A federal court has given preliminary approval to a $2.6M class action award against a website operator violating end user privacy by using the Facebook (Meta) pixel. The pixel is a piece of tracking code that allows Facebook to track end users who have Facebook accounts when they go to websites operated by third parties (such as the defendant in this case). In the last couple of years, there have been multiple federal suits against the commercial customers of Facebook and Google that claim these pixels/trackers violate the privacy of the end user when deployed on a third-party site. In each case, the plaintiff has cited an old federal law (e.g., wiretapping, video rental records privacy) to claim that trackers, session replay technology, and similar widely-used tools violate end user privacy. In most cases, the claims are brought against the companies that use back-end services from Google and Facebook (such as shopping cart technology or ad serving) rather than against the social media companies themselves.
Facebook, Google, and other social media providers commonly use such trackers -- it is one way they amass data and can use it to sell and target ads and provide website analytics. The social media tracking pixels generally "fire" when the end user takes certain actions on the third-party website. They send information back to Google/Facebook about the actions the end user is taking on the third-party website. In other words: the pixels are communicating with the social media company, not with the website operator, about what end users are doing on the operator's page. The operator might not get information from the pixels (and might not even know they are present). Information from the pixels is often combined with other information about the end user that the social media company has gathered on its own site.
It all sounds very complex, but it boils down to this: social media companies track their end users both on and off their own services. This includes end users who visit websites that subscribe to back-end services provided by the social media company. The operator of the website isn't tracking the end user and isn't getting information about the end user from the pixel. But the operator may find itself facing a lawsuit alleging that it has violated end user privacy.
Why It Matters
Many courts have allowed plaintiffs to plead these unusual cases and permitted them to go beyond the summary judgment stage. So far, we do not have a body of case law stating that a website operator is generally liable for the end user tracking conducted on its site by a social media/commercial services provider. In part, that is no doubt due to the indirect liability claims being asserted; in part, it is because statutes written 40+ years ago are not always a good fit for these actions.
The fact that these cases have not yet succeeded in large numbers is encouraging. However: they are expensive to defend, and they are exceedingly disruptive. Furthermore, as this settlement shows, any successful claim could be extremely expensive for the website operator.
Any company using back-end or other commercial services from Google, Facebook, or other social media companies would be well served to understand how those providers track end users and make very explicit disclosures about that tracking in their own privacy policies so that end users cannot claim lack of notice.