Careless pixel tracking is bad for your company's health

When it comes to data privacy, little things can have a huge impact. That’s certainly the case when it comes to tracking pixels — tiny images, designed to go unseen, that are inserted into websites to monitor people’s online behavior and that often funnel detailed information back to third-party analytics and ad services providers.

In recent weeks, these normally invisible tracking tools have been thrust into the spotlight, with the Federal Trade Commission slapping healthcare companies including BetterHelp and GoodRX with multimillion-dollar penalties, and accusing the companies of unfair and deceptive practices relating to their use of tracking pixels.

At Ketch, we believe the FTC’s crackdown on healthcare companies’ use of tracking pixels is a gamechanger — and not just for companies that collect health-related data. 

The reality is that the FTC’s new focus on tracking pixels represents an important shift in the regulatory discourse around data privacy. As such, it’s something to which every company should be paying close attention. Read on to find out why. 

Why the FTC cares about pixels

In recent months regulators have been taking aim at healthcare companies that use tracking pixels to collect and share sensitive data relating to consumers’ medications, illnesses, and other health issues.

Among the companies that have run into trouble:

• GoodRX, which was hit with a $1.5 million penalty for using tracking pixels to share users’ sensitive medical information with companies including Facebook, Google, and Criteo. Among other things, the FTC reports, GoodRX’s use of pixels enabled advertisers to identify and target patients with illnesses such as heart disease and elevated blood pressure, even as it falsely told its users that their data was protected under HIPAA. 

• BetterHelp, which was the subject of a $7.8 million settlement over its use of tracking pixels that, among other things, revealed to Facebook whether millions of users had received counseling or therapy. The company also reportedly leaked information enabling advertisers to see whether consumers had sought counseling services targeting LGBTQ people, and falsely denied sharing health information with tech companies.

• Cerebral, which shortly after the FTC fined GoodRX was forced to admit sharing over 3.1 million patients’ data, including their medical appointment dates and responses to a mental health self-assessment, with social-media companies such as Facebook and TikTok. The telehealth company blamed the lapse on improperly configured tracking pixels. 

• Advocate Aurora Health, a major healthcare provider in the Midwest, which built tracking pixels operated by Google and Meta into its online services, only to inadvertently leak around 3 million patients’ sensitive health data to third-party tech companies.

Such cases are only the tip of the iceberg. Recent investigations have found that at least 33 of America’s top hospital systems use tracking pixels on the pages used by patients to request medical appointments, for instance. Such reports even led the Biden administration to publish a notice warning healthcare providers that pixel tracking could constitute a violation of the Health Insurance Portability and Accountability Act (HIPAA) and leave them open to monetary penalties.

The rise of telehealth services, many of which aren’t subject to HIPAA, opens the door to further abuse of tracking pixels. Investigations show that virtually all telehealth companies use tracking pixels, with many sharing patients’ answers to medical questionnaires with companies including TikTok, Twitter, Google, and LinkedIn. Some companies even share the contents of consumers’ shopping carts with tech companies — so if you buy a prescription medication, or subscribe to a treatment plan, the details of your purchase could potentially be bought and sold online by advertisers.

A new focus on fairness 

If the thought of advertisers tracking your medications and medical appointments upsets you, then you aren’t alone. People might not get particularly riled up about brands monitoring which ads they click on, but they certainly do care about companies trying to track whether they suffer from rickets, rheumatism, or rubella. 

Our health issues are as intimate as it gets, and everyone understands, on a deeply personal level, the need to enforce privacy rules when it comes to health data.

That self-evident truth is the reason that the FTC chose to crack down on healthcare organizations’ egregious misuse of tracking pixels. But it’s important not to take the wrong lesson from the regulators’ actions.

The reality is that while health-related data is especially sensitive, the healthcare sector isn’t a special case when it comes to regulatory action. In fact, it’s better seen as a leading indicator that reveals a broader emerging trend. 

Crucially, the FTC’s actions haven’t been solely grounded in specific regulations barring the disclosure of health information. They were anchored, instead, in rules barring companies from engaging in “unfair and deceptive” business practices.

In taking healthcare companies to task over tracking pixels, in other words, the FTC is really warning that failing to disclose data collection and sharing is inherently unfair and deceptive, and thus leaves careless companies open to humiliating regulatory actions and big fines.

