Pixel Litigation Risk at Financial Institutions

Ropes & Gray LLP

An increasingly aggressive plaintiffs’ bar has brought purported class action suits based on the nearly ubiquitous use of tracking technologies used for website analytics. Although any actual harm to the plaintiffs is difficult to articulate, the health care industry has been plagued by a series of these cases. Now the plaintiffs may be moving to financial services with the potential for statutory penalties of hundreds of dollars per user when a duty of confidentiality can be credibly implicated.

The tracking tags, pixels and similar website analytics technologies are nothing new. Rather, the technologies at issue in such complaints are widely used on websites and mobile applications across industries, including by government entities, to collect information about user behaviors and interactions with the online platform where they are embedded. That information is then sent to a third party for analytics used to enhance user experience on the platform. Many of these technologies are integral to an organization’s ability to ensure its websites and applications are functioning properly, among other things providing crash reports when users encounter issues. Additionally, many consumer-facing businesses contract with third parties to provide session replay scripts, software that monitors and records web-user activity such as keystrokes, clicks, and scrolling. Despite the pervasiveness of these technologies, plaintiffs have seized on ambiguities in the California state wiretap act, known as the California Invasion of Privacy Act, as well as federal wiretap law as the basis for exceptionally large damage demands.

The First Wave: The Health Care Industry

The deluge began in 2019 when a class action lawsuit was filed against a renowned Boston hospital alleging the hospital system’s websites contained third-party tracking technologies that caused the plaintiffs’ web browsers to disclose information about the plaintiffs’ use of the websites, and that the information was transferred and sold to third parties without the plaintiffs’ consent. In January 2022, the hospital settled the case for $18.4 million.

Since then, courts across the country have been flooded with similar pixel-related class action complaints alleging that the use of third-party tracking technology violates common law privacy rights, wiretap laws, and state consumer protection statutes; regulatory bodies have also launched inquiries and aggressively pursued enforcement actions. For example, in June 2021, Flo Health, a women’s fertility tracking application, signed a consent agreement related to Federal Trade Commission (“FTC”) allegations that the company misled consumers by assuring the privacy of their data while sharing information with third-party trackers. As part of the settlement, Flo Health agreed to obtain users’ affirmative consent before sharing their personal health information with third parties and to obtain an independent review of its privacy practices. While there was no monetary penalty as part of the settlement, the consent agreement carries the force of law with respect to future actions. Each future violation of such an order could result in a civil penalty of up to $43,792 for Flo Health.

Then, in June 2022, The Markup ignited an explosion in litigation and enforcement actions after it published an article regarding its investigation into the use of pixels by hospitals and health systems, which found that 33 of the top 100 hospitals in the United States used tracking technologies on their websites. In the wake of that article, several hospitals announced data breaches, many of which had subsequent class actions filed against them. The FTC also launched a wave of enforcement actions against GoodRx, BetterHelp, and Premom, similar to the 2021 enforcement against Flo Health.

Pixel Litigation Spreads to the Financial Industry

But this is no longer just a health care story. In fact, The Markup followed its explosive June 2022 exposé with a similar report on the use of the Meta Pixel by tax filing preparation services, prompting an investigation by Congress, which released a report in July 2023 claiming that these tax filing service companies, including H&R Block, had “recklessly” shared millions of taxpayers’ financial data. The report predictably spurred calls for further investigation as the lawmakers involved provided the report to various federal enforcement agencies, including the Department of Justice, the FTC, the Treasury Inspector General for Tax Administration, and the Internal Revenue Service, and asked them in a letter to investigate and prosecute any company or individual who broke the law. Then chair of the FTC, Lina Khan, responded in writing acknowledging the request and issuing a warning to tax preparation companies that they may face civil penalties for sharing confidential data from taxpayers through pixels and other tools. The announcement more broadly stated that “Companies that violate Americans’ privacy by seeking to monetize personal data without consent can face significant financial consequences.”

Since that time, putative class action complaints once focused on hospitals and health systems now commonly name media outlets, retailers, and financial services entities as defendants, often alleging a mix of privacy violations, violations of state wiretapping statutes, and unfair competition or business allegations in an “everything but the kitchen sink” approach to litigation. Complaints naming banks or other financial institutions may also include allegations that the defendant institution breached its duties under the Gramm-Leach-Bliley Act by disclosing consumers’ financial information and other non-public personal information without proper advance notification.

Notably, a federal district court, the Northern District of California, at the end of 2024 granted class certification in a lawsuit against Prudential Financial alleging violation of California’s wiretapping statute, the California Invasion of Privacy Act (“CIPA”), stemming from its use of third-party tracking technologies, including session replay. Plaintiffs alleged that Prudential’s use of ActiveProspect’s TrustedForm script allowed ActiveProspect to record users’ interactions with the form that website users used to obtain life insurance quotes, and argued that this disclosed demographic information and medical history to a third party without their consent. Class certification where CIPA claims are involved can be especially concerning as the statute allows for statutory damages from $5,000 per violation to three times the actual damages, whichever is greater. In welcome relief to businesses everywhere, summary judgment was granted for defendants just last month. This ruling is one of the few decisions to be made on the merits since pixel litigation first cropped up a few years ago. The court found that ActiveProspect’s access to the disclosed information did not occur “in transit,” as required under CIPA; the Federal Wiretap Act (the “FWA”) contains this same requirement, though certain other state wiretap laws may not. Still, the class certification decision and the very fact that the case proceeded for so long should serve as a warning to entities engaging third-party service providers for similar services, especially as the court at the same time rejected Prudential’s more logical argument that ActiveProspect was itself a “party” to the conversations between Prudential and its website users and thus exempt from CIPA liability, a rejection which plaintiffs’ attorneys are sure to recall.

In March, the Northern District of California allowed pixel-related claims under the California Consumer Privacy Act (“CCPA”) to proceed against Capital One, a notable expansion in the underlying actions that could spur CCPA litigation, which had previously been predicated on data breaches or similar security incidents. This expansion, if it foreshadows a true broadening of the CCPA’s private right of action, could be particularly damaging as the CCPA provides for statutory damages of between $100 and $750 per incident.

Pixel litigation targeting financial institutions has so far primarily been brought against major institutions, but mid-size institutions should heed these cases as warnings as well, as the plaintiffs’ bar has focused on a range of targets. Similarly, while financial regulators have not yet pursued tracking technology investigations here with the same fervor as in the health care context, financial entities should stay on guard and take affirmative steps to deflect and prepare for possible litigation or investigations.

How Financial Institutions Can Protect Themselves

Robust consent is a key defense for many companies, with many turning to what are normally termed EU-style consent banners that allow users to accept, reject, or customize tracking. Courts have recently dismissed putative class actions where defendants successfully argued consent as an affirmative defense. For example, just last month, the Northern District of California dismissed claims against a defendant video game company, Ubisoft, alleging that the company had violated the Video Privacy Protection Act, CIPA, the FWA, and state constitutional privacy protections. Ubisoft argued that plaintiffs had consented to the use of cookies at multiple points: (1) when interacting with the website cookie banner, (2) during account creation (by accepting the Terms of Use and Privacy Policy in conjunction with account creation), and (3) when making purchases (again accepting the Privacy Policy). Other institutions have found some success in arguing that arbitration provisions may bar pixel class actions, with courts instead compelling individual arbitration of the claims.

Knowledge of the extent and uses of tracking is obviously key. Compliance officers and attorneys at financial services businesses should review their current website practices and implement updates or changes to address issues such as notice (regarding tracking technologies in use) and consent (whether express or implied) before collecting user data.

Understanding how third-party tracking vendors comply with data protection laws is also essential. Certain rulings have underscored inconsistencies between published privacy disclosures and actual data sharing practices, highlighting that companies should specifically and accurately disclose which categories of information collected via online technologies may be shared with third parties. Companies should also make certain that they clearly allow users to opt-out of the sharing/selling of their personal information, including through compliant cookie banners and cookie policies.

Here are a few key steps for businesses:

  • Identifying and evaluating all pixels, web beacons, cookies, and other tracking technologies in use on your website, including identifying and documenting what data, especially sensitive financial information, each tracking tool discloses and to whom;
  • Understanding whether the data are collected in authenticated or unauthenticated areas of the website;
  • Adequately reflecting any such data sharing practices in privacy policy disclosures and implementing a website cookie banner that accurately represents data sharing with third-party providers, including for what purposes;
  • Deploying a consent management platform and requiring affirmative user consent for any non-essential cookies;
  • Maintaining clear documentation of consent;
  • Including contractual provisions in vendor contracts explicitly limiting data use to uses consistent with applicable privacy laws and routinely auditing vendors to ensure compliance with such provisions; and
  • Considering including a class action waiver and/or arbitration provision in your terms of use.
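One way to turn the inventory, consent-gating and consent-documentation steps above into working logic, as an added example that is not code from this update, from Ropes & Gray, or from any consent-management vendor: the first-party origin, the tag inventory (which tool, what it sends, to whom, and whether it runs in an authenticated area) and the user's consent choices are constructed sample values.

```javascript
// Added example: consent-gated tag loading with an audit record.
// SITE_ORIGIN, TAG_INVENTORY and the consent choices are constructed sample data.

const SITE_ORIGIN = "https://bank.example"; // constructed first-party origin

// Constructed inventory: one entry per tracking tool found on the site,
// documenting what it sends, where it runs, and its purpose category.
const TAG_INVENTORY = [
  { id: "app-bundle",     src: "https://bank.example/static/app.js",
    purpose: "essential",   area: "authenticated",   dataSent: ["session id"] },
  { id: "crash-reports",  src: "https://bank.example/static/crash.js",
    purpose: "essential",   area: "authenticated",   dataSent: ["stack traces"] },
  { id: "ad-pixel",       src: "https://pixel.adnetwork.example/p.js",
    purpose: "advertising", area: "authenticated",   dataSent: ["page URL", "clicks"] },
  { id: "web-analytics",  src: "https://stats.analytics.example/a.js",
    purpose: "analytics",   area: "unauthenticated", dataSent: ["page URL"] },
  { id: "session-replay", src: "https://cdn.replay.example/rec.js",
    purpose: "analytics",   area: "authenticated",   dataSent: ["keystrokes", "clicks", "scrolling"] },
];

// A tag is third-party when its origin differs from the site's own origin.
function isThirdParty(src, siteOrigin = SITE_ORIGIN) {
  return new URL(src).origin !== new URL(siteOrigin).origin;
}

// Build the consent record the banner stores once the user has chosen.
// `now` is injectable so the record is reproducible in tests.
function recordConsent(accepted, { policyVersion, now = () => new Date() } = {}) {
  const purposes = ["analytics", "advertising"];
  return {
    timestamp: now().toISOString(),
    policyVersion,                   // which cookie policy version the user saw
    method: "banner",                // how consent was obtained
    granted: purposes.filter(p => accepted.includes(p)),
    denied: purposes.filter(p => !accepted.includes(p)),
  };
}

// Decide whether a tag may be injected: essential tags load unconditionally,
// every other purpose needs an affirmative grant in the stored record.
// With no record at all (banner not yet answered) only essentials load.
function mayLoad(tag, consent) {
  if (tag.purpose === "essential") return true;
  return Boolean(consent) && consent.granted.includes(tag.purpose);
}

// Evaluate the whole inventory against a consent record and attach review
// flags: a third-party tag in an authenticated area, or one that captures
// keystrokes, is the pattern the session-replay cases turn on.
function evaluateInventory(inventory, consent, siteOrigin = SITE_ORIGIN) {
  return inventory.map(tag => {
    const thirdParty = isThirdParty(tag.src, siteOrigin);
    const capturesInput = tag.dataSent.some(d => /keystroke/i.test(d));
    const flags = [];
    if (thirdParty && tag.area === "authenticated") flags.push("third-party-in-authenticated-area");
    if (thirdParty && capturesInput) flags.push("third-party-input-capture");
    return { id: tag.id, host: new URL(tag.src).host, thirdParty, load: mayLoad(tag, consent), flags };
  });
}

// Usage: the user accepted analytics but declined advertising.
const sampleConsent = recordConsent(["analytics"], { policyVersion: "2025-01" });
for (const row of evaluateInventory(TAG_INVENTORY, sampleConsent)) console.log(row);
```

The flags do not block loading by themselves; they mark entries for the legal and vendor-contract review described in the steps above, since a third-party script that records keystrokes in an authenticated area is the scenario the Prudential litigation was built on even when a purpose-level consent exists.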

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ropes & Gray LLP
