Hidden privacy risks of data tracking technologies

Cyber | Article | April 29, 2026

As digital marketing evolves, tracking technologies raise new privacy risks. Learn how organizations can reduce litigation exposure.

Digital marketing is delivering powerful results – but without tight controls, data tracking tools can lead to serious privacy violations. With litigation emerging, Kara Higginbotham, Zurich’s Head of Professional Liability & Cyber, explores how businesses can manage privacy and maximize data-driven value.

Corporate marketing strategies have evolved beyond recognition in the digital era. The days of static billboards and newspaper advertising have given way to dynamic data-driven campaigns with hyper-personalized messaging driven by consumers’ real-time internet activity.

The business case is clear. Every day, consumers leave traces of their digital identity, purchasing preferences, downloads and browsing habits. Access to this information is a marketer’s dream, leading to higher conversion rates, improved return on advertising spend and invaluable customer insight.

However, increasingly sophisticated digital marketing strategies are potentially colliding with invasion of privacy laws. In the US, an evolving patchwork of federal and state privacy laws, including existing state wiretap laws, has challenged organizations navigating the tradeoff between leveraging data-driven technologies and maintaining compliant data privacy practices governing the collection and sharing of information. 

Pixel tracking: a double-edged sword?

At Zurich, we are seeing a rising number of invasion of privacy claims often relating to tracking technology – and particularly, the use of pixels. Pixels are tiny images, or snippets of code, embedded in a website or email. Major tech platforms like Meta and Google provide tracking pixels to third party websites and apps to collect information about how users interact with content – tracking actions such as page visits, clicks and conversions. The data is fed back to the platform, analyzed and subsequently used to optimize highly targeted marketing campaigns.

Pixels are a well-established tool in the modern marketing armory, with research suggesting 55% of companies in the S&P 500 use them on their website.[1] When used with the appropriate governance and necessary consents in place, pixel tracking is a legitimate and successful strategy.

However, without appropriate controls to ensure responsible deployment, their use raises serious questions about consent and data sharing with third parties – and potentially leaves businesses vulnerable to regulatory action or litigation.
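As a starting point for the inventory that such controls depend on, the following added example (not part of the original article or any Zurich tooling) parses one page's HTML and lists every third-party script, image or iframe it loads, flagging 1x1 images and the query parameters handed to the third party. The tracker host list, the site name clinic.example and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
# Assumed starter list of tracker hosts; extend it from your own vendor inventory.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel endpoint",
    "www.googletagmanager.com": "Google Tag Manager",
}

class PixelAudit(HTMLParser):
    """Collect third-party script/img/iframe loads from one page's HTML."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if not url.hostname or url.hostname == self.first_party_host:
            return  # inline, relative or first-party resource
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({
            "tag": tag,
            "host": url.hostname,
            "vendor": KNOWN_TRACKER_HOSTS.get(url.hostname, "unlisted third party"),
            "pixel_like": tiny,
            # Query parameter names show what the page hands to the third party.
            "params_sent": sorted(parse_qs(url.query)),
        })

def audit_page(html, first_party_host):
    parser = PixelAudit(first_party_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page for a hypothetical site, clinic.example.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://clinic.example/logo.png" width="200" height="60">
<img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView&amp;dl=https%3A%2F%2Fclinic.example%2Fappointments">
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXX"></iframe></body></html>"""
for finding in audit_page(SAMPLE_HTML, "clinic.example"):
    print(finding)
```

Static HTML only shows tags present in the page source; trackers injected at runtime by a tag manager need a browser-based crawl to surface.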

The rising tide of privacy litigation

There is already a rise in pixel-related lawsuits in the U.S., where plaintiff firms are bringing claims under statutes never intended for this purpose — including the California Invasion of Privacy Act (CIPA), Pennsylvania Wiretap Act, Health Information Privacy Act (HIPAA) and Video Privacy Protection Act (VPPA). These cases often center on whether website users provided informed consent for data collection and transmission through tracking tools.

Healthcare has become a particular target. Several U.S. hospital systems have faced class actions alleging that the Meta Pixel transmitted protected health information to third parties.[2] To date, most of these cases have not reached the higher courts.

Many suits have been dismissed early because the laws cited pre-date modern tracking technologies, while some defendants have chosen to settle. Even without firm precedents being established, the rising number of filings shows that plaintiffs’ firms are testing the boundaries of existing privacy law. Even if no legal liability is found, these lawsuits often seek very large sums in damages and can be costly and distracting for organizations.

Choice and consent: the compliance challenges

Many businesses are unaware of the extent to which they are using pixels or don’t have a clear understanding of the data flows involved. Consequently, unauthorized data collection is more pervasive than most people realize.

Last year, for example, the nation’s largest managed care organization agreed to pay up to $47.5 million to settle claims alleging that tracking pixels sent Protected Health Information (PHI) to third party technology platforms without patient consent.[3]

Furthermore, the concept of consent is not straightforward – simply installing a pop-up consent banner on a website is not necessarily sufficient. Generic language, consent that is bundled with other permissions, or a lack of choice may be considered red flags by regulators or lawmakers.

In September 2024 the Federal Trade Commission released a report indicating that, while social media platforms are increasingly offering privacy dashboards, ad-preference pages and toggles to give users more control over tracking and personalized advertising, extensive and opaque data collection practices put the onus on organizations embedding tracking tools on their websites to maintain adequate data privacy safeguards.[4]

Implications for risk professionals

These trends highlight the need for risk professionals to implement robust privacy governance around consent mechanisms, data flows and vendor controls wherever marketing or analytics technologies are used. These are not just technology or marketing issues – they touch many parts of the business, from legal to procurement, and risk professionals are well-placed to lead a joined-up response.

Strengthening privacy liability defenses

At a minimum, businesses should consider the following five steps:

  • Map the ecosystem: Identify all teams and third parties involved in marketing, analytics and data processing. Understand their role in handling customer data and secure integrated oversight across the core functions.
  • Conduct privacy impact assessments: Understand current pixel usage and data flows, establishing processes to assess all new products and data uses. Pay particular attention to free or off-the-shelf marketing products.
  • Align policies: Ensure marketing policies, procurement guidelines and data privacy policies are up to date and aligned with current regulatory requirements. Embed best practice across the business, including clear consent mechanisms and appropriate email and web security controls. Minimize retention of sensitive personal information and apply strong access controls and encryption.
  • Educate: Raise awareness among employees about digital marketing, privacy and consent. Keep teams updated on emerging AI and analytics tools and their privacy implications.
  • Monitor legal developments: Stay abreast of new laws or amendments to regulation across all jurisdictions. Engage with brokers, insurers or global partners for guidance on emerging trends.

Maximizing the business opportunity

When used correctly and responsibly, tracking technology can form a central tenet of a powerful marketing strategy, leading to positive outcomes for both the business and the consumer. The challenge is not to avoid these tools altogether – but to use them appropriately.

Risk professionals have a leading role to play in ensuring businesses maximize the opportunities of data-driven marketing in a considered and compliant manner, avoiding the risk of third-party claims and expensive litigation.

The interplay between digital marketing strategies and the concepts of privacy and consent is complex, nuanced and continually evolving. Zurich is committed to working with its customers to help them keep pace with the shifting landscape, understand potential exposures and embed best practice.

To explore Zurich’s tools and resources for building cyber resilience, visit Zurich’s Cyber Resource page

 

Resources

1. Report: LOKKER’s Analysis of More Than 3,400 Websites Reveals Meta Pixel Still on 33% of Healthcare Websites, with 12% of the S&P 500 Showing Likely Privacy Violations, April 2, 2024.
2. Healthcare Organizations Settle Website Tracking Class Action Lawsuits, Jul 31, 2025.
3. Kaiser Permanente’s $47.5 Million Lesson About the HIPAA Security Rule, December 9, 2025.
4. FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens, September 19, 2024.
5. Dipshan, Rhys. Legal Tech’s Predictions for Data Privacy in 2026. Law.com. 9 January 2026.