‍

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

Samuel Levine, Director, FTC Bureau of Consumer Protection

‍

With the Biden administration increasingly focused on data privacy, pixel tracker misuse and other “unfair and deceptive” practices will remain on regulators’ minds in coming months. That means that while regulators may currently be focused on healthcare, their efforts will have a spillover impact on organizations spanning many other industries.

Increasingly, we’re going to see an accelerating shift toward enforcement based not on specific rules tailored to concrete use-cases, but on fairness as the essential governing principle for privacy regulation. For businesses of all kinds, that’s a big deal.

The power of pixels

How should companies respond to this trend? Before we answer that question, let’s pause out for a second and ask how tracking pixels are actually used.

It’s an important question, because tracking pixels are invisible by design; inevitably, most website visitors have no idea they even exist. Despite that, though, they play an important role in shaping consumers’ experience of the modern Internet. 

How pixel tracking works in 4 steps

Here’s how it works: 

1. A web developer inserts code pointing to the tracking pixel — also called a pixel tag — into the code on a website or email. 
2. When the page loads, the user’s browser follows the designated link in order to retrieve the tiny invisible graphic, and the server where the graphic is hosted registers the request.
3. Based on these requests, organizations can capture remarkably detailed information about consumers’ online activities — not just the device or browser they used, but also the time they accessed the page in question and the location or IP address from which it was accessed. 
4. Combine multiple tracking pixels, and it becomes possible to follow those breadcrumbs to obtain a rich and detailed record of a consumer’s journey through a website, or even from one site to another.    

It’s important to remember that this kind of tracking isn’t necessarily a bad thing — it makes it possible to serve up more useful ads, a more personalized web experience, and more relevant features and services. Precisely because tracking pixels are unobtrusive, they can be a great way for organizations of all types to deliver a more streamlined and user-friendly web experience.

The problems start when organizations fail to disclose that they’re using tracking pixels — or, more precisely, when they fail to disclose how they’re using tracking pixels.

For the most part, after all, consumers couldn’t care less whether companies are using cookies, pixels, or teams of invisible elves to collect their data. The mechanics of the data-collection process simply don’t matter much to them. 

What matters to consumers isn’t how data is collected — it’s why it’s being collected. 

Today’s web users understand that their data has value, and they want a clear and transparent relationships with the brands to which they entrust their data. If companies want to use tracking pixels, they need to anchor their data collection strategy in real transparency and clear consumer consent.

How Ketch can help

To operate in a world in which fairness and transparency are paramount, organizations need to ensure that all the data they use is anchored in meaningful permission and clear consumer consent.

That’s precisely the problem that Ketch was built to solve.

The Ketch Data Permissioning platform does three key things to unlock the value of your data without diminishing the value of your customer relationships:

1. First, we enable you to provide notice, and collect consent and opt-out signals to use data for specific purposes, with real transparency about exactly why data will be used, how it will be shared, and when it will be deleted.
2. Next, we anchor data use to those consent (aka permission) signals, ensuring that data is always and only used in the specific contexts and for the specific purposes that consumers have approved.
3. Finally, we ensure permission signals flow down through your entire data ecosystem, including third-party companies such as Facebook and Google, to ensure that advertisers and other partners never receive data they shouldn’t.

With Ketch’s programmatic privacy solution, we can ensure that expanded or revoked privacy choices, including data deletion requests, are reflected instantly across your entire data ecosystem. Automated systems also proactively communicate with tech partners’ data systems, enforcing your privacy policies and your consumers’ consent signals with no need for human intervention.

What does that mean for your business? It means that you can eliminate the risk of slipping into “unfair and deceptive” business practices when it comes to handling your users’ data, while still using tracking pixels and other technologies to manage operations and add value to your services. 

In summary: Ketch helps you honor the promises you’ve made to your users, and actually do what you’ve told them you were going to do.

That’s important because when it comes to data privacy, healthcare isn’t an edge-case — it’s a sign of things to come. 

The reality is that companies like GoodRX weren’t punished because they used tracking pixels. They were punished because they weren’t transparent and up-front about how they did so, and how they used the data they collected.

At Ketch, we believe transparency and responsible data management are more than just buzzwords. They’re the only way forward for companies that want to earn consumers’ trust, defend themselves against newly empowered regulators, and build the fair and up-front data privacy systems needed to thrive in the modern data economy. Get in touch today to find out more.