Data collection is the gear that powers the modern internet. User data provides powerful behavioral insights, supercharges web analytics for tailored advertisements, and engages organizations in meaningful user experience research. But collecting that data requires tracking user behavior, which can lead to potential for personal data leaks, advertising spam, and unclear boundaries around what is considered invasive user research.
This article defines tracking pixels, their relation to current regulations, and how to evaluate your use of embedded pixels that direct user data to third-party corporations.
What is a Tracking Pixel?
Tracking pixels are known by many names, such as web beacons, embedded pixels, spy pixels, tracking bugs, and tracker pixels. They can be embedded into emails and websites to collect user data from email recipients and website visitors.
Intentionally unobtrusive, tracking pixels are a transparent 1x1 pixel file that functions as a near-invisible beacon to assess user activity. These pixels are typically embedded in JavaScript or HTML code on web pages and in email marketing.
Tracking pixels work by logging data that can aid businesses in building their customer profile and optimizing marketing and conversion efforts. When tracking pixel code is processed, it sends information back to the pixel server. Depending on the tool and the type of tracking pixel used, you might receive different types of user information.
In an email, a tracking pixel can collect engagement data to help you evaluate the efficacy of an email campaign, such as the following:
- Recipient open rates and session duration
- How much of the email was viewed by the recipient
- Recipient click rates
- The recipient's device type and email client
- IP and location data
On a website, a tracking pixel collects information about the user's digital experience, such as:
- The user's browser, operating system, and device type
- The user's screen resolution
- Date and time of access
- Website activities during the pixel session, such as ad interaction and consumer purchase data
- IP address and location data
Pixel tracking includes retargeting and conversion to provide consumer insights. If you have ever searched for one thing, then opened a social media platform where you received ads for that item, then you have experienced retargeting pixels. Conversion pixels evaluate your behaviors, such as completed purchases or specific user actions, and provide insights about likely future behavior. Tailored ads based on your existing website data result from both retargeting and conversion pixels.
Benefits to Using Tracking Pixels
Collecting information about user behaviors offers valuable data for optimization, conversion strategies, and other marketing purposes. Due to the minimal design, these pixels do not overwhelm or distract a user while they are navigating your site or reviewing an email.
Product and marketing departments can then use those insights to update their approaches or test new approaches. Some benefits to gathering behavioral user data through marketing pixels include the following insights:
- Customer journeys, including target audience and website visitor information
- Tailored advertisements and retargeting
- Marketing campaign efficacy and website ad conversions
- Email open and click rates
- Web analytics and search engine optimization
- Accurate reports on behavioral patterns
These snippets of information can help you improve your marketing efforts and ad campaigns based on actual user visits. Metrics around email tracking, digital marketing, and conversion rates provide valuable information to help you remarket to prospective customers.
However valuable the insights, tracking user data always has tradeoffs around exploitation of user information and potentially losing customer trust. It's even possible that your target audience may limit the use of tracking to protect their user privacy, which would limit the efficacy of marketing campaigns and digital ads.
Disadvantages to Using Tracking Pixels
While performance analytics measured through user behavior is invaluable to businesses, many consumers may view engagement monitoring as a form of spyware. Targeted advertisements developed through unobtrusive data collection may be perceived as invasive by a consumer, and the business may lose the consumer's trust in the future. To avoid losing user trust, you can provide users with the opportunity to opt out of tracking pixels.
Invasive data collection can also lead to potential data leaks of an individual's personally identifiable information if the data is not appropriately processed to remove identifiable details. Data processing and retention standards should be clarified to ensure that user data is appropriately sanitized and stored according to business needs. Research on data collection practices with app-based mental health services, like BetterHelp and GoodRx, identified that these apps collected sensitive health data and other PII that was then shared without clear privacy policies, which led to enforcement action by the United States Federal Trade Commission.
Spammers and other malicious actors may collect information through pixel tracking in order to facilitate phishing attacks based on whether an email address is valid. If a spam email is opened by the recipient and that information is tracked through a pixel, then the spammer knows that the email address is valid and the attacker may escalate their phishing probes into a malicious campaign. For example, if an attacker knows an email address is valid and the email recipient is likely to open emails, the attacker could take advantage of a vulnerability like the libwebp vulnerability to load malicious content into an email.
These issues become of concern when user data collection runs counter to regulations and laws around this information.
Global Regulations on User Tracking
Data privacy laws and regulations impact practices around user behavioral data collection. Different countries have different compliance requirements, and those regulations may also vary between industries.
The United States has multiple laws regarding user data collection, including the Health Insurance Portability and Accountability Act (HIPAA) regarding protected health information (PHI) and the Gramm-Leach-Bliley Act regulating financial institutions' use of consumer data. HIPAA violations can lead to major financial penalties depending on the category of violation, with tier four violations resulting in a minimum fine of over $68,000 per violation. Individual states have also set privacy regulations, such as the Ohio Data Protection Act and California's implementation of the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA).
The European Union’s General Data Protection Regulation (GDPR) sets data protection standards in the EU. To remain GDPR-compliant, organizations must receive user consent to use tracking pixels and provide consumers with the option to opt out of this behavioral tracking. In some cases, as with an August 2022 decision issued by the Austrian Data Protection Authority, data collection and subsequent transfer without proper sanitization would be considered a violation of the GDPR. According to Article 44 of the GDPR, the international transfer of personal data, such as the kind of data that tracking pixels can link to an individual's Facebook account, must meet specific criteria.
The GDPR is not the EU's only data protection ruling. The ePrivacy Directive dictates data privacy protections, such as consent-based user tracking and data retention and the removal or anonymization of specific data types.
The Indian Digital Personal Data Protection Act builds data protections similar to the GDPR, including consent-based data processing, as does the United Kingdom's Data Protection Act 2018.
If your site transmits user tracking data to a third-party service, it's important to audit that data collection to ensure it does not violate privacy regulations.
How UpGuard Can Help
UpGuard identifies when domains include tracking pixels that relay user data to Meta/Facebook and TikTok:
- Meta/Facebook Pixel detected
- TikTok Pixel detected
At the time of publication, we have identified over 11,000 organizations with embedded tracking pixels across a variety of industries, including universities, software technology, healthcare, ecommerce, and more. To find out if your organization impacted by these tracking pixels, log in and access your Risk Profile in BreachSight to search for the pixel findings. If you're not a current UpGuard user and you want to review your public-facing assets for these findings and more, sign up for a trial.
These tracking pixels share website user data with Meta or TikTok to generate audience data for retargeting campaigns. Embedding these pixels on your site can help you collect information relevant to the customer journey, but it's important to evaluate how the pixel setup complies with regulatory guidance around user data collection.
If you receive either pixel finding, you should review what type of data is collected and shared with these technologies. Avoid collecting personally identifiable information and ensure that data collection abides by applicable regulations.
