Meta Pixel Privacy Concerns
Authored By Ezinne Egbo
Large privacy concerns are looming over Meta Pixel, regarding how it has accessed highly sensitive information. Meta Pixel is a Javascript website tool that can measure advertising effectiveness by capturing how customers interact with business’ website. Specifically, it tracks how people react to Facebook advertisements, as well as interactions between customers/prospective customers and the business’ website. This tool can be enabled by inserting the snippet of code into the business’ website and does not require users to have a Facebook account to track their activity. While the code has benefits for marketing and advertising analytics, it comes with privacy issues concerning sensitive information that is unknowingly shared to and stored on sites with Pixel enabled. Particularly, these concerns have arisen within its use on healthcare and higher education sites.
Within higher education, an investigation by The Markup found online federal student aid applicants were unwittingly sharing personal data with Meta (formerly known as Facebook) on the Free Application for Federal Student Aid (FAFSA) website. The FAFSA website, which is regularly accessed by millions of students and their parents/guardians for completing federal financial aid requests, had Meta Pixel code embedded and enabled to automatically share data with Meta. The Markup found that information such as applicant’s first name, last name, country, phone number, and email address were being sent to Facebook from the site through Pixel as early as January 2022, up until the discovery in April 2022.
Within health care, Meta Pixel has been involved in a data breach affecting at least three million patients. American healthcare systems Advocate Aurora Health (AAH), as well as Novant Health have recently disclosed Meta Pixel-related breaches. In the case of the AAH breach, Pixel was improperly configured. According to The Cyber Wire, Meta Pixel is, “[a] Facebook-powered JavaScript tracker that helps website operators understand how visitors interact with the site in order to make targeted enhancements. Meta Pixel was installed on AAH’s websites, where patients log in and enter sensitive health data, and it was discovered that Facebook then shared the info with its network of advertisers for targeted marketing plans.” Exposed data in the AAH breach included patient IP addresses, appointment details, location relative to AAH locations, insurance information, and MyChart user communications.
These privacy concerns have led to legal complaints, as well as Congressional inquiries. So far, Meta is facing two potential class action lawsuits from some healthcare customers in the Northern District of California United States District Court. These customers have filed legal complaints about Meta’s targeted advertising that utilized their personal health information, such as information about certain medical conditions. They claim that this sharing of their health information for advertising violates Health Insurance Portability and Accountability Act (HIPAA), the federal law concerning personal health information privacy. Additionally, the Pixel privacy concerns have spurred members of the United States Congress to take action, with members such as Senator Mark Warner (VA) writing a letter to Mark Zuckerberg, Meta CEO; as well as Senator Richard Burr and Representative Virginia Foxx writing a letter to Secretary of Education, Miguel Cardona regarding the use of Pixel on FAFSA’s website.
Javier is a principal within the Cybersecurity Services Group at CLA. Prior to joining CLA, Javier spent ten years supporting the Department of Defense as well as a financial services company in the fields of insider threat, incident response, analytics, and systems engineering.
Comments are closed.