For all the time cybersecurity leaders have spent protecting data at rest and creating consent processes for the data that websites collect, a recent spate of lawsuits focus attention on an entirely different part of the tech stack — the data that websites collect, and more specifically, how this data is collected from users’ browsers.
Tracking the web trackers has been a blind spot for many companies. Gaining access just to see the full extent of what’s happening between third parties and users’ browsers is hard enough; monitoring and protecting this vastly expanded attack surface requires new tools and a new outlook altogether.
When does this tracking cross the line and become actionable? Three recent lawsuits are helping security executives and privacy experts to answer that question.
In June 2022, Meta was sued for violating patient privacy with its data tracking pixel. Marketers use the pixel to hone and track the effectiveness of ad campaigns, but when this tracker starts inadvertently collecting data about medical symptoms or medications, the stakes are raised. The suit claims the Meta pixel is sharing protected health information (PHI) with Facebook without patient permission, which is a HIPAA violation. A related lawsuit was then filed on July 25, 2022 against the University of California San Francisco Medical Center and Dignity Health, since they served the Meta pixel that shared the information. While it’s likely that these hospitals didn’t know the extent of what the pixel was doing, that’s really the problem. The extent of what third-party trackers can do on a company’s behalf is out of control.
Then a claim against Oracle, a registered data broker, was made claiming the company is tracking and monitoring more than 4.5 billion people. The issue at hand is the use of “proxies” to track sensitive data that advertisers have agreed not to track. Then a month later, several lawsuits emerged related to session recording tools and their violation of a number of state wiretapping and privacy invasion laws.
Which companies will see lawsuits next?
The common theme in these lawsuits is that third-party trackers have too much access to online users’ data and not enough oversight. Healthcare companies aren’t the only ones who should worry. Financial services, e-commerce and education are all highly-regulated and have consumers that demand privacy, making them likely targets that can learn from these recent actions.
Which other companies are at risk of being sued in similar lawsuits? How best can companies protect themselves from lawsuits and truly protect their users’ personal information online? LOKKER scanned more than 5,000 healthcare and hospital websites and 3,000 financial services websites to determine the extent of these pixels across the internet in these sectors.
Pixel |
Percent of healthcare and hospital websites using |
Percent of financial services websites using |
47% |
56% |
|
20% |
34% |
|
11% |
19% |
|
TikTok |
4% |
3% |
Oracle |
12% |
13% |
How to protect users’ personal information
In the short term to avoid a lawsuit, companies need to know exactly what data is being collected from their web visitors and make sure that it’s listed in their privacy policy. The tricky part is that many of these third-party scripts are built using other third-party software themselves, so the oversharing grows exponentially and it’s increasingly difficult to manage. On average, more than 70% of the code loaded into the browser is coming from a third party, rather than from the sites users visit.
A long-term solution to this data privacy issue is to stop focusing on just complying, and instead focus on protecting. Organizations need better tools to use throughout the software development lifecycle. They need tools that provide complete visibility and control over unauthorized data collection as the default state, without impacting the user experience.
Organizations should have an inventory of all the third-party trackers on the website so that they can easily compare it to what’s disclosed in their company’s privacy policy and proactively block data from being shared with apps that have no business getting a copy of user data.