Skip to main content

Privacy law is becoming more technically sophisticated. So should you.

By , and March 21, 2023March 29th, 2023Insights

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.

For example, state privacy laws, such as the California Consumer Privacy Act (CCPA), require companies to implement opt-out solutions and honor applicable privacy requests. Companies including an opt-out link, privacy preference controls, and a privacy policy on their websites and apps may indicate compliance, but confirming they are actually working correctly (and technically) is an entirely different reality. These changes come as regulators continue to bring actions against companies for failing to be technically compliant, which likely indicates that regulators are conducting their own technical testing to determine whether claims made by companies are true and technical solutions are working correctly.

The California Privacy Right Act (CPRA) created the California Privacy Protection Agency, led by former chief technologist of the FTC, Ashkan Soltani. The CPRA sunset the notice and cure provision of CCPA that allowed accused parties 30 days to cure alleged violations, which further stresses the importance of configuring your technical solutions correctly.

Additionally, the Federal Trade Commission (FTC) launched the Office of Technology in February. Its first guidance note headlined the hidden impacts of pixel tracking as “lurking beneath the surface” just last week. With its own dedicated staff and resources, the office supports the agency’s policy and enforcement work and expands the FTC’s in-house technological expertise.

The Office of Technology’s note dove deeper in both enforcements – a US$1.5m GoodRx civil penalty on February 1 and a US$7.8m BetterHelp consumer settlement charge on March 2 – and raised more than a dozen questions to inform future pixel tracking guidance, notably:

  • Which pixel providers are particularly competitively significant for various tracking use cases, and how has competition in this industry evolved?
  • What unique consumer harms, financial or otherwise, can result from the use of pixel tracking?
  • What is the minimum data retention period necessary to provide services based on pixel tracking?

Further, Video Privacy Protection Act (VPPA) litigation regarding use of the Facebook Pixel continues to rise in the US. Double digit proposed class action lawsuits filed against household names in the last 12 months is quickly approaching triple digits. The actions allege that companies, through the Meta Pixel on their sites, are transmitting video information with the c_user cookie, which plaintiffs argue qualifies as Personally Identifiable Information (“PII”), to Meta.

Also, the Office for Civil Rights (OCR) released guidance on the use of trackers in December 2022, stating that “regulated entities” under HIPAA “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures” of Personal Health Information (“PHI”). Covered entities and business associates may not use tools and trackers (broadly defined) such as cookies, pixels, etc., and share collected unauthorized PHI with third parties such as marketing vendors, without potentially being subject to liability.

The problem

Without understanding which trackers and technologies are used on company app(s) and/or website(s), businesses run the risk of facing legal exposure due to unintentional data collection and/or transmission to third parties.

Indeed, under legal and industry frameworks – such as the CCPA and state privacy laws, the VPPA, HIPAA, FTC Act, and mobile app store requirements – businesses may be responsible for the trackers and technologies present on their apps and websites, as well as any data collection and/or transmission to third parties.

Unfortunately, it is all too common for businesses to be unaware of the trackers and technologies on their websites and apps. This lack of unawareness occurs for a few reasons:

  • Companies are blind to data leakage from their apps and websites because traditional cybersecurity solutions are focused on the company data center, not the user’s device (e.g., smartphone, computer, tablet, etc.), despite being legally responsible for data collection/transmission occurring from the user’s device in certain circumstances.
  • Many businesses necessarily rely on external code and aggressive development cycles, which are the norm for most industries.
  • Companies often rely on statements from vendors regarding data sharing and collection that may not be accurate.
  • Communication gaps occur between the marketing, development, and legal teams due to the broad definitions of “personal information” and “personal data” under relevant law, which can include hashed data, encoded data, technical identifiers (such as device IDs, cookies, localStorage, fingerprinting, etc.), as well as traditional plaintext identifiers like name and email address.

Our take

It’s important for companies to take technical steps to verify which third parties are present on their sites and apps, and the data transmitted to them, rather than relying on representations made by a vendor.

And remember that technical configuration matters. Empowering Legal to have an understanding, at least at a high-level, of the configuration options made available by these vendors – even those that are not otherwise advertised or readily available – can help bridge the gaps regarding unintended data collection/transmission.

As such, it is important to explore the relevant configuration options made available by vendors and third parties. Although not always openly advertised by vendors, certain configuration options do exist, which can enable the suppression of certain data collection/sharing elements to these vendors and third parties.

In addition, we recommend:

  • Having routine communication between Legal, Engineering, and Marketing.
  • Undertaking technical testing to validate and confirm that all behavior on applicable website(s) and app(s) is intended.
  • Executing applicable contracts such as CCPA service provider, contractor, and/or third party agreements.

As these privacy/data protection laws and requirements become more technically nuanced, it’s important that Legal continues to do the same.

NT Analyzer is a practical tool suite for managing privacy compliance in mobile apps, websites, and IoT. The tool detects and tracks the full range of data, including personally identifiable information, that is collected and shared, and then generates actionable reports through the lens of applicable privacy requirements. NT Analyzer also analyzes code associated with the “fingerprinting” of browsers as well as data used for “fingerprinting” mobile devices.

Find us at the IAPP Global Privacy Summit on April 4-5, 2023 at Booth 720 to talk mobile and website testing, state privacy law compliance, and video privacy.

You can also always reach out to us directly and request a demo of the tool here.

Read our next update Validating State Privacy Law Opt-Out Signals.


Special thanks to Elyssa Diamond and Rahul Kapoor for their assistance on this post.

Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa
Steven Roosa

Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.

More posts by Daniel Rosenzweig
Steven Roosa

Author Sue Ross

More posts by Sue Ross