Tracking Trouble: Navigating the Legal Minefield of Pixels and Privacy in the Age of CIPA

For the better part of a year now, companies have been suffering from an epidemic in the form of a wave of suits, demands, and requests for arbitration claiming that the company has violated their rights by using tracking technology on their websites.

These claims rely on recent interpretations of the California Invasion of Privacy Act (CIPA) and similar laws that have found that use of third-party pixels and cookies added to a company’s website or service, even when the pixel or cookie belongs to the company’s own vendor.  Many such claims specifically list the Meta pixel as the basis, alleging that this pixel in particular intercepts communications between customers and the company, transmits it to Meta, and Meta in turn, uses for its own targeted advertising and data mining, and proceeds to share it with other persons/entities that are not providing related services to the company.

Some courts disagree with this approach, and believe that a pixel of that company’s vendor that is operating on the company’s own platform is not an invasion of privacy, or an interception of a communication, but rather just a tool the company is using.

In any case, until there is a definitive ruling in California (and beyond) on the proper interpretation of CIPA in the context of a company using third-party pixels and cookies, companies will likely continue receiving demand letters from plaintiff firms seeking damages (CIPA provides for statutory damages in the amount of $5,000 per violation.  This means that each person that visits a company’s site (which has the Meta pixel firing), and communicates with the company, can be a plaintiff seeking the statutory damages on a per interception basis, and on a per third party basis. This means that if the plaintiff claims their data is intercepted by the Meta pixel 4 times, and they claim that the Meta pixel captures (and transmits out) that the customer was tracked as having visited 3 third party sites, then the plaintiff can claim $35,000 in statutory damages (=$5,000 * (4 (interceptions) + 3 (third-party sites))).

Companies can address this risk in three (3) ways: 1) stop using Meta pixel (not ideal); 2) take no action, hoping they will not be discovered by a plaintiff (firm) and sent a demand; and 3) taking action to avoid these claims.  The best practice for avoiding these claims (aside from not using Meta pixel), though not a perfect defense, is to employ the European cookie banner approach.  This approach functions on the premise that only third-party cookies and pixels, other than those that are strictly necessary for the website to function, do not fire/work unless and until the customer/visitor clicks a box to enable them. This requires a bit of additional disclosure, but, absent a clear ruling from the California Supreme Court, this is the optimal way to move forward using the Meta pixel.

If you have received a demand letter claiming a violation from CIPA (or another law) because of your use of the Meta pixel or similar tracking technologies, contact Brown Rudnick today.