to protect customer data and minimize their liability risk. Before utilizing pixels, it’s wise to review the following:
- Compliance with privacy policies and correct pixel usage. Pixels are meant to collect very general information. They’re intended to gather information around what products or services a person may be interested in, rather than specific information like names, dates of birth, or private medical information. If a business utilizes pixels, it’s vital they be used only for their intended purpose and that the use aligns with the privacy policy shared with consumers. The policy should also inform customers of the use of pixels, what specific data is collected, and how it will be used, while also allowing them to opt out before their data is collected.
- Communicate with C-suite executives and legal. Some of these lawsuits have been generated due to a lack of communication about pixel use strategy between the marketing team and company leadership. The C-suite must know how pixels are utilized and develop policies to evaluate and approve their use. These policies should focus on determining what data is collected and tracked, confirming who data will be shared with, and providing advance notification to consumers with an opt-out procedure. Communication can bring everyone into alignment with the strategy so management, marketing, legal, and compliance can verify pixels are being used appropriately and that customers have the right to say no to collection of their data.
- Obtain adequate insurance. Because cyber policies cover third-party privacy liability as well as regulatory proceedings, including those involving HIPAA, each insurer’s policy must be evaluated to determine if coverage is included for pixel-related claims. Coverage arising out of pixel use is not affirmatively provided, so careful reading of insuring agreements, definitions, and exclusions is required. If coverage is in doubt, the agent or broker should contact the insurer to affirm their position of coverage. Some insurers’ definitions of a privacy breach or regulatory proceeding exclude such coverage, and coverage must be specifically endorsed. Other policies are broadly worded, and allegations of wrongful collection or unauthorized disclosure are not excluded. Some cyber insurers specifically exclude any wrongful collection of data by endorsement or by adding a specific pixel or code tracking exclusion to any risk where pixel ad tech is detected, nullifying any coverage.
Most cyber underwriters are well aware of the Meta pixel issue. Some are utilizing scanning technologies within the underwriting process to determine if pixels are in use. However, not all underwriters do so. Agents and brokers would be well advised to consult with their insureds to determine if pixels are in use and if coverage is needed. Some underwriters will require removal of the pixels from websites prior to binding. Others may require answers to a number of risk management questions surrounding the use of pixels before offering terms or deleting any specific exclusions restricting coverage. Industries of most concern to underwriters with regards to the use of pixels include healthcare, media, financial institutions, and online retail.
BIOMETRICS: A GROWING SOURCE OF RISK
Biometrics are another advancing form of technology that is increasing companies’ legal risks. Biometrics are unique physical characteristics used for quick and easy identification of an individual.6 Anyone who has ever used a fingerprint or facial scan to unlock a smartphone has used biometrics. Biometrics now include retinal scans, DNA scans, voice pattern identification, typing cadence analysis, and more.
Burlington Northern recently lost a landmark biometrics case in Illinois under the state’s Biometric Information Privacy Act (BIPA). BIPA is one of the strictest privacy laws in the nation, giving consumers the right to directly sue businesses that violate it, and BIPA could become a template for other states seeking to protect privacy. Currently, nine states have biometric laws on the books, and 17 more states have proposed legislation. Under the law, companies must obtain written consent from individuals before using biometrics to identify or gather information.7 The jury found that Burlington Northern used biometrics to collect fingerprints from 45,000 truck drivers without obtaining written consent. It’s worth noting that the plaintiffs did not have to show that they had suffered damages. They only had to demonstrate that the company had identified the drivers via fingerprint without consent.7 In another case, Six Flags, a well-known amusement park, recently settled a BIPA lawsuit for $36 million after using fingerprint technology to identify guests at its Gurnee, Illinois park. The park argued it had provided disclaimers to guests advising that biometrics were being used; however, the plaintiffs alleged that a disclaimer differs from obtaining actual written consent.8
QUESTIONS TO ASK BEFORE USING BIOMETRICS
There’s no doubt biometrics offer exciting capabilities. Biometric technology will soon be widely used in the financial, healthcare, and law enforcement industries.10 However, it’s important for a company to complete due diligence before using biometrics to obtain data from employees or customers. Companies must also be aware of the specific biometric technology laws in place in the states where they are domiciled and conduct business. Answering a few key questions can help organizations ensure compliant biometrics use.
What happens to the data? A company typically uses biometric data to identify an employee or a customer, but what happens to that data after it is used for identification purposes? Is it stored on a company server? Is it shared with third parties? Any company collecting biometric information should have a definitive policy in place and a plan for how the data will be stored, protected, and ultimately disposed of. Otherwise, they may open themselves up to substantial third-party privacy claim risks.
