
The Privacy Pitfalls and Security Dangers of Internet Trackers
August 18, 2022
Fortalice Solutions

Powerful and popular online behavior tracking tools, such as Meta Pixel, MS Clarity, and HotJar, come with hidden traps every company and organization needs to know. 

Fortalice Solutions has worked with multiple Energy and Healthcare clients to identify and locate trackers that may be installed on their applications. The Fortalice team has also analyzed the data sent via these trackers to determine if there are potential compliance or privacy implications. 

The Trend

Many companies are opting to install various trackers on their web applications for several marketing needs. Whether it is to produce targeted ads, provide general analytics on applications, or improve the customer experience, these trackers monitor the average user’s internet usage on numerous applications across every industry. While marketing teams within these companies are generally the authority on these trackers, the implementation for these trackers often requires technical skill sets to properly configure them to capture only required information.  

These different types of trackers may, unintentionally or unbeknownst to the teams that implement them, capture sensitive information. Specifically, this information may include personally identifiable information (PII), such as full name, email address, mailing address, phone number, or even health information, including insurance, medical condition, appointment details, or just general patient data. After receiving information from these application trackers (including potentially sensitive information), many of the companies behind these trackers attempt to use automated processes to filter out, remove, or mask the sensitive information received. Still, the details on how these companies perform this process are unclear. There are many unanswered questions about the process’s reliability and whether it is sufficient, as these companies have already ingested the potentially sensitive data. 

Types of Trackers

There are many different trackers, but for the purposes of this document, we’ll examine three main categories: 1) those used primarily for ad tracking; 2) those used primarily to provide companies with application analytics; and 3) those used primarily to understand customer experience for application improvement. While there is overlap between these tools, high-level categorization allows us to focus on each tracker’s main purpose and functionality. 

Ad Tracking

The trackers used primarily for ad tracking purposes are generally implemented to determine the effectiveness of ad campaigns, measuring return on investment (ROI) for the money spent vs. the traffic generated. These trackers are meant to monitor user behavior and eventually provide metrics that can be used to create target audiences and understand conversion rates. Examples of these trackers include Meta Pixel and Google Ads. 

Analytics Tracking

These trackers provide an understanding of overall application tracking, including things like the number of users that have signed up for something or put something in their cart. While this may sound like ad tracking, it is more often used to understand customer behavioral trends and eventually drive business decisions. Examples of these trackers include Google Analytics and Adobe Analytics. 

User Experience Tracking

These trackers obtain metrics for user experience and overall application improvements. This is generally achieved through heat maps that identify high-traffic areas that users visit most frequently, as well as anonymized screen recordings of users within the application. Examples of these trackers include Microsoft Clarity and HotJar. 

How do these trackers work?

There are multiple ways for a company to implement a tracker on its application. Typically, these trackers are small snippets of code that can be placed directly on the application. While these snippets are publicly available on the internet, to fully set one up and correctly attribute tracker metrics back to a specific entity, the company needs to sign up with the tracker’s creator. The sign-up process is usually available on the creator’s website (e.g., Meta, Google, Adobe, LinkedIn). After signing up, the company receives an ID that must then be added to the code so that any transmitted tracking requests are correctly attributed to the entity that created the tracker. Many companies implement tag managers (e.g., Google Tag Manager) to keep an inventory of their trackers, set up triggers, and edit the associated pages. When implementing trackers via Google Tag Manager, the only code placed directly on the application is the Google code. When a user visits the application, the Google code loads a JavaScript file that contains the code for all the trackers, which the application then executes. 

These trackers typically set cookies in the background when users visit websites or web pages where these trackers are implemented. Cookies are small blocks of data created by web servers during application usage that the browser places on a user’s computer. These cookies are primarily used to provide the user with a unique identifier that will track them throughout their usage of the application or their entire browsing session. Generally, there are two different types of cookies: first-party cookies and third-party cookies. First-party cookies are generated by the website the user is browsing and are restricted to that one website. Third-party cookies, on the other hand, are generated by the tracking site (e.g., Adobe, Facebook) and will track users across the internet, not just a single website. 

In 2018, popular internet browsers Mozilla Firefox and Apple Safari made a point to prohibit the use of third-party cookies by default. As a result, Firefox and Safari restricted trackers from following users across different websites, essentially removing cookies from these trackers. In response, Meta defaulted its cookie implementation to first-party cookies so it could still gather insights about a user’s browsing session on one website. 

If customers use a browser that allows third-party cookies, the cookies generated by third-party trackers will trace them across all websites visited that have integrations from those third parties. Moreover, if the user is authenticated to some of the large third-party media platforms (e.g., Facebook, LinkedIn, Twitter) using the same browser, additional tracking cookies from these platforms will allow them to directly correlate that browsing session to a specific user identity. 

Type of Data that May be Transmitted

Most ad-based and analytics-based third-party trackers monitor URL information and various smaller pieces of non-sensitive metadata. This typically includes data such as the page title, browser usage, and browser dimensions. However, some third-party trackers will attempt to track additional information (e.g., button click data). Specifically, by default, the Meta Pixel script enables the tracking of pageviews (i.e., URL information), metadata (i.e., title, browser information), and button clicks. The data contained in a button often varies from site to site, and if a button contains sensitive information, it will be transmitted to Meta. Additionally, many websites put information in their URLs, some of which could be sensitive, including but not limited to account numbers, session identifiers, and personal information. Even if the information in the URL is potentially sensitive but not itself identifying, it can still be associated with the user’s identity through cookies. 

User experience trackers also track similar information (e.g., URL, browser information, button clicks), but may include additional information on user actions. This is because many user experience tracking tools include session recording and heat map functionalities, which help companies understand how users are interacting with their website and whether there are areas of their site that are more or less utilized. When implemented, user experience trackers continuously send data back to the third party with mouse click information, page information, and various pieces of data on the page. All this data is pieced together into a session recording for each user session. Sensitive data on the page may also get captured and transmitted by these trackers. This can include any type of data that is on the page (e.g., PII). Many of these trackers claim that after the data is transmitted, sensitive data is recognized and masked in the screen recordings after the initial ingestion. However, how this filtering and masking is performed is unclear. 

Compliance Impact

While neither U.S. regulators nor the American public is currently sensitized to the privacy risks associated with the use of internet and mobile-based technologies, that is changing. On the state level, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) treat IP address, browsing history, search history, and information regarding a consumer’s interaction with a website as protected personal information; information that can be used to create a consumer profile that reflects tastes, characteristics, preferences, attitudes, etc. is also protected. Under the Virginia Consumer Data Protection Act, consumers have the right to opt out of targeted advertising, profiling, and the sale of personal data. The Connecticut Data Privacy Act has similar provisions. 

On the federal level, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, includes IP address as one of the identifiers that must be removed from a data set to make it de-identified; other such data elements include email addresses and URLs. Commercial entities that are subject to the jurisdiction of the Federal Trade Commission (FTC) under laws including the Federal Trade Commission Act, the Video Privacy Protection Act, and the Children’s Online Privacy Protection Act should be aware that “persistent identifiers,” such as the IP address, may be PII if such identifiers track users over time and across web services. On August 11, 2022, the FTC announced it is considering rules to limit commercial surveillance and strengthen data security requirements, noting the increased risks to data associated with broad-scale surveillance and seeking comments from the public regarding concerns that should be addressed.

It is incumbent upon entities that use tracking tools and cookies to fully understand where the tools are deployed, how the tools work, what data is collected, where the data can be transmitted, and the limits on the use of that data by the designer of the tool and third parties. Default configurations are not always set to the most protective operation of the tool, and without intentional effort, the tool may be sending sensitive data to third parties. Further, attempts by tool designers to screen sensitive information are insufficient. Under HIPAA, a breach of data occurs when there is an acquisition, access, use, or disclosure of protected health information; “disclosure” includes any “…release, transfer, provision of access to, or divulging in any manner…outside the entity holding the information…” Therefore, a breach can occur based on the mere fact that data is transmitted to a third party, even if not viewed or used. 

While it is common for companies to install tracking tools at the request of their marketing or operations departments, it is important for the company or organization to consult its Information Security and Legal departments as well. Understanding what data is collected and how it is used is critical to ensuring compliance and protecting data. Each web page on which a tracking tool may be deployed should have a Privacy Policy and Terms of Use that inform users of the types of data collected and the anticipated uses. Regulated industries also need to consider whether an agreement other than the standard click-wrap agreement offered by some tool developers is needed; for example, if the analytics company is engaged in providing a service for or on behalf of a HIPAA-covered entity, a Business Associate Agreement or a Subcontractor Business Associate Agreement may be necessary. 

Finally, this is a good time to review policies and procedures regarding complaint and “bug bounty” calls. There should be a clear process for directing calls related to possible data breach issues to the right person promptly, and policies regarding working with security researchers and others who identify a vulnerability in the system that might affect confidentiality, security, or availability of data. A timely response with a careful investigation of the possible vulnerability and a commitment to resolve identified risks both furthers compliance with legal obligations and honors the trust that customers and patients have placed in the entity. 

Improving Compliance and Privacy

To ensure trackers are providing valuable information without disclosing sensitive data, consider the following steps: 

  • Discover where trackers are deployed. We have identified some situations in which a tracker, or code related to tracking functions, has been deployed on web pages unexpectedly. 
  • Develop a process for vetting and approving the use of tracking and similar technology, including IT Security and Legal in the discussion.
  • When installing and configuring tracking technology, run tests that emulate common website activities, and ensure only data appropriate for the task is collected and transmitted.
  • Ensure your Privacy Policy clearly explains the use of tracking technology, and where required, provide a means for users to “opt-out” of tracking. 
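As an added illustration of the testing step above and of the data-transmission section earlier (this is example code written for this article, not code from Fortalice or from any tracker vendor), the following Python script scans a constructed HAR-style capture of one page view and flags PII, or sensitive page-URL keys, leaving the site inside third-party tracker requests. The tracker host list, the PII patterns, the sensitive key names and the sample requests are all constructed assumptions; a real audit would feed it a HAR export from the browser's network tools.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hosts of trackers the organisation knows it deployed (constructed list).
TRACKER_HOSTS = {"www.facebook.com", "www.google-analytics.com", "www.clarity.ms", "insights.hotjar.com"}
# Values that should never leave the site inside a tracker request.
PII_PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
                "us_phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")}
# Page-URL query keys whose presence alone marks the URL as sensitive (constructed).
SENSITIVE_KEYS = {"account", "acct", "member_id", "mrn", "patient", "dob", "session", "token"}

def registrable_site(host):
    # Crude eTLD+1 (last two labels); production code should use a public-suffix list.
    return ".".join((host or "").lower().split(".")[-2:])

def is_third_party(page_url, request_url):
    # Same-site test of the kind browsers apply when deciding what is a third-party cookie.
    return registrable_site(urlsplit(page_url).hostname) != registrable_site(urlsplit(request_url).hostname)

def find_pii(text):
    return {name for name, pat in PII_PATTERNS.items() if pat.search(text)}

def audit_request(page_url, entry):
    """Return findings for one captured request {url, post_data}; first-party calls are skipped."""
    url, host = entry["url"], urlsplit(entry["url"]).hostname or ""
    if host not in TRACKER_HOSTS and not is_third_party(page_url, url):
        return []
    findings = []
    # Trackers echo the page URL and click/form data in the query string or POST body;
    # parse_qsl percent-decodes each value, so an echoed URL becomes readable.
    for key, value in parse_qsl(urlsplit(url).query + "&" + entry.get("post_data", ""), keep_blank_values=True):
        for hit in sorted(find_pii(value)):
            findings.append(f"{hit} in param '{key}' sent to {host}")
        if value.startswith("http"):  # echoed page URL: inspect its own query keys
            for nkey, _ in parse_qsl(urlsplit(value).query):
                if nkey.lower() in SENSITIVE_KEYS:
                    findings.append(f"sensitive key '{nkey}' in page URL echoed to {host}")
    return findings
# Constructed capture of one appointment-portal page view: a first-party API call, a pixel
# request echoing the page URL in `dl`, and a UX tracker posting the text of a clicked element.
PAGE = "https://portal.example.org/appointments?patient=4471&dob=1980-01-01"
SAMPLE_ENTRIES = [
    {"url": "https://portal.example.org/api/slots?day=2022-08-18", "post_data": ""},
    {"url": "https://www.facebook.com/tr?id=000000000&ev=PageView&dl=https%3A%2F%2Fportal."
            "example.org%2Fappointments%3Fpatient%3D4471%26dob%3D1980-01-01", "post_data": ""},
    {"url": "https://www.clarity.ms/collect",
     "post_data": "ev=click&text=Call+555-123-4567&email=jane.doe%40example.com"},
]
def audit_capture(page_url=PAGE, entries=SAMPLE_ENTRIES):
    return {e["url"].split("?")[0]: audit_request(page_url, e) for e in entries}
```

In the sample, the first-party API call produces no findings, the pixel request is flagged because the echoed page URL carries `patient` and `dob`, and the UX tracker request is flagged for the phone number and email address in the posted click data.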

Acknowledgements

Fortalice Solutions consulted with Melissa Markey, an attorney with Hall Render, who specializes in data privacy and security, to provide insights into how trackers may affect federal and state compliance laws.