Privacy Violations: Mitigation Strategies and Cyber Insurance Considerations

In recent years, we have seen a surge in litigation involving privacy violations in the United States. Companies that engage in activities involving the collection of user data, whether for data sharing opportunities, product enhancement, or otherwise, have faced lawsuits for alleged privacy violations.

In this post, we'll explore recent class action lawsuits related to these technologies and include suggestions for policies and processes that companies can implement to protect themselves from similar lawsuits. Lastly, we’ll address the role of cybersecurity insurance coverage and how the market for privacy coverage continues to shift.

Pixel Tracking Technology

Pixel tracking technology involves placing small invisible images on web pages that allow companies to track users' online activity, including the websites they visit, the ads they click on, and the products they purchase. Although pixel tracking technology has become ubiquitous in online advertising, companies that use this technology must obtain proper user consent and be transparent about their data collection practices to avoid legal issues.

Two notable examples of companies facing legal and regulatory action are GoodRx and BetterHelp. In 2023, the Federal Trade Commission took enforcement action against each of these digital healthcare platforms for allegedly sharing user health data with third parties for advertising. The Federal Trade Commission (FTC) orders included limits on whether and how these companies can disclose user data with third-party advertisers and resulted in civil penalties of $1.5 million (GoodRx) and $7.8 million (BetterHelp).

Outside of healthcare, there have been notable class action lawsuits involving pixel tracking technology in the last five years, including cases against Google, Salesforce, Zoom, and Adobe. These cases illustrate the continued concern over the use of pixel tracking technology and the potential legal consequences for companies that do not obtain proper user consent or disclose their use of the technology.

Session Replay Technology

Session replay technology involves recording users' interactions with a website or mobile application, including keystrokes, mouse clicks, and other activities. Although this technology can provide valuable insights into user behavior, companies must obtain proper user consent and limit data collection to avoid legal issues.

Several notable class action lawsuits involving session replay technology have been filed in recent years. In 2022, Papa John’s International was sued for allegedly using session replay technology to record users' keystrokes and mouse clicks on the company's website without their consent. The case alleged that Papa John’s violated the federal Wiretap Act and the California Invasion of Privacy Act by intercepting and recording users’ activities without their consent.

Several companies, including retailers and airlines such as Spirit Airlines, Alaska Airlines, Cabela’s, and Ulta, were also sued in 2022 for allegedly using session replay technology to track and record users' activity on their websites without their consent.

Mitigation Measures to Avoid Lawsuits

To protect themselves from potential lawsuits related to pixel tracking and session replay technologies, companies may consider:

• Obtaining user consent before using the technology
• Limiting the amount of data collected to only what is necessary
• Providing opt-out options for users
• Conducting regular audits of data collection practices
• Training employees on proper use of the technology

Cyber Insurance: Restrictions Becoming More Common

Cyber insurance policies have evolved over the last decade to include coverage for a variety of data privacy violations, including allegations of unintentional unlawful collection of personal data (“wrongful collection coverage”). Coverage can include defense costs, damages, and regulatory fines and penalties arising out of a claim alleging the unlawful collection of user data. This coverage is not often included in a standard cyber insurance policy form, but instead must be requested to have affirmative coverage.

These restrictions vary depending on the policy, but some common examples can exclude coverage for:

• The use of pixel tracking and session replay technology,
• Violations of specified privacy regulations (e.g., BIPA), or
• Any claim alleging the unlawful collection of personal information.

While coverage restrictions are becoming more commonplace, they can be avoided by demonstrating effective controls to mitigate the risk (see Mitigation Measures section above). It’s important for companies to articulate to their cyber insurers a clear understanding of the risk, outline how and where user data may be collected within the organization, and verify they are obtaining user consent. Without proper controls and a clear message, companies will not be able to maintain or secure insurance coverage for wrongful collection claims.

Take Steps to Reduce Legal Risks

As the use of pixel tracking technology and session replay technology becomes increasingly prevalent, companies must take steps to protect themselves from potential legal issues related to privacy violations. By implementing policies and processes that prioritize user consent and limit data collection, companies can minimize their legal risks, promote transparency and privacy for their users, and increase their ability to secure broad insurance coverage for data privacy violations.