Nowadays, tracking technologies such as pixels and cookies are pervasive across the majority of websites. They enable businesses to track audience interactions, personalize user experience, measure advertising effectiveness, and target visitors with relevant ads.
While contributing to increased sales and customer satisfaction, these technologies collect a wide range of data about users without explicit consent, posing risks to people’s privacy and data protection rights.
Recently, there has been a growing backlash against tracking technologies. An investigation by UK newspaper The Observer revealed that UK National Health Service (NHS) trusts installed Meta Pixel on highly sensitive websites, allegedly sharing visitors’ data with Facebook without patients’ notice or consent.
The use of technology such as Meta Pixel code snippets or Google Analytics can lead to the unauthorized disclosure of personally identifiable information. Unauthorized disclosure poses several privacy risks, which this blog post examines.
Privacy risks associated with online tracking tech
When users visit a website with installed tracking scripts, their browsers download and execute the code without their consent or knowledge. Because that code runs inside the page, it can give attackers a way to pilfer personal data, including cookies or session IDs, and may even redirect users to malicious websites.
Stolen cookies allow attackers to act as the original user: making fraudulent purchases in the user’s name, transferring money from the user’s bank accounts, hijacking the user’s social media accounts, spamming the user’s contacts, and so on.
Sometimes attackers also target the supply chain of tracking technologies, attacking the companies that develop and sell them directly. Attackers usually exploit a vulnerability in the company’s own software, or in third-party software the company uses, to gain access to the personal data of consumers.
Equifax, a credit reporting agency, suffered a massive data breach in 2017. The attackers exploited a vulnerability tracked as CVE-2017-5638 in Apache Struts, an open-source web framework Equifax was using. They used the bug to remotely execute code on Equifax’s servers, stealing the personal data of over 143 million users.
Tracking technologies amass a wealth of user data, encompassing details such as the user’s IP address, browser type, device type, operating system, geolocation, browsing history, and interactions with website elements such as forms, buttons, and links. This trove of information empowers a company to build a comprehensive profile of users’ online activities.
Even if data collected through the use of tracking technologies does not comprise personal data directly, it can be linked with previously stored data on users or data collected from third parties to enrich it. This strategic integration enables businesses to learn the interests and behaviors of users in depth and target them with more relevant ads and marketing messages.
Facebook’s tracking of users’ online activities even after they had logged out of the platform exemplifies user profiling. Facebook embedded tracking cookies in the code of third-party websites to share information about users with its servers without their knowledge. As a result, users were profiled even when they were not using the platform.
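An added example, not part of the original post: a static audit that lists the third-party hosts a page makes the browser contact and labels those belonging to the Meta Pixel and Google Analytics loaders discussed above. The tracker host map, the first-party domain example.org and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: a short illustrative map of tracker hosts, not a complete blocklist.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google tag (Analytics)",
}

class ThirdPartyAudit(HTMLParser):
    """Record third-party hosts a browser would contact when rendering the page."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.in_script = False
        self.findings = []  # (where, host, tracker name or None)

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        if tag not in ("script", "img", "iframe"):
            return
        # urlparse also resolves scheme-relative URLs such as //host/path
        host = (urlparse(dict(attrs).get("src") or "").hostname or "").lower()
        own = host == self.first_party or host.endswith("." + self.first_party)
        if host and not own:
            self.findings.append((tag, host, KNOWN_TRACKERS.get(host)))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Tracker snippets often inject their loader from an inline script.
        if self.in_script:
            for host, name in KNOWN_TRACKERS.items():
                if host in data:
                    self.findings.append(("inline-script", host, name))

def audit(html, first_party):
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    parser.close()
    return parser.findings
# Constructed sample page with placeholder IDs; the first party is example.org.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>var s = document.createElement('script'); s.src = 'https://connect.facebook.net/en_US/fbevents.js'; document.head.appendChild(s);</script>
<img src="https://images.example.net/logo.png">
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView">"""
```

Calling `audit(SAMPLE_HTML, "example.org")` returns one tuple per third-party resource, with `None` as the label for hosts that are not in the map. A static scan cannot see tags that a tag manager injects at runtime, so it complements a network capture from a real browser session and does not replace one.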
Potential legal implications
Tracking technologies enable businesses to collect a vast amount of information about users, which is often collected without their consent. Data protection laws require businesses to only collect the data that is necessary for their business purposes, state legitimate purposes for data collection, and obtain specific and informed consent from users.
If businesses do not follow the rules as required under GDPR, they violate the principles of data minimization, transparency, and accountability. Such violations can have legal implications for the business. Data protection laws like GDPR and CCPA impose substantial penalties on businesses that are found infringing upon users’ privacy rights.
In some cases, tracking technologies can also be used to track users across sites and gather information about one’s competitors. This information provides unfair advantages in the marketplace and can be used to develop new products and services or target potential customers. Such a practice goes against antitrust laws.
In 2018, the European Commission fined Google €4.34 billion for violating antitrust laws. The Commission found that Google abused its dominance in the online search market and used Google Analytics to:
- Track which websites users visited before and after visiting Google’s own websites
- Track users’ searches on competitors’ websites, and then use this information to favor its own products and services over those of its competitors
Lessons for businesses
Responsible data handling
Businesses must adhere to data protection regulations that mandate responsible data handling.
Businesses can do away with the privacy violations, security risks, and abuse of power associated with tracking technologies, provided that they collect and process user data by:
- Being transparent about how they use tracking technologies to collect and process data about users
- Obtaining specific, freely given, informed, and unambiguous consent for each data type collected through tracking technologies
- Using tracking technologies only for legitimate purposes, such as improving products or services
- Implementing appropriate security measures for the internal handling of user data
- Ensuring that third parties with whom they share user data have appropriate security measures in place to safeguard the user data
Furthermore, given that the use of tracking technologies comes with risks and there are multiple instances of non-compliance to derive lessons from, businesses should also:
- Use tracking technologies from reputable vendors with a proven track record of protecting user privacy and security
- Regularly scan their tracking technologies for vulnerabilities and promptly update them as needed
- Provide users with granular control over their privacy settings, allowing them to make informed decisions about which tracking technologies to allow and which to block
Compliance with regulations
The use of tracking technologies without the transparency and consent of users can cause complications. Businesses should strike a delicate balance between their data collection practices and compliance with regulations.
Especially in the US, where data protection regulations are industry-specific, businesses should be wary of any non-compliance that may arise. In heavily regulated areas like healthcare, financial services, education, and children’s privacy, businesses must ensure that they:
- Avoid collecting, through tracking technologies, any data whose collection is strictly prohibited under certain regulations
- Understand the types of data they’re allowed to collect and use through tracking technologies in their industry
- Provide clear and concise information on how tracking technologies are used to collect and use data
- Offer consumers robust privacy settings to manage consent and preferences, including the ability to opt out of the sale of their data collected through tracking technologies
The same principles hold for state laws as well as data protection laws under any jurisdiction.
Significance of building trust with users
Fostering trust with users is crucial for businesses that use tracking technologies. Users are increasingly becoming aware of the risks of online tracking technology. They’re more likely to engage with businesses that they trust to protect their personal data. If users are educated about the importance of providing personalized content and recommendations through the use of tracking technologies, they will likely appreciate these benefits.
Businesses should commit to using tracking technologies to enhance the user experience, not to snoop on users’ privacy. When users understand the purposes clearly, they will likely allow tracking and trust the business more to protect their data. In a world where tracking technologies are subject to a variety of data protection regulations, using them responsibly increases user trust and reduces the risk of violating regulations and facing penalties.