Guess who’s getting sued again!

This summer, Meta is facing renewed criticism of how it manages, and often violates, personal privacy online. Meta, the parent company of Facebook, Instagram, and many others, is facing a class action lawsuit in the Northern District of California over its collection of personal data through its webpage marketing integrations. As reported in the HIPAA Journal reported on August 1, 2022

The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Those who are unfamiliar with client-side risk (whether data privacy compliance or security)  may be shocked to learn how common this type of practice is, although it is a hallmark of the risk present in nearly every web page on the World Wide Web. 

Meta’s marketing technologies include a service known as the Meta Pixel. This technology is a very useful tool for people who run customer-facing websites because it allows them to leverage the advertising and user tracking capabilities provided by the advanced and immensely popular social media advertising platform developed by Meta over the past decades. 

While this tool grants powerful tools to website administrators it simultaneously exposes vast swaths of user information to the Meta corporation. The Meta Pixel allows the collection of such information as a visitor’s IP address, geolocation, what buttons they click on, what form fields they interact with, and much more. 

The class action lawsuit alleges that ads like these are related to Meta’s collection of personal data on healthcare websites. Source: HIPAA Journal, August 2022

You’re more likely to get sick at the doctor’s office website than anywhere else

In any context, this is an immensely invasive technology that introduces potential material risk to a wide variety of organizations. When it is installed on websites which are subject to regulatory concerns, such as HIPAA, CCPA, GDPR, PCI DSS, amongst many others, it becomes a serious liability for companies which run those websites. 

We have seen similar lawsuits in finance and other industries, such as the on-going action against Ally Bank who are alleged of exposing visitor data to marketing partners by installing technologies like the Meta Pixel within their web application. Regulatory pressure has increased for online retailers as well, as the new PCI DSS v4.0 compliance framework requires measures to address client-side risk specifically

Healthcare websites are particularly exposed to this type of risk. The average healthcare website, whether it be an insurer, care provider, health network, or online practice, often processes a unique combination of health information, payment information, and marketing data, creating a complex intersection of regulatory and compliance concerns. This high risk environment is often compounded by the sprawl of applications, websites, integrations, and organizational units that are involved. These factors all combine to create a data privacy and security nightmare. 

A prescription for good data hygiene

Source Defense has been on the forefront of eliminating client-side risks just like this one for nearly a decade. Our data privacy compliance and client-side security platform blocks hundreds of thousands of invasive actions performed by Meta Pixel and similar technologies every day – while at the same time ensuring that tools perform their essential business functions. By isolating code and managing code, such as the Meta Pixel, inside of the webpage itself. 

Source Defense ensures that sensitive information is never even exposed, let alone collected. We currently protect more than $20bn in revenues and thwart 2 billion compliance policy violations per quarter – we understand how to deal with this issue through a solution that is easy to manage, supports the needs of the entire business, and adds no additional strain to already overworked security teams.  

If you are curious about how Source Defense can help you secure your visitors’ private information and eliminate the compliance risk associated with running a public-facing web site, request a risk report to learn more about your organization’s current client-side risk and what you can do about it

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.