Insurers can expect pixel liability to “rear its ugly head” in Canada after recent litigation in the U.S., a lawyer at the NetDiligence Cyber Risk Summit said.
Especially as one Canadian home improvement company has been deemed by the Office of the Privacy Commissioner of Canada to have disclosed a user’s personal information to Facebook without their knowledge and consent.
What are pixels and why are they a problem?
Pixels are code embedded in a website that collect data and share information about the site’s visitors.
As you browse the internet, information about your visits to different sites will be collected by the pixel and shared with a third party.
“It was designed primarily to study consumer behaviour, but also to help companies improve their target marketing,” said Brett Stephenson, partner at Dolden Wallace Folick LLP. But this form of data collection is raising questions about privacy and consent.
In the last twelve months, the U.S has been seeing an explosion of class action litigation involving pixel liability — and organizations that use pixels are in the regulators’ lines of sight.
“In almost all [class action] cases, it was the same allegations that were made: that it was a pixel tracking tool on online platforms that was sending the personal information of online users without that person’s knowledge and consent,” said Stephenson.
Most recently, Facebook and its parent company Meta have caught legal flak for tracking user’s internet movements without their knowledge.
“It’s important to note that this class action litigation spans all sectors,” said Stephenson. And this form of data collection creates liability exposure for the sites using them.
For example, a pixel installed on many U.S. hospitals’ websites has been collecting patients’ sensitive health information and sending it to Facebook, including prescriptions, and doctor’s appointments and details about their health conditions.
The United States’ National Football League (NFL) has also come under legal fire recently after its website, NFL.com, was found to be using pixels to track subscribers’ viewing activity.
“There was a pixel tracking tool embedded in that website that was sending your viewing history, your viewing preferences, to Facebook,” explained Stephenson. “Not only would Facebook know what you like to watch, when you watched it, but also, the NFL was sending your unique ID to Facebook without your knowledge.”
And while the above examples indicate this class action trend booming south of the border, similar lawsuits could arrive in Canada.
Applicability in Canada
Pixel tracking is on the Canada’s Federal Privacy Commissioner’s radar, Stephenson said.
Earlier this year, a complainant alleged that Home Depot of Canada disclosed his personal information to Facebook and Meta, without his knowledge or consent. The Privacy Commissioner of Canada found this claim to be “well founded and resolved.”
The complainant learned that Meta had a record of most of his in-store purchases made at Home Depot.
“Home Depot forwards the customer’s hashed email address and off-line purchase details to Meta when the customer provides their email address to Home Depot, at check-out, to obtain an e-receipt,” the Office of the Privacy Commissioner of Canada wrote in its decision.
Stephenson explained the findings further: “The concern was not so much the type of information that was being exposed. It wasn’t that the individual had bought hardware or lumber at Home Depot. The concern was, there was no reasonable expectation that Home Depot would share that information with Facebook.”
However, Stephenson says pixel liability class action litigation has not yet arrived in Canada. But lawyers, regulators and other key stakeholders are keeping an eye out for this litigation to arise.
“Canada tends to be about five years behind the U.S. in terms of litigation trends,” said Stephenson. “So, I think you can expect that this is something that’s going to rear its ugly head here, and it’s something that we’re watching very, very carefully with litigation.”