“Oops! I Did It Again” ... Meta Pixel Still Hoovering Up Our Sensitive Data
The Markup is on a roll, finding additional examples of Meta Pixel hoovering up sensitive personal information. Previously, The Markup found the Meta Pixel “transmitting information from the U.S. Department of Education, prominent hospitals, telehealth startups, and major tax preparation companies.” Its latest report found that “twelve of the largest drug stores in the U.S. sent shoppers’ sensitive health information to Facebook.” Shopping cart items sent to Meta included Plan B, prenatal vitamins, HIV test, and pregnancy test, along with cookies and IP addresses that could be used to identify an individual. This is not just a problem with Meta but was also found with “pixels” from Bing, Twitter, Snapchat, and Pinterest, as well as Google and Nextdoor.
In this blog post, I will describe just what is the Meta Pixel and drill down on some of the problems The Markup and my own research have found. This includes content from my book Containing Big Tech where I explore each of the Big Tech firms’ digital surveillance capabilities in the very first chapter. I think the big lesson learned is that the Chief Privacy Officers at major companies should be visiting their respective web teams and asking if the Meta Pixel is installed on the corporate website and what information is it passing back to Meta and why.
I borrowed this imagery from the Prop 24 video I made in 2020 for Californians for Consumer Privacy https://www.caprivacy.org/prop-24-california/
What is the Meta Pixel?
Meta introduced in 2015 the “Meta Pixel” that collects detailed user behavior data. It added this capability so advertisers could better “retarget” users. An example of retargeting is when you browse for red shoes on website A and see an ad for the same shoes on website B later that day.
As I describe in my book:
“When embedded on a publisher’s website, the Meta Pixel sends data to Meta about user activity, including what you are viewing, your searches on websites, purchases you have made, items added to a shopping cart, and even information you filled out in online forms. Meta calls this activity “interactions.” It sends this information back to Meta even if you don’t have a Facebook account. The website publishers can then use this information to retarget you by advertising their products when you are on a Meta property or through the Meta Audience Network for non-Meta websites and mobile apps. As of 2018, over two million websites had the Meta Pixel installed, and a researcher found that Pixel was installed on 30 percent of the top one hundred thousand websites. In addition, this technology is available for mobile apps, and it is estimated that it is embedded in sixty-one of the one hundred most popular mobile apps.”[1]
Meta Pixel and Sensitive Data
As I referenced, The Markup has found a number of examples of the Meta Pixel collecting sensitive personal information that really should not be collected. As I write in Containing Big Tech:
“For example, The Markup found in 2022 that one-third of the top 100 US hospitals sent sensitive healthcare data to Meta via the Meta Pixel, including “patients’ medical condition and prescriptions from the hospitals’ patient-facing electronic health record systems.” This appears to violate the Health Insurance Portability and Accountability Act (HIPAA), which protects the personal privacy of patient healthcare. The Markup also discovered in 2022 that the US Department of Education sent sensitive data from their financial assistance website to Meta. And in addition, The Markup found that various tax preparation firms were sending sensitive taxpayer data such as “income, filing status refund amounts, and dependents’ college scholarship amounts,” which may have violated IRS regulations governing tax preparers. In all these examples, this happened even if the consumers entering data on these websites did not have a Facebook account.”[2]
My research for the book found the same thing:
“Meta claims it discards this type of sensitive information sent by websites using the Meta Pixel. But in my “Off-Facebook Activity,” I saw that Meta had captured me searching and scheduling a Covid test on a healthcare provider site, so my health-related information was making its way to Meta’s database.”
In fact, The Markup even found that many suicide hotline websites tied to the national mental health crisis hotline “transmitted information on visitors through the Meta Pixel.” Urghhh.
What Can Consumers Do?
You can view what recent activity Meta has collected by going to https://www.facebook.com/off_facebook_activity/. You can clear past activities, but more importantly, you can disconnect the collection of any future activity.
But Problems Linger
One concern I do have is for the people who don’t have a Facebook account or have deactivated their Facebook accounts. The data is being collected about them, but because they don’t have an account (or an active account), they can’t clear past activity or disconnect the collection of future activity. In the past, these were referenced as “ghost accounts” or “shadow profiles.” This came to the forefront during Mark Zuckerberg’s 2018 congressional testimony, where he was pressed on collecting data on people who don’t have a Facebook account.
I assume that the way for non-Facebook users to delete the pre-existing collection of “off Facebook activity” is to exercise their privacy rights and do a “delete” request (but that assumes they are in one of the few states like California that has a comprehensive privacy law). But that would not stop the subsequent collection and storage of any new user data after that request. A delete request is not an ongoing request, it happens at a point in time, and Meta keeps on collecting no matter what after the request.
Consumers can also use a browser plug-in such as EFF’s Privacy Badger to stop third-party tracking, which would block the Meta Pixel on a given website from sending data to Meta. I use Privacy Badger on my PC, and also use the DuckDuckGo app on my Android device to block third-party trackers on my phone (ala Apple’s App Tracking Transparency). But what I have found is that Meta Pixel is integrated into apps on my TV, which I can’t block, so I am still being tracked by Facebook even when I block third-party tracking on my PC and phone.
Sigh.
But I do know that at some point someone is going to sue Meta and/or a company that has the Meta Pixel installed on their website for this sensitive data collection. So one recommendation I do have for the Chief Privacy Officers at corporations is for them to carefully review what the marketing folks are doing with Meta Pixel on the corporate website, and if they are sending too much sensitive data back to Meta from their website. The Markup does a nice job of documenting how you can "resolve to fix your organization’s Meta Pixel problem" by finding out if you are sending too much data to Facebook.
Footnotes
[1] Angie Waller and Colin Lecher, “Help Us Investigate Facebook Pixel Tracking,” The Markup, January 21, 2022, https://themarkup.org/pixel-hunt/2022/01/21/help-us-investigate-facebook-pixel-tracking; Julia Angwin, “Facebook’s Pervasive Pixel,” The Markup, August 20, 2022, https://themarkup.org/newsletter/hello-world/facebooks-pervasive-pixel; Geoffrey A. Fowler, “There’s No Escape from Facebook, Even If You Don’t Use It,” Washington Post, August 29, 2021, https://www.washingtonpost.com/technology/2021/08/29/facebook-privacy-monopoly/.
[2] Angwin, “Facebook’s Pervasive Pixel”; Surya Mattu and Colin Lecher, “Applied for Student Aid Online? Facebook Saw You,” The Markup, April 28, 2022, https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you; Simon Fondrie-Teitler, “Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook,” The Markup, November 22, 2022, https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook.