Avoiding Meta Pixel Lawsuits

Businesses continue to face lawsuits for leveraging the Meta Pixel on their websites. The lawsuits allege the use of the Meta Pixel led to the unauthorized disclosure of personally identifiable information (PII) to Meta’s platforms, which include Facebook and Instagram, thus leading to a violation of various wiretapping laws, primarily the California Invasion of Privacy Act (CIPA). Healthcare organizations are especially vulnerable because they handle protected health information (PHI). Along with wiretapping laws, violations of privacy and video content laws often serve as the basis for Meta Pixel lawsuits.

What is Meta Pixel

The Meta Pixel is a small piece of code embedded on the website that allows businesses to track visitor activity on their websites. Businesses can use the information gathered by Meta Pixel to:

• Track actions users take on your site, such as button clicks, making purchases, signing up for a newsletter, or downloading a file.
• Improve the performance of ads by targeting the right audiences.
• Build custom audiences who have interacted with their site or app to retarget them with relevant ads on Facebook, Instagram, or other Meta platforms.
• Analyze how well ads drive traffic and conversions on a website.

Here are some examples of lawsuits stemming from the use of Meta Pixel.

GoodRx

GoodRx, a telehealth organization, agreed to a $25 million class action lawsuit settlement. Plaintiffs in the case argued that health information relating to medical treatments and prescriptions communicated through the GoodRx platform was disclosed to and intercepted by Meta and other companies including Google. The sharing of data was made possible using the Meta Pixel and other tracking technologies. GoodRx was accused of disclosing the data even though their privacy policy stated that “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.”

In 2023, GoodRx was fined $1.5 million by the Federal Trade Commission (FTC) for failing to report unauthorized disclosure of consumer health data to Facebook, Google, and other companies.

Spring Fertility Holdings, LLC

A California plaintiff brought a class action lawsuit against Spring Fertility Holdings, Meta, and LinkedIn on behalf of all patients who used the Spring Fertility website to book a consultation for fertility services. The plaintiff is arguing that given the deeply personal nature of fertility treatments, maintaining patient privacy is paramount. The suit alleges that Spring Fertility aided, employed, agreed, and conspired with social media websites Facebook and LinkedIn to intercept sensitive and confidential personal and medical communications sent by patients seeking to book services with Spring Fertility through its website. The highly sensitive details allegedly intercepted include the specific type of fertility treatment sought and the patient’s sexual orientation, all without patient knowledge or consent.

Excela Health

Two plaintiffs in Pennsylvania filed a class action lawsuit against Excela Health in 2023. The suit claims that Excela, through the deployment of the Meta Pixel on its website, shared PHI and individually identifiable health information (IIHI) with Facebook without patient consent. The information allegedly shared includes:

• The types of medical information patients sought
• The name, gender, and specialty of the physicians patients sought treatment from
• The location where the patients sought treatment
• When a patient clicks to call to schedule an appointment with a particular doctor

Costco

Four plaintiffs filed a suit against retail giant Costco in the corporation’s home state of Washington. The suit alleges that Costco encourages people to use the pharmacy pages on its website to communicate about their prescriptions, research medications for purchase, order new prescriptions, and request refills for existing medications, then shares that information with Meta via Pixel.

Meta Pixel Risk Mitigation Strategies

The most effective way to mitigate the risk of a privacy-related lawsuit surrounding the use of the Meta pixel is to simply not use it. Organizations need to determine if the value the Meta Pixel provides warrants the risk before continuing with its use. Organizations that decide to keep using it need to determine where it is firing and ensure they are collecting a website visitor’s consent for its use before it fires.

Additional strategies may include a cookie banner with the appropriate disclosures without collecting consent and strong arbitration clauses. Businesses must ensure the banner does not give the impression that it is an opt-in banner to website visitors.

Risks Associated with Websites that Stream Video

Many of the Meta Pixel lawsuits accused businesses of violating the Video Privacy Protection Act of 1988 (VPPA). The federal law prohibits videotape service providers from knowingly disclosing consumers’ PII. The VPPA defines personally identifiable information as identifying a person as having requested or obtained specific video materials or services from a video tape service provider. The law also defines a video services provider as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” That definition has been interpreted to include websites streaming online video.

In Ambrose v. Boston Globe Media Partners LLC, the defendant alleged the Globe sent a record of every video a person viewed on their website to Facebook via the Meta Pixel without consent. This class action lawsuit resulted in Boston Globe Media Partners paying a $5 million settlement.

Businesses should only use pixels on websites that include streaming video if they deem the value of the data is enough to justify the risk of being sued for VPPA violations.

To learn more about reducing the risk of fines and lawsuits from cookies like Meta Pixel on your website, listen to our Website Privacy Functions and Controls podcast episode.

CompliancePoint offers Cookie Management Services to help businesses ensure the privacy and consent functionality of their websites comply with all data privacy and consumer protection laws. Reach out to us at connect@compliancepoint.com to learn more.