Meta’s Tracking Pixel Violates GDPR and the EU Ban on Transatlantic Data Transfers

Posted on Mar 23, 2023 by Glyn Moody

One of the most insidious forms of surveillance carried out routinely by web sites and their advertisers involves tracking pixels. These are graphic elements that are just one pixel in size, colored so as to be invisible on whatever page they appear. Visitors to a site can’t see them, but as soon as the page is loaded, so is the tracking pixel, which causes a wide range of your personal data to be sent to the site.
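The mechanism described above can be checked for in a page's static HTML. The following is an added example, not part of the original article: it flags `<img>` tags that are at most 1x1 or hidden by inline style and load from a host other than the page's own, and lists the query parameter names each one sends. The hosts, the sample page, and the names `PixelFinder` and `find_tracking_pixels` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class PixelFinder(HTMLParser):
    """Collect <img> tags that are at most 1x1 or hidden and load from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        host = (url.hostname or "").lower()
        # Relative URLs and the page's own host or subdomains count as first-party.
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return
        tiny = all(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tiny or hidden:
            # Report parameter names only: the values are the visitor's data.
            names = sorted({k for k, _ in parse_qsl(url.query)})
            self.findings.append({"host": host, "params": names})

def find_tracking_pixels(html_text, page_host):
    finder = PixelFinder(page_host)
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page for shop.example; every host and value is made up.
SAMPLE_PAGE = """
<html><body>
<img src="/static/logo.png" width="200" height="60">
<img src="https://cdn.shop.example/banner.jpg" width="1" height="1">
<noscript><img height="1" width="1" style="display:none"
  src="https://tracker.example/tr?id=0000&amp;ev=PageView&amp;url=https%3A%2F%2Fshop.example%2Fcart"/></noscript>
<img src="//ads.example/p.gif?uid=abc" style="visibility: hidden">
<img src="https://images.example/photo.jpg" width="640" height="480">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_PAGE, "shop.example"):
        print(finding)
```

This only sees images present in the delivered HTML; a pixel inserted by a script at load time has to be found by inspecting the browser's network requests instead.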

The main tracking pixels are managed by Meta and Google. Recently, it has emerged that the increasingly popular TikTok also makes use of tracking pixels, gathering personal data about people whether or not they have TikTok accounts. TikTok tracking pixels have even been found on US state government sites.

Now, the tide may finally be turning against tracking pixels, in the EU at least. Once again, it is the Austrian privacy expert Max Schrems and his noyb.eu organization that is driving the change.

Why Are Tracking Pixels So Bad?

The problem with tracking pixels is that they gather information surreptitiously, without most users being aware. They are also opaque: even if a visitor to a site assumes that there are tracking pixels, it is rarely clear what personal data is being gathered.

Tracking pixels represent a huge threat to online privacy because the three main companies offering them – Meta, Google, and TikTok – operate on such a scale that it is likely they have created extremely detailed databases of most people’s online activities and interests. This information can then be used to sell micro-targeted advertising all over the web.

Last year, the Austrian Data Protection Authority ruled that the continuous use of Google Analytics violates the EU’s GDPR. The ruling against Google was the result of noyb.eu filing 101 complaints against companies for alleged violation of the GDPR. In the Austrian decision, the role of the tracking pixel was not highlighted so much as the transfer of personal data of EU citizens to the US.

However, in a new decision from the Austrian Data Protection Authority, also as a result of a noyb.eu complaint, Meta’s tracking pixel has been explicitly judged as violating both the GDPR and the top EU court’s ban on transatlantic data transfers. As the noyb.eu post on the latest ruling emphasizes, the ban on Meta’s tracking tools applies across the EU, and to many web sites currently live:

Decision relevant for almost all EU websites. Many websites use Facebook tracking technology to track users and show personalized advertisement. When websites include this technology they also forward all user data to the US multinational and onwards to the NSA. While the European Commission is still aiming to publish the third EU-US data transfer deal, the fact that US law still allows bulk surveillance means that this matter will not be solved any time soon.

EU Citizens Subject to US Mass Surveillance

The US and the European Commission are still trying to come up with a framework that will allow EU personal data to be legally transferred to the US. Two previous versions – Safe Harbor and Privacy Shield – have been thrown out by the EU’s highest court. Schrems is sceptical that the latest attempt will fare any better than previous ones, which were struck down following legal action instigated by. Back in December, he wrote: “I can’t see how this [new framework] would survive a challenge before the [EU] Court of Justice.”

Although the latest decisions only apply to the EU, and depend upon the GDPR, the authorities in the US are also concerned about the risks of large-scale and invisible surveillance carried out by tracking pixels. The US Federal Trade Commission recently took enforcement action against GoodRx and BetterHelp, two digital healthcare platforms, for allegedly sharing user health data, gathered using tracking pixels, with third parties for advertising. In a post, the FTC wrote:

Companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and [their] privacy promises to consumers.

Gathering health-related data using pixel tracking is viewed as particularly harmful to people’s privacy.

Pixel Data Collection Used for Political Gain

Another extremely sensitive topic involves collecting information on visitors’ political views, which can also be monitored using pixels. This is a new area where noyb.eu is active, and it has just filed a series of complaints as a result of research with ZDF Magazin Royal. Analysis revealed German political parties were using micro-targeted ads on Facebook. Here’s why that is problematic:

One of the greatest dangers of political microtargeting is that a voter's political opinion can be influenced and altered. Political parties can make countless promises to specific groups of voters and can hide their personalized stance from the general public. This can lead to very different expectations in voters, which politics can never live up to. The result is a polarized society, and individual parties can create advantages for themselves in the election campaign by making contradictory promises.

The new research revealed that precisely this was happening. For example, the German FDP party showed an ad to people with “green” interests stating that the party was in favor of “more climate protection”. But simultaneously, the FDP showed an ad targeting “frequent travelers” in which it promised “no government measures, restrictions on freedom or bans”. Because the ads were only shown to particular groups, the contradictory promises were never evident.

Political opinions are strongly protected under the GDPR, and noyb.eu claims practices by no less than six political parties are “unlawful and a threat to democracy and to the privacy of voters”. Although it will take a while for the complaints to be dealt with, if successful, they will have a major impact on EU political parties’ digital strategies, including the use of pixel tracking.
