Tools like Meta Pixel are excellent for companies seeking to track consumer behavior, but recent cases—particularly in the healthcare space—are challenging how organizations can use the data acquired this way. Eric Jesse explains how to structure your cyber, D&O, and other insurance policies so as to mitigate the risk of privacy class actions and other potentially damaging claims.
Eric Jesse, Partner, Insurance Recovery
Eric Jesse: Hi, I'm Eric Jesse, partner in Lowenstein Sandler's Insurance Recovery Group, and welcome to "In the Know."
Today, we're going to discuss recent litigation that companies can face related to Meta Pixel and other tracking tools, and ways to adequately protect your company through cyber and other insurance.
Meta Pixel is a tracking code that companies embed on their websites to track their visitors' activities and collect data. For example, retail companies can track things like prior purchases, items added to a shopping cart, searches for products, and pages viewed. This information is then used to target users through ads on, for example, Facebook or Instagram based on a particular user's interests, preferences, and online behavior.
Now, this has become a hot issue, particularly in the healthcare space. Several lawsuits have been filed against Meta and hospitals across the country alleging HIPAA and other privacy violations as a result of hospitals allegedly using Meta Pixels on their websites to collect patient data. These lawsuits allege that this data, such as patients' names, ages, and medical conditions, has been released to Facebook and other third parties—without patient consent—for marketing purposes. The nature of the claims includes violations of consumer protection statutes, violations of state or federal wiretapping laws, breaches of fiduciary duties, and invasion of privacy, among many others.
These have the potential to be big claims. Companies like Google and Meta have faced lawsuits seeking damages in the hundreds of millions of dollars and even billions of dollars. So, the question is, are these claims covered by insurance? As always, the answer is it depends, but it's important to know where to look, what to look for, and what to consider on a go-forward basis to obtain appropriate coverage.
So first, the type of policy that is most likely to cover these types of claims is cyber. But there also could be coverage under other liability policies, such as Directors & Officers or Errors & Omissions, and maybe even general liability policies.
Second, the coverage grants to look for coverage within these policies include, but are not limited to, media liability, data and network liability, and professional liability.
Third, it's important to be aware of potentially applicable sub-limits and exclusions that insurers may increasingly seek to include in the policies. For example, expect insurers to try to add or invoke exclusions for media-related exposures, gathering or distribution of information, prior known acts, or willful violations of laws. To maximize coverage, policyholders, when negotiating their policies, should also keep in mind the importance of the definitions for key terms within these policies. Those definitions include computer system, confidential information, and claim.
Finally, policyholders should be prepared to face a more thorough underwriting process with longer, more granular questions related to privacy risks and these tracking technologies. Therefore, companies should be able to answer questions regarding how data is collected and shared within the company and what tools the company has to monitor and manage third-party applications. Answers that provide comfort to insurers will enable policyholders to obtain coverage on better terms and conditions, and better premiums.
Thank you for joining us, and we look forward to seeing you next time on "In the Know."