The Privacy Pitfalls and Security Dangers of Internet Trackers

Powerful and popular online behavior tracking tools, such as Meta Pixel, MS Clarity, and HotJar, come with hidden traps every company and organization needs to know. 

Many companies are opting to install various trackers on their web applications for several marketing needs. Whether it is to produce targeted ads, provide general analytics on applications, or improve the customer experience, these trackers monitor the average user's internet usage on numerous applications across every industry. While marketing teams within these companies are generally the authority on these trackers, the implementation for these trackers often requires technical skill sets to properly configure them to capture only required information.  

There are many different trackers, but for the purposes of this document, we'll examine three main categories: 1) those used primarily for ad tracking; 2) those used primarily to provide companies with application analytics; and 3) those used primarily to understand customer experience for application improvement. While there is overlap between these tools, high-level categorization allows us to focus on each tracker's main purpose and functionality. 

Ad Tracking

These trackers provide an understanding of overall application tracking, including things like the number of users that have signed up for something or put something in their cart. While this may sound like ad tracking, it is more often used to understand customer behavioral trends and eventually drive business decisions. Examples of these trackers include Google Analytics and Adobe Analytics. 

User Experience Tracking

There are multiple ways for a company to implement a tracker on its application. Typically, these trackers are small snippets of code that can be directly put onto the application. While these trackers are available on the internet, to fully set it up and correctly attribute tracker metrics back to a specific entity, the company needs to sign up with the tracker's creator. The sign-up process is usually available on the creator's website (e.g., Meta, Google, Adobe, LinkedIn). After signing up, the company receives an ID that will then need to be added to the code so any transmitted tracking requests are correctly attributed to the entity that created the tracker. Many companies implement tag managers (e.g., Google Tag Manager) to keep inventory of their trackers, set up triggers, and edit the associated pages. When implementing trackers via Google Tag Manager, the only code put directly onto the application is the Google code. When a user visits the application, the Google code will load a JavaScript file that contains the code for all the trackers, which the application will then execute. 

In 2018, popular internet browsers Mozilla Firefox and Apple Safari made a point to prohibit the use of third-party cookies by default. As a result, Firefox and Safari restricted trackers from following users across different websites, essentially removing cookies from these trackers. In response, Meta defaulted its cookie implementation to first-party cookies so it could still gather insights about a user's browsing session on one website. 

Most ad-based and analytics-based third-party trackers monitor URL information and various smaller pieces of non-sensitive metadata. This typically includes data such as the page title, browser usage, and browser dimensions. However, some third-party trackers will attempt to track additional information (e.g., button click data). Specifically, by default, the Meta Pixel script enables the tracking of pageviews (i.e., URL information), metadata (i.e., title, browser information), and button clicks. The data contained in a button often varies from site to site, and if a button contains sensitive information, it will be transmitted to Meta. Additionally, many websites put information in their URL, some of which could be sensitive, including but not limited to account numbers, session identifiers, and personal information. If there is any potentially sensitive but non-identifying information in the URL, the user's identity could still be associated using cookies. 

While neither U.S. regulators nor the American public are currently sensitized to the privacy risks associated with use of internet and mobile-based technologies, that is changing. On the state level, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) include IP address, browsing history, search history, and information regarding a consumer's interaction with a website to be protected personal information; information that can be used to create a consumer profile that reflects tastes, characteristics, preferences, attitudes, etc. is also protected. Under the Virginia Consumer Data Protection Act, consumers have the right to opt-out of targeted advertising, profiling, and the same of personal data. The Connecticut Data Privacy Act has similar provisions. 

On the federal level, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, includes IP address as one of the identifiers that must be removed from a data set to make it de-identified; other data elements include email addresses and URLs. Commercial entities that are subject to the jurisdiction of the Federal Trade Commission (FTC), including the Federal Trade Commission Act, the Video Privacy Protection Act, and the Children's Online Privacy and Protection Act, should be aware “persistent identifiers,” such as the IP address, may be PII if such identifiers track users over time and across web services. On August 11, 2022, the FTC announced it is considering rules to limit commercial surveillance and strengthen data security requirements, noting the increased risks to data associated with broad-scale surveillance and seeking comments from the public regarding concerns that should be addressed.

While it is common for companies to install tracking tools based on a request from its marketing or operations department, it is important for the company or organization to consult its Information Security and Legal departments, as well. Understanding what data is collected and how it is used is critical to ensuring compliance and protecting data. Each web page on which a tracking tool may be deployed should have a Privacy Policy and Terms of Use that inform the users of the types of data collected and anticipated uses. Regulated industries also need to consider whether an agreement other than the standard click-wrap agreement offered by some tool developers is needed; for example, if the analytics company is engaged in providing a service for or on behalf of a HIPAA-covered entity, a Business Associate Agreement or a Subcontractor Business Associate Agreement may be necessary. 

To ensure trackers are providing valuable information without disclosing sensitive data, consider the following steps: 

• When installing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.

• Fortalice Solutions consulted with Melissa Markey, an attorney with Hall Render, who specializes in data privacy and security, to provide insights into how trackers may affect federal and state compliance laws.