How are customers/employees notified that biometric data is being collected? It’s critical that employees, customers, and others are made aware when their biometric data is being collected and what it is used for, and that they provide their affirmative consent. Companies should not rely upon disclaimers.
How is the company protected against privacy claims? Even if a company feels it is protected against biometric privacy claims, the cases of Burlington Northern and Six Flags illustrate this may be an incorrect assumption. A cyber policy may protect against biometric-related claim allegations. As with the pixel issue, underwriters are taking a closer look at this exposure and responding accordingly. Many are adding Biometric Data exclusions on all policies or will consider the exposure only if the insured can provide acceptable answers to their questions. Depending on the policy form itself, coverage may be included or excluded by the coverage wording. A thoughtful review of the insuring agreements, definitions, and exclusions is in order. If the policy has a wrongful collection of data exclusion, it is likely the scope of such an exclusion would also proscribe any coverage for biometric claims.
BOTTOM LINE
Technology is creating amazing new opportunities for businesses to serve their clients while boosting the bottom line. It’s also generating new risks and threats. Fifteen years ago, few could have predicted that something called a pixel would lead to class-action lawsuits. Technology will continue to evolve rapidly, meaning new risks and liabilities will arise over time. Is it too far-fetched to imagine that an Artificial Intelligence (AI) exclusion may be the newest exclusion on a cyber policy? Go ask your favorite AI platform for an answer to this question!
This means the way businesses protect themselves must also evolve. Partnering with a knowledgeable and experienced insurance broker can make all the difference when it comes to obtaining the right cyber coverage to address emerging technology exposures. CRC Group is home to brokers with the market insights and experience needed to help you find a policy that covers the unique risks your clients face. Reach out to your local CRC Group producer today for more information.
CONTRIBUTORS
- Mike Edmonds is an Assistant Vice President with CRC Group’s Seattle office where he specializes in Cyber & Technology, E&O, Healthcare, and Management Liability as part of the Seattle ExecPro Team.
- Mark Smith is Senior Vice President and a Professional Liability Broker with CRC Group’s Seattle office. He is an active member of the ExecPro Practice Group and a member of the Cyber Specialty Team.
END NOTES
- The Facebook Pixel: What It Is and How to Use It, Facebook, February 5, 2021. https://www.facebook.com/gpa/blog/the-facebook-pixel
- Lawsuit accuses Cedars-Sinai hospital’s website of sharing patient data with Meta, Google, ABC News, February 15, 2023. https://abcnews.go.com/Health/lawsuit-accuses-cedars-sinai-hospitals-website-sharing-patient/story?id=97080170
- University of Chicago Medical Center sued over Facebook tracking tool, Becker’s Health IT, November 2, 2022. https://www.beckershospitalreview.com/healthcare-information-technology/university-of-chicago-medical-center-sued-over-facebook-tracking-tool.html
- Advocate Aurora, WakeMed get served with class action over Meta’s alleged patient data mining, Fierce Healthcare, November 4, 2022. https://www.fiercehealthcare.com/health-tech/report-third-top-hospitals-websites-collecting-patient-data-facebook
- Montgomery’s Beasley Allen law firm launches lawsuit against Facebook, Instagram owner Meta, Montgomery Advertiser, June 14, 2022. https://www.montgomeryadvertiser.com/story/news/2022/06/14/montgomery-alabama-beasley-allen-law-firm-facebook-instagram-owner-meta-lawsuit/7614972001/
- Biometrics, U.S. Department of Homeland Security, December 14, 2021. https://www.dhs.gov/biometrics
- Biometric Privacy Perils Grow After BNSF Loses Landmark Verdict, Bloomberg Law, October 14, 2022. https://news.bloomberglaw.com/privacy-and-data-security/biometric-privacy-perils-grow-after-bnsf-loses-landmark-verdict
- Six Flags Great America agrees to $36M settlement over use of fingerscan entry gates, The State Journal-Register, June 15, 2021. https://www.sjr.com/story/news/courts/2021/06/15/amusement-park-agrees-36-m-settlement-over-alleged-bipa-violations/7700999002/
- Website Tracking: Why and How Do Websites Track You?, CookiePro, November 16, 2020. https://www.cookiepro.com/blog/website-tracking/
- Biometric Trends and Statistics to Keep an Eye on in 2022, Image Ware. https://imageware.io/biometric-trends-and-statistics/
- California Consumer Privacy Act (CCPA), State of California Department of Justice, May 1, 2023. https://oag.ca.gov/privacy/ccpa#:~:text=This%20landmark%20law%20secures%20new,them%20(with%20some%20exceptions)%3B