Meta Pixel: the tiny fragment of code causing big concerns

In a class as young and volatile as cyber, emerging risks are par for the course. However, an uptick in litigation relating to Meta Pixel, and other third-party tracking tools, is prompting rising concern among underwriters and insurance clients.

This was the view of Dan Fox (pictured), senior underwriter for cyber at Markel International, as he discussed the challenges of underwriting emerging cyber risks with Intelligent Insurer.

“New and emerging privacy risks are being created by third party tracking tools, such as Microsoft Clarity, Google Analytics, and most famously, Meta Pixel—the latter of which has emerged as a serious threat to portfolio health generally,” says Fox.

There has been a recent uptick of litigation focused on companies’ use of Meta Pixel, which is effectively a tracking tool that enables the collection of online user activity and information. The tracker is a tiny fragment of code, like a cookie, which sits in a user’s browser. But unlike a cookie, it can’t be disabled by the end user. Website owners use this code on their website or web application to identify user trends, measure engagement or improve the overall experience of the website.

Surreptitious data-sharing

Fox says that it has emerged that this piece of code, or pixel, is capable of sharing this information with Meta. This can then be linked with Facebook and Instagram profiles to generate highly targeted advertisements across that end user’s digital space.

“Where it gets bad is when this capability is not made clear, or it was not made sufficiently clear to the end user and, therefore, explicit consent cannot be said to have been adequately obtained.”

Meta Pixel threats highlight the pervasiveness of many of these tracking technologies among cyber insureds, he says. End users have already brought litigation against company practices around Meta Pixel but, according to Fox, it is still early days.

So far litigation has focused on two main avenues.

“The first is the use of Meta Pixel on websites that support online video content. The allegation is that the harvesting of user behaviour around videos—what you watch, how long you watch it for—violates a 1980s US statute called the Video Privacy Protection Act,” he says.

This act was introduced to protect people who bought or rented tapes from video stores. Now, plaintiffs are trying to stretch that to cover the digital space as well.

The second avenue that litigation is going down alleges that the use of Meta Pixel constitutes wiretapping under US federal and state laws. Fox says that these cases have mainly focused on hospitals that have used Metal Pixel in their patient portals where healthcare information is entered and shared.

“The allegation is that this has allowed Meta to potentially eavesdrop on what would be considered private doctor-patient communications. This could potentially violate not just wiretapping laws, but also the federal Health Insurance Portability and Accountability Act, as well as other state healthcare and general privacy laws.

“The scope is wide. It’s quite concerning, and in both of these avenues volumes of notifications have risen quickly,” he says.

While Fox says it is very difficult to predict the severity of the fallout of this risk with a high degree of confidence, he is clear that “clients and underwriters have a right to be concerned, and not just for the present” because tools like Metal Pixel have been used for years, suggesting there is significant retrospective scope for litigation.

This legal action could spread. “Most of the litigation has been focused in the US, but recent rulings by EU data protection authorities have classified Google Analytics and Meta Pixel as non-compliant with its General Data Protection Regulation. That opens up the possibility of legal action against website owners or application owners operating in the EU or processing EU data. And there are other material privacy regimes in Canada, Australia and other countries, so it’s not limited to the US.”

Apply extra scrutiny

Insurers that don’t write US domicile business have less to be worried about right now, Fox says. But they’re not necessarily in the clear.
“Scrutiny should be applied in any territory that has what you would classify as a mature privacy framework.”

Geography aside, there should be a lot of focus on industry and business activity, he adds.

“Extra scrutiny needs to be applied on insureds with a strong digital presence that invites a lot of customer interaction, especially when that interaction is with video content, as well as owners operating web applications or portals that collect highly sensitive information, such as protected health information, from the end user.”

When assessing a company’s management of the exposure, underwriters have to pay close attention to what information is being collected, how it’s being collected, how it’s being shared, and how it’s being used, he says. Beyond this, it’s important for underwriters to know how clearly those collection practices are being disclosed to the end user and how explicit consent for data use is being obtained during that interaction with the customer.

“Any company that uses Meta Pixel but isn’t able to answer those questions clearly and comprehensively, I would personally view with caution,” he says.

“Some insurers have taken steps to exclude losses arising from shared analytics data, or even just wrongful collection of data on a blanket basis. This hasn’t been widely adopted, but it is an emerging coverage trend that I think will gain some traction with the more cases we see.”

To hear more from Dan Fox on systemic black and grey swan events and changing conditions in the cyber insurance market, watch the full video interview  here.