Understanding Risks of Online Tracking Technologies

Summary

Understanding the risks of online tracking technologies involves recognizing how these tools, such as cookies and tracking pixels, collect and share user data, often without explicit awareness. These technologies pose privacy concerns, especially when sensitive information, like health or browsing data, is unknowingly exposed to third parties.

  • Review your tracking tools: Regularly audit your website or app for tracking technologies collecting user data, and ensure they comply with privacy regulations like HIPAA or state laws.
  • Communicate transparently: Clearly inform users about the data collected, how it is used, and their options to opt in or out, fostering trust and compliance with applicable laws.
  • Limit data sharing: Only share user data with trusted third parties and ensure you have proper user consent before doing so to maintain both ethical standards and legal compliance.
Summarized by AI based on LinkedIn member posts
  • Trap & Trace: the latest trend of privacy lawsuits (A short guide for Chief Privacy Officers)

    What is Trap and Trace?

    Trap and trace devices or processes, originally used by law enforcement, capture information about incoming signals to devices like phones or computers. In the digital context, this term now often refers to tracking technologies such as cookies or web beacons that record user activities like IP addresses, browsing behavior, or interaction with content on websites. Under laws like California's Invasion of Privacy Act (CIPA), unauthorized use of these technologies can lead to significant legal repercussions.

    What Chief Privacy Officers Need to Know:

    Statutory Penalties: In California, violations can lead to penalties of $5,000 per violation or treble damages, highlighting the financial risk of non-compliance.

    Broader Implications: With over 400 lawsuits filed, there's a trend towards interpreting privacy laws more broadly, which could affect businesses across the U.S.

    What to Look for on Your Website:

    Tracking Technologies: Identify all cookies, pixels, scripts, or beacons that might be capturing user data. This includes analytics tools and advertising tech.

    User Consent: Ensure there's explicit consent for data collection. This might involve updating privacy policies or adding clear opt-in notices.

    Data Sharing: Review how collected data is shared with third parties to ensure it's done with user consent and within legal boundaries.

    How to Mitigate Risks:

    Compliance Audit: Regularly audit your website's data practices to ensure they adhere to privacy laws. This might involve third-party audits or consulting with legal experts.

    Privacy by Design: Implement data protection from the ground up in your website design, ensuring minimal data collection and transparent practices.

    User Education: Clearly communicate to users what data is collected, how it's used, and how they can control it, enhancing trust and compliance.

    Stay Informed: Keep abreast of legal changes and court rulings. Laws like CIPA evolve, and staying ahead can prevent legal issues.

    Privacy Policy: Ensure your privacy policy is comprehensive, clear, and easily accessible, reflecting your actual data practices.

    Legal Preparedness: Have a response strategy for potential legal actions, including how to handle data breaches or user complaints.

    By focusing on these areas, CPOs can significantly reduce the risk of privacy violations through trap and trace mechanisms and ensure their organization's practices are legally sound and respectful of user privacy.

    Need experts to conduct a cookie audit? Reach out!

    * This post written with the assistance of Grok AI.

  • Jessica B. Lee

    CPO/Chair, Privacy, Security & Data Innovations, Loeb & Loeb LLP | Advisory Board Member | I Provide Product Counsel & Data Governance Solutions for Data-Driven Companies *My views do not represent the view of my firm*

    The FTC and HHS issued a joint statement warning hospital systems and telehealth providers about online tracking technologies' potential privacy and security risks. In addition to the joint statement, the two agencies sent a joint letter to approximately 130 hospital systems and telehealth providers to more specifically alert them about these concerns. The FTC (which uses its authority under the FTC Act and the Health Breach Notification Rule) and HHS (which enforces HIPAA against HIPAA-covered entities) have each individually issued warnings and enforcement actions against companies whose use of online tracking technologies reveals (or creates a risk of revealing) sensitive information such as "health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment." The letter highlights the potential harms identified by the agencies, including "discrimination, stigma, mental anguish and other negative consequences to reputation," along with the more traditional harms of identity theft, financial loss, and impact on physical safety. This latest statement and letter is just another reminder to companies to audit their websites carefully, understand what tracking technologies may be on their websites or used in their mobile apps, what information those technologies are collecting/disclosing (and what that information may reveal) and take steps to address the FTC and HHS concerns ahead of what will inevitably be more enforcement.

  • Odia Kagan

    CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP

    Regulators are coming after your tracking pixels. In the US, we are currently handling numerous pixel lawsuits and working with clients on compliance with both wiretapping, State laws and HIPAA in connection with pixel deployment. Now, Tobias Judin 🏳️‍🌈 and Datatilsynet in Norway, are going after these with investigation uncovering that websites often share sensitive information through the pixels unknowingly.

    6 points that apply in the US as well:

    🔹 Identify which tracking pixels, cookies, and other tracking tools your service uses; especially ones that use the info for their own purpose (this could be a "sale" or completely prohibited in the US if sensitive)

    🔹 Browsing data can be sensitive. Consider the types of people who use your service and what inferences can be drawn about them, directly or indirectly, based on their browsing history.

    🔹 Trackers on websites that target children are especially difficult because they require parental consent for deployment. In the US this has been enforced under COPPA

    🔹 You need to give people a choice about the trackers. In the EU - this is pure consent; in the US this can be an opt out unless the data is sensitive.

    🔹 You must provide accurate and understandable information about what the tracking tools do, and how they affect the individual and their privacy, as publicly as possible. This should be just-in-time but also in your privacy disclosures.

    🔹 You are responsible for the trackers on your website, even if your particular use of them is innocent. You will generally be the one facing enforcement.

    https://lnkd.in/ef83G5XR pic by ChatGPT

  • Chris Deacon

    Speaker. Thought Leader. Truth Teller. Disruptor. *All Content non-AI Generated*

    I had planned to pen an article applauding U.S. Department of Health and Human Services (HHS)'s move to appeal a recent ruling that struck down HHS's data tracking rule... but before I could put the finishing touches on the article, I assume someone had a horse's bloody head laid in their bed. Just days after they filed their notice of appeal, HHS reversed course and withdrew its appeal to the 5th Circuit. What I wouldn't give to have listened in on those calls between the American Hospital Association and administration officials that prompted this about face.

    As a refresher, the case centered on the invasive use of tracking technologies by hospitals, which, without most patients’ knowledge, collect and share highly sensitive health information with marketing giants like Facebook and Google. Hospitals successfully argued that these tracking tools are essential for patient safety and continuity of care, claiming they help enhance patient experiences by providing better analytics and personalized services. (*Pardon me while I spit out my coffee.) But it's worse than my cynicism... these tools are not the benign, HIPAA-compliant tools hospitals would have us believe...they are sophisticated marketing surveillance systems, designed to exploit patient information for financial gain, not to protect it.

    When a patient visits a hospital’s website, they might browse pages about specific health conditions, book appointments, or log into their patient portal. Unbeknownst to them, embedded tracking technologies are quietly collecting data about every click, scroll, and keystroke. This includes URLs of the pages they visit (e.g., information on fertility treatments), their IP addresses, device details, and even unique identifiers like cookies that persist across multiple devices. This data is then transmitted in real-time to third-party companies like Google and Facebook, who are masters at linking this information with their vast existing databases.

    The result? These companies can create a highly detailed profile of the patient, connecting their web activity on the hospital site with other online behavior, including social media activity and search history. These tracking technologies can even link data across different devices... if a patient checks their fertility treatment plan on their smartphone during a lunch break, that information could then be connected to their work computer, leading to targeted ads appearing while they’re at work. This not only breaches the patient’s privacy but also risks exposing deeply personal information in highly inappropriate settings.

    While the consequences of this ruling are profound and set a dangerous precedent that further erodes trust and compromises the privacy of millions of patients; HHS's about face is an even bigger slap in the face.

    Patient Rights Advocate Marilyn Bartlett; Dave Chase, Health Rosetta-discovering archaeologist; Jake Perry; Preston Alexander; Ann Lewandowski; Lee Lewis; Hannah Anderson

  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    It is apparently letter writing season for regulators! Yesterday, the FTC and HHS-OCR sent this letter to approximately 130 hospital systems and telehealth providers to draw their "attention to serious privacy and security risks related to the use of online tracking technologies that may be present on [their] website or mobile application (app)." Specifically, the letter addresses the use of technologies that can track a user’s online activities, such as the Meta/Facebook Pixel and Google Analytics. The letter notes that HIPAA applies when information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes personal health information (PHI). Entities not covered by HIPAA still have an obligation to protect against impermissible disclosures of PHI under the FTC Act and the FTC Health Breach Notification Rule. This is true even if these entities relied upon a third party to develop their websites or mobile apps and even if they do not use the information obtained through use of a tracking technology for any marketing purposes. The letter notes that "it is essential to monitor data flows of health information to third parties via technologies . . . integrated into your website or app." It concludes by "strongly encourag[ing]" organizations that are using these tracking technologies "to review the laws cited" in the letter and to "take actions to protect the privacy and security of individuals’ health information." #DataPrivacy #HHS #FTC #Tracking #Cybersecurity
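
An added example, not part of any of the posts above: one way to do the data-flow audit the posts call for, by checking captured browser requests for third-party calls that carry the URL of the first-party page being viewed. The domains, query parameter names, sensitive-term list and sample entries are all constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

FIRST_PARTY = "hospital.example"   # assumption: domain of the site being audited
# Assumption: path terms this site treats as revealing a health interest.
SENSITIVE_TERMS = ("fertility", "oncology", "appointment", "portal")
PAGE = "https://hospital.example/services/fertility-treatment"

# Constructed sample shaped like HAR entries (request URL plus request headers).
SAMPLE_ENTRIES = [
    {"url": PAGE, "headers": {}},
    {"url": "https://tracker.example/collect?ev=PageView&cid=abc123"
            "&dl=https%3A%2F%2Fhospital.example%2Fservices%2Ffertility-treatment",
     "headers": {"Referer": PAGE}},
    {"url": "https://cdn.example/lib.js",
     "headers": {"Referer": "https://hospital.example/"}},
    {"url": "https://static.hospital.example/site.css", "headers": {"Referer": PAGE}},
]

def host_of(url):
    try:
        return urlsplit(url).hostname or ""
    except ValueError:          # malformed value, e.g. a bad IPv6 literal
        return ""

def is_first_party(host):
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)

def disclosed_pages(entry):
    """Map each first-party URL this request carries to the channels carrying it."""
    carried = [("query", v) for _, v in parse_qsl(urlsplit(entry["url"]).query)]
    carried += [("referer", v) for k, v in entry["headers"].items()
                if k.lower() == "referer"]
    pages = {}
    for channel, value in carried:
        if is_first_party(host_of(value)):
            pages.setdefault(value, []).append(channel)
    return pages

def audit(entries):
    """List every disclosure of a first-party page URL to a third-party host."""
    findings = []
    for entry in entries:
        host = host_of(entry["url"])
        if is_first_party(host):
            continue            # same-site traffic is not a third-party disclosure
        for page, channels in disclosed_pages(entry).items():
            path = urlsplit(page).path.lower()
            findings.append({"third_party": host, "page": page, "channels": channels,
                             "sensitive": [t for t in SENSITIVE_TERMS if t in path]})
    return findings
```

Findings with a non-empty `sensitive` list are the ones to review first; an empty list still records that a third party learned which page was visited.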
