Behind the Pixel: Understanding the Risks and Impact of Pixel Tracking

Online advertising has permeated every aspect of our digital experiences. From search engine results to social media feeds, advertisements seem to follow us everywhere we go online.

Pixel tracking, often referred to as web beacon tracking, spy pixels, or tracking pixels, is one of the methods that is frequently employed by marketers and online advertisers for advertising purposes. Although the practice may appear innocent, pixel tracking substantially impacts users' digital security and privacy.

In this article, we will explore how pixel tracking works, the data it collects, and its risks and impacts, including the potential dangers it poses for individuals and businesses alike. The article will further delve into the US Federal Trade Commission (FTC)’s recent enforcement actions, and the FTC’s new guidance on pixel tracking.

Individuals and companies can make more educated choices regarding online privacy and take the necessary precautions to secure their digital infrastructure by being aware of the risks and effects of pixel tracking.

FTC’s Recent Enforcement Actions & New Guidance on Pixel Tracking

FTC announced recent enforcement actions against two digital healthcare platforms for allegedly sharing user health information with external parties for marketing purposes. In both instances, third-party tracking pixels, which allow platforms to gather, examine, and draw conclusions about user behavior, were used.

On February 1, 2023, the FTC announced its first enforcement action under its Health Breach Notification Rule against a telehealth and prescription drug discount provider platform for failing to notify consumers and other persons of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. According to a groundbreaking proposed order filed by the US Department of Justice on behalf of the FTC, the company has agreed to pay a $1.5 million civil penalty and will not be permitted to share user health information with applicable third parties for advertising purposes.

A month later, on March 2, 2023, the FTC announced another proposed action banning an online counseling service from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising purposes. According to the proposed order, the corporation must also pay $7.8 million to consumers to settle claims that it shared consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising despite agreeing to keep such information private.

The FTC Office on Technology has issued new guidance following these measures. The new guidelines underline the risks associated with pixel technology tracking individuals’ online behavior and collecting personal data. The FTC has determined that ‘companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and [their] privacy promises to consumers.’

What is Pixel Tracking?

Pixel tracking is a method used in the digital marketing and advertising realm to monitor user behavior on websites and target ads to users based on the data collected on them.

Advertisers frequently employ pixel tracking to monitor the success of their marketing campaigns and further optimize them. For instance, a pixel can be added to a website's checkout page to monitor the number of customers who finalize their purchases after clicking on an advertisement. Then, using this data, future marketing initiatives can be improved, and users can be targeted more precisely based on their digital behavior.

Learn about advertising cookies and how they are used.

How Does Pixel Tracking Work?

A pixel is a tiny, inconspicuous image or graphic that is embedded in an email or web page. Tracking pixels are not visible and are able to track and collect personal data on how a user behaves on a digital interface, including information regarding page visits, clicks, and conversions.

Here are the basic steps of how pixel tracking works:

1. A small, transparent image, usually a 1x1 pixel, is added to a web page or email. Usually, the advertiser or marketer owns the server where the image is stored.

2. A user's browser or email client loads the image from the server when they access the web page or open the email.

3. As the image is loaded, the server logs information about the user's visit, such as the time and date of the visit, the user's IP address, the type of device they are using, and the referring web page or email.

4. Using cookies or other tracking technology, the server can tie the user's visit to other information, such as their previous browsing history or demographic information.

The advertiser or marketer can then use this data to analyze user behavior and target future advertising campaigns.

Pixel Tracking Concerns

Pixel tracking can pose several concerns for both users and businesses, including:

1. Invasion of Privacy: Pixel tracking may result in the unauthorized collection of personal information such as browsing history, location, and device information without the users' knowledge or consent. As traditional controls, such as blocking third-party cookies, may not be completely efficient in blocking pixel tracking, online consumers would be more vulnerable to the unauthorized collection of their personal information, identity theft and other online threats.

2. Data Breaches: Companies may be more susceptible to data breaches and cyber-attacks if they store copious amounts of user data obtained through pixel tracking. Even though some pixel tracking methods seemingly remove personal information or attempt to encrypt it through ‘hashing,’ the FTC has deemed such methods to be inadequate because hashes may be reversed or used to connect information across different databases. Moreover, as data collected through pixel tracking may be used to identify social media profiles, any unauthorized access to the data could lead to the theft or exposure of private user information, harming both individuals and companies.

3. Misuse of User Data: Companies that gather user information via pixel tracking may disclose such data to unaffiliated marketers without the users’ consent or knowledge, or use it for targeted advertising, which may result in invasive and deceptive advertising techniques.

4. Decreased Website Performance: A website's page load speeds may be slowed down by using numerous pixels, thus degrading user experience and lowering website traffic and revenue.

5. Legal and Ethical Concerns: The use and sharing of user data collected through pixel tracking may raise legal and ethical concerns, particularly with regard to privacy laws and regulations such as the EU’s GDPR, CCPA, CPRA, LGPD, etc. For example, the Irish data protection authority recently held that the use of Facebook login and Meta Pixel violates the GDPR due to the transfer of EU personal data to the US, where the data is at risk of intelligence surveillance.

How Can Companies Limit Pixel Tracking?

Companies can limit pixel tracking in several ways to safeguard the privacy of their website users and email subscribers. In this respect, some of the best techniques are:

1. Publish a Privacy Policy: Through a comprehensive, accessible and easy-to-read privacy policy, companies can describe in detail how they gather and track data. Users may benefit from having a better understanding of the data being gathered and its intended uses.

2. Provide Opt-Out Options: Companies can provide users with the option to opt-out of tracking. This can be done through the provision of a clear and prominent opt-out facility on the website or in the email.

3. Employ Consent Pop-Ups and Obtain User Consent: Companies can employ cookie consent pop-ups informing users that their website uses cookies and similar tracking technologies and obtain their consent. The pop-up can feature equivalent options of accepting or rejecting tracking technologies and provide users with sufficient details regarding the types of technologies used and their purposes.

4. Use Alternative Advertising Methods: Companies must consider alternative marketing strategies that do not involve third-party cookies or similar tracking technologies and shift towards privacy-friendly marketing solutions such as contextual advertising.

5. Limit Third-Party Tracking: Companies can limit the use of third-party tracking scripts on their websites. This can help reduce the amount of data collected and shared with third-party advertisers. Consented first-party data can be leveraged by marketers.

How Can Securiti Help?

Securiti, by harnessing the power of automation, enables organizations to leverage its DataControls Cloud and overcome hyperscale data environment challenges, by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, which allow organizations to meet security, privacy, governance, and compliance obligations around data.

Securiti’s multiple automation modules, such as privacy policy and notice management, consent management, and third-party consent, enable you to comply with evolving data privacy laws and avoid non-compliance penalties. Securiti’s Cookie Consent Management scans not just cookies but also similar tracking technologies, including local storage mechanisms, tracking pixels, and web beacons. It categorizes the trackers automatically, thus enabling you to comply with evolving data protection laws.