It’s 3 AM: Do You Know What Your Website Is Doing? Tips for Reducing Regulatory and Litigation Risk Stemming From Website Technologies
Despite these legitimate uses, regulators and class action plaintiffs are taking aim at these technologies, leading to considerable compliance and litigation risk. Consider the following examples:
- Sephora’s $1.2 million settlement with the California attorney general for its alleged failure to process opt outs of cross-context behavioral advertising, including respecting Global Privacy Control signals.
- FTC settlements with GoodRx ($1.5 million) and BetterHelp ($7.8 million) related to their alleged disclosure of website users’ information to advertising providers.
- Video Privacy Protection Act litigation ballooning against companies in seemingly every industry concerning those companies’ alleged use of Meta Pixel, Google Analytics, and similar tools.
- Litigation alleging HIPAA violations based on health care providers’ use of digital advertising technologies.
- Litigation alleging session replay and chatbot technologies violating wiretapping statutes.
Given this landscape, organizations should consider the following three steps to reduce their compliance and litigation risk:
- Inventory the technologies and related settings currently deployed on your website and how any data is being collected, used, or disclosed. Different settings can require different privacy notices and consents. If needed, engage a consultant to scan the website and prepare a report.
- Assess current settings and practices against:
- Applicable privacy laws and regulations, based on the location of the organization, employees, customers, marketing audiences, and website visitors.
- Existing privacy notices and consents.
- The contracts in place with technology providers and any recipient of information from the tracking technologies. For health care organizations, this might involve reviewing the business associate agreements with those third parties.
- Make any advisable adjustments to address any potential issues revealed by the above. For example, updating existing disclosures, contracts, and methods for documenting consent to the practices disclosed (e.g., privacy policies, terms of use). Ask yourself:
- Are tracking technologies disclosed?
- How are any consents obtained and stored?
- Are up-to-date class action waivers and arbitration provisions included in your terms of use?
If you would like to discuss any of these steps or additional considerations in greater detail, we would be happy to assist. We've also recorded a podcast on the topic, which you can listen to here.