Cyber and Digital Law Insight: Part 1: Online tracking technologies
Market Insight 01 February 2024
While many Australians are becoming increasingly familiar with the emerging cyber landscape, fewer are likely to be aware of the legal and ethical dilemmas associated with online tracking technologies.
Until recently, online tracking technologies (‘OTTs’) were mainly unheard of and limited in their ability to share, collect, and disseminate user information from online browsing. Within the last year, however, there has been a wave of third-party claims targeting companies that use OTTs on their own websites to collect and transmit private user information to third parties.
These third-party claims have overwhelmed the US, UK, and EU markets. The use of OTTs in these markets has been regulated for some time now, but this often results in the unauthorised use of OTTs. This article is the first of a three-part series, which will address the existence of OTTs and how they are causing an influx of claims in the US market. With input from Mullen Coughlin LLC on the US perspective, this article delves deeper into the potential wave of claims that could ripple into the Australian market.
Our next article (Part 2) will focus on the UK market and its apparent claims activity in relation to the misuse of OTTs. Finally, our last article (Part 3) will consider whether this wave of claims will eventually reach into the Australian market (and if so, how to ensure you prepare for these claims).
What are online tracking technologies?
It is becoming increasingly common for websites to track user activity when browsing online. Online tracking is the process through which website companies observe and collect user information to customise their offers and online engagements. Pixel is one example of an OTT that collects user information. This information typically includes:
- where users navigate while visiting a website;
- how long users are browsing for on a particular session;
- location data – such as the user’s IP address and geo-location; and
- other types of data (which many are unaware is even being collected).
Many OTT companies are marketing these technologies to organisations as a tool to re-engage users with site owners and ultimately boost their sales. More importantly, however, the user data collected is typically shared with third parties without the knowledge of the user.
Tech giant Meta has built its pixel tracker user agreements so that it can collect this data for its own purposes (i.e. to collect the data and share it with third parties). ‘Meta Pixel’, formerly known as the ‘Facebook retargeting pixel’, is a piece of code that sits on a website and helps businesses understand the effectiveness of their advertising and the actions people take on their site. The use of Meta Pixel has recently triggered a significant wave of class action lawsuits in the US (through both federal and state privacy and surveillance laws). It is worth noting that these laws are considered to be stronger in respect of consumer protection than any legislation that exists in Australia today. These US claims arise out of the voluntary relationship between the consumer (the user) and the entities who control and manage the online domain and provide services back to the consumer; a complicated, yet critical space when it comes to online technologies.
What are we seeing in the US market?
Of late, the US has seen significant growth in claims alleging the unauthorised use of OTTs, such as Meta Pixel. For instance, in the US, many class action lawsuits have alleged a violation of the Video Privacy Protection Act of 1988 (VPPA), which prohibits entities from disclosing a user’s consumption of video content containing personal information without first obtaining the user’s informed and written consent. In these claims, issues have arisen where information relating to users’ video history is unknowingly being shared with unknown third parties after they have accessed and browsed the website domain of a video content provider which has Meta Pixel activated on the domain. Similar issues are surfacing in specific US states, where it is alleged that website operators are intentionally ‘wiretapping’ users without consent by recording and sharing information gathered during users’ interactions with their online chatbots.
The US perspective
Claudia McCarron from Mullen Coughlin LLC, a US law firm which specialises in data privacy events and information security incidents, provides a unique perspective on the topic of OTT claims arising in the US.
The emerging case law in the U.S. regarding these claims has been unpredictable, with decisions favouring both plaintiffs and defendants. Generally, these claims are surviving initial dispositive motions by the defense and moving forward. Although none of the cases have gone to verdict, the potential liability can be staggering. The litigation is driven by the availability of statutory damages on a class-wide basis ranging from $1,000 to $10,000 per class member. The class could include all website visitors over a period of years based on the applicable statutes of limitation. As a result, the settlement demands are often so high that most defendants are litigating the claims. Although a handful of settlements have been reached, they represent a very small fraction of the pending litigation, and predictable settlement valuations for such claims have not yet emerged. Additional settlements or outcomes that may occur this calendar year, including on several matters currently pending in appellate courts, will hopefully provide greater clarity to quantify exposure and risk.
Claudia McCarron, General Counsel, Mullen Coughlin LLC
So, what can Australia expect?
Currently, the protections in the Privacy Act 1988 (Cth) (Privacy Act) only apply to individuals’ personal information. As the information collected and shared through OTTs is often not enough to identify an individual (and therefore meet the definition of personal information under the Privacy Act), organisations may not need to seek consent or comply more broadly with the Privacy Act in order to use OTTs. Similarly, Australia’s existing surveillance laws are yet to define key terms such as ‘direct marketing’, ‘targeting’, and ‘trading’, which we believe is necessary to effectively regulate the use of OTTs, and open the market to increased claim activity.
There is some way to go before Australia’s privacy and surveillance laws, in particular with respect to OTTs, align with those in the US. However, there have been some developments in the Australian government’s response to the Privacy Act Review Report and the Attorney-General’s Electronic Surveillance Framework Discussion Paper. More specifically, the government has intimated that reform of the Privacy Act and / or state surveillance laws is likely to facilitate consent requirements (or even prohibitions) regarding the use of online technologies such as OTTs.
It is now expected that the Australian government will make some significant amendments to the Privacy Act within the next few years, which are likely to shed light on the use of OTTs and bring it in line with the US market. So, whilst we do not expect a tidal wave of claims to come through in the near future, it is imperative that entities are prepared for a ripple of claims to inevitably come through, which have the ability to build up to something bigger.
Only recently, we witnessed the Australian Information Commissioner announce that it would make inquiries against one major tech company (known as ‘TikTok’) as there were claims against it for using OTTs to harvest personal information without user consent. Our understanding of these claims is therefore becoming essential to ensure we all are prepared for any potential third party claims and / or regulatory action.
What’s next in our article series?
In our next article, we will discuss the reality of OTT claims as they move towards the UK Courts and organisations seek redress for affected individuals. This next article (Part 2 of our three-part series) will unpack how one of the most important data privacy and collective redress disputes to date has opened the floodgates for individuals to seek compensation from a domain owner for failing to comply with privacy laws.
In our last article of the series (Part 3), we will focus back on Australia to determine what organisations need to do to minimise this potential risk of regulatory action by the Australian Information Commissioner and / or third party claims against them. As this space continually progresses and changes in real time, it will be important for organisations to understand how they can reduce their exposure.
How can Clyde & Co help?
Clyde & Co’s Cyber, Privacy and Technology Team has specialised expertise across the privacy, cyber, financial services and broader technology practice areas. It also houses the largest dedicated privacy and cyber incident response practice across Australia and New Zealand.
The firm's tech, cyber and privacy practice provides end-to-end risk management solutions for clients. From advice and strategy regarding transactions, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, recoveries, and third-party claims, the team offers practical, solutions-focussed assistance and advice.