The hidden risks of data tracking: navigating privacy concerns amid rising litigation

Trends | Article | November 18, 2025

Digital marketing is delivering powerful results – but without tight controls, data tracking tools can lead to serious privacy violations. With litigation emerging, Debra Burford, Zurich’s Global Head of Financial Lines, Cyber and Credit Lines Claims, explores how businesses can manage privacy and maximize data-driven value.


Corporate marketing strategies have evolved beyond recognition in the digital era. The days of static billboards and newspaper adverts have given way to dynamic data-driven campaigns with hyper-personalized messaging driven by consumers’ real-time internet activity.

The business case is clear. Every day, consumers leave traces of their digital identity, purchasing preferences, downloads and browsing habits. Access to this information is a marketer’s dream, leading to higher conversion rates, improved return on advertising spend and invaluable customer insight.

However, increasingly sophisticated digital marketing strategies are potentially colliding with invasion of privacy laws. In Europe, the General Data Protection Regulation (GDPR) is clear that users must give explicit, informed and freely given consent before personal data is processed, and other data protection laws around the world set similar standards.

Pixel tracking: a double-edged sword?

At Zurich, we are seeing a rising number of invasion of privacy claims, often relating to tracking technology – and particularly, the use of pixels.

Pixels are tiny images, or snippets of code, embedded in a website or email. Major tech platforms like Meta and Google provide tracking pixels to third-party websites and apps to collect information about how users interact with content – tracking actions such as page visits, clicks and conversions. The data is fed back to the platform, analyzed and subsequently used to optimize highly targeted marketing campaigns.
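For site owners who want to see which pixels and third-party tags a page actually loads, the following added example (not from the original article) parses a page's HTML and lists every script, image and iframe that makes the browser contact another host, along with the query parameter names sent with it. The site name, hosts, parameter names and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample page for a hypothetical first-party site, shop.example.
FIRST_PARTY = "shop.example"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://tags.adplatform.example/pixel.js"></script>
</head><body>
<img src="https://cdn.shop.example/logo.png" width="200" height="60">
<img src="https://tags.adplatform.example/collect?id=123&amp;event=PageView&amp;page=%2Fclinic%2Fbooking"
     width="1" height="1" style="display:none">
<iframe src="https://video.partner.example/embed/42"></iframe>
</body></html>
"""

class TagInventory(HTMLParser):
    """Collects elements that cause the browser to contact a third-party host."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        host = url.hostname
        # Relative URLs and first-party (sub)domains are not third-party flows.
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return
        self.findings.append({
            "tag": tag,
            "host": host,
            # A 1x1 image is the classic tracking-pixel shape.
            "pixel": tag == "img" and a.get("width") == "1" and a.get("height") == "1",
            # Parameter names show what kind of data leaves with the request.
            "params": [k for k, _ in parse_qsl(url.query)],
        })

def inventory(html, first_party):
    parser = TagInventory(first_party)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for finding in inventory(SAMPLE_HTML, FIRST_PARTY):
        print(finding)
```

Static markup only shows tags present in the HTML itself; tags injected at runtime by a tag manager need a check of the browser's actual network requests.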

Pixels are a well-established tool in the modern marketing armory, with research suggesting 55% of companies in the S&P500 use them on their website. When used with the appropriate governance and necessary consents in place, pixel tracking is a legitimate and successful strategy.

However, without appropriate controls to ensure responsible deployment, their use raises serious questions about consent and data sharing with third parties – and potentially leaves businesses vulnerable to regulatory action or litigation.

The rising tide of privacy litigation

There is already a rise in pixel-related lawsuits in the United States, where plaintiff firms are bringing claims under statutes never intended for this purpose — including the California Invasion of Privacy Act (CIPA), Pennsylvania Wiretap Act, Health Information Privacy Act (HIPAA) and Video Privacy Protection Act (VPPA). These cases often centre on whether website users provided informed consent for data collection and transmission through tracking tools.

Healthcare has become a particular target. Several U.S. hospital systems have faced class actions alleging that the Meta Pixel transmitted protected health information to third parties. To date, most of these cases have not reached the higher courts.

Many suits have been dismissed early because the laws cited pre-date modern tracking technologies, while some defendants have chosen to settle. Even without firm precedents being established, the rising number of filings shows that plaintiffs’ firms are testing the boundaries of existing privacy law. Even if no legal liability is found, these lawsuits often seek very large sums in damages and can be costly and distracting for organizations.

Choice and consent: the compliance challenges

Many businesses are unaware of the extent to which they are using pixels or don’t have a clear understanding of the data flows involved. Consequently, unauthorized data collection is more pervasive than most people realize.

Last year, for example, the Swedish Data Protection Authority fined a bank around 1.3 million euros after finding that a Meta Pixel had been incorrectly configured and personal data transferred to Meta Platforms without proper safeguards.

Furthermore, the concept of consent is not straightforward – simply installing a pop-up consent banner onto a website is not necessarily sufficient. Generic language, consent that is bundled with other permissions, or a lack of choice may be considered red flags by regulators or lawmakers.

In November 2023, for example, Meta introduced a “pay or consent” system across Facebook and Instagram in Europe, giving users a choice between paying a monthly fee for an ad-free experience or agreeing to personalized advertising based on their tracked data. The European Commission argued that this model breached the Digital Markets Act because it pressured users to accept tracking rather than offering a truly free choice and fined the organization 200 million euros.

Implications for risk professionals

These trends highlight the need for risk professionals to implement robust privacy governance around consent mechanisms, data flows and vendor controls wherever marketing or analytics technologies are used. These are not just technology or marketing issues – they touch many parts of the business, from legal to procurement, and risk professionals are well-placed to lead a joined-up response.

As a minimum, businesses should consider the following five steps:

Map the ecosystem: Identify all teams and third parties involved in marketing, analytics and data processing. Understand their role in handling customer data and secure integrated oversight across the core functions.

Conduct privacy impact assessments: Understand current pixel usage and data flows, establishing processes to assess all new products and data uses. Pay particular attention to free or off-the-shelf marketing products.

Align policies: Ensure marketing policies, procurement guidelines and data privacy policies are up to date and aligned with current regulatory requirements. Embed best practice across the business, including clear consent mechanisms and appropriate email and web security controls. Minimize retention of sensitive personal information and apply strong access controls and encryption.

Educate: Raise awareness among employees about digital marketing, privacy and consent. Keep teams updated on emerging AI and analytics tools and their privacy implications.

Monitor legal developments: Stay abreast of new laws or amendments to regulation across all jurisdictions. Engage with brokers, insurers or global partners for guidance on emerging trends.

Maximizing the business opportunity

When used correctly and responsibly, tracking technology can form a central tenet of a powerful marketing strategy, leading to positive outcomes for both the business and the consumer. The challenge is not to avoid these tools altogether – but to use them appropriately.

Risk professionals have a leading role to play in ensuring businesses maximize the opportunities of data-driven marketing in a considered and compliant manner, avoiding the risk of third-party claims and expensive litigation.

The interplay between digital marketing strategies and the concepts of privacy and consent is complex, nuanced and continually evolving. Zurich is committed to working with its customers to help them keep pace with the shifting landscape, understand potential exposures and embed best practice.

Originally published on Commercial Risk on November 18, 2025.