Pixels are used by many brands to understand digital consumers, but marketers do not always understand what data is being collected and shared, WARC’s Maya Yegorova reports.

Tracking pixels are vital to helping marketers understand digital consumers – but do brands really know if these tools are causing them to break privacy rules in ways that present reputational, and potentially legal, risks?

This issue was raised by Sisi Wei, Editor-in-Chief of tech-focused investigative journalism site The Markup, at AdExchanger’s Industry Preview 2023 conference in New York. And, she noted, pixels – miniscule elements of web code that are downloaded if a user clicks on something, and which can log a wide range of information – are often not understood by the very marketers that use them.

“A lot of companies, when we go to them, tell us, ‘Hey, we didn’t know that was happening on our website. We know that we installed the pixel, but we didn’t know the extent of the information that was being shared,’” Wei explained.

“Frankly, many times, it’s very believable to us, because the settings are very complicated, and you’re probably not the one who installed it yourself.”

Unhealthy marketing habits

A powerful case in point regarding the dangers of uninformed pixel usage relates to healthcare, an industry that collects arguably the most intimate personal data of all.

Last year, The Markup found that 33 of the top 100 hospitals in the US were using the Meta Pixel, a tracking tool from the parent company of Facebook, which was sending information like patients’ appointments, treatment and medical history to the social networking platform.

The Health Insurance Portability and Accountability Act (HIPAA) explicitly forbids places like hospitals to disclose personal information to third parties unless the individual in question gives consent. While Facebook itself isn’t required to be HIPAA compliant, this pixel usage demonstrates how data protection discourse can fall short in harmful ways.

Another investigation by The Markup looked into Hey Jane, an online clinic that provides approved abortion pills and offers medical services to those who are up to ten weeks pregnant. And its website contained five ad trackers (including the Meta Pixel) which notified Google, Meta, payments provider Stripe and several analytics firms when users visited its pages.

The hometowns of some people who left Hey Jane reviews, and the Instagram handle of one person who provided such feedback, were also exposed to The Markup’s Blacklight privacy inspector tool. These reviews were served by Reviews.io, a third-party service.

The risk of such privacy issues is exacerbated by the climate following the US Supreme Court’s decision to overturn Roe v. Wade, and the emerging patchwork of state-level legal restrictions on reproductive rights which followed. Any leak of personal information in this area thus has the potential, in certain circumstances, to leave an individual in legal peril.

Where Hey Jane was concerned, however, positive news came out of the investigation by The Markup, as the company removed the Meta pixel and four other trackers from its site, and removed the user reviews, too.

Hey Jane, however, was not the only provider of health services that is using such trackers. The Markup, in fact, revealed that dozens of telehealth firms were sharing patient data with Facebook and Google because of their pixel use.

One example was Workit Health, a virtual provider of opioid and alcohol treatment, which was sending data from users that took an evaluation on its site and then had a video appointment with healthcare professionals to Facebook. Having learned of this situation, once again, the company rapidly addressed it.

More broadly, The Markup’s investigation helped prompt a Senate inquiry into the issue of telehealth firms sharing this kind of data. Alongside being a legal issue, this undoubtedly is an ethical one, and could irreversibly stain a consumer’s perspective of a brand, even if these privacy failings are accidental and not deliberate.

Money matters too

Previous research from the Advertising Research Federation (ARF) has revealed that consumers approach data privacy conditions with a mix of confusion and, often, apathy, not least due to the complexity of language used in these agreements.

Another important datapoint that emerged from this study was that people are especially cautious about disclosing medical and financial information.

That insight provides some valuable context for The Markup’s report in November 2022 that tax preparation firms like H&R Block, TaxAct and TaxSlayer sent financial information – like individual earnings, refund amounts and dependents’ college scholarship amounts – to Facebook using the Meta pixel.

After being informed of these findings, each company acted to halt these practices. And, this month, three Democrats in Congress also asked the Internal Revenue Service to open an investigation into data-sharing by tax preparation companies. This, once again, demonstrates how easily pixels can infiltrate the daily lives of consumers, and how a brand’s honest mistake of not fully understanding pixel capabilities might lead to a very bruised image.

But there are ways for marketers to hold themselves accountable. One useful resource for brands and consumers is the aforementioned Blacklight online surveillance tool from The Markup, which can show the tracking tools which are used on any website.

Conducting that kind of self-review is a critical first step in understanding what data is being collected, and where any problems may exist.

Tackling the situation in its fullest sense, however, may require a mindset change regarding how data is collected and stored, as well as who views it. Why, for example, does a finance worker in Dublin need to know about the health of someone in California?

“Think about from a regular person’s perspective when going through your process,” Wei advised the AdExchanger conference. “What information [collection and sharing] would they actually consider to be fair? Would a regular person feel betrayed that you gave this piece of information away?

“And, if that is the case, make sure [you know] that even if you’re not intentionally sending it out, are you using any tools that could be secretly doing it anyway?”