You can’t see them, but Meta’s trackers are embedded in millions of websites across the internet, collecting data about where you go and what you do and sending it back to Meta. A recent investigation shows that these trackers reside on sites that even the most cynical of us might expect to be taboo: hospital sites, including patient portals, that are said to be protected by privacy laws.
This week, The Markup, a nonprofit news outlet reporting on the technology’s harms, released the latest findings from its investigation into metas pixels, which are bits of code developers can embed into websites to track their visitors . So far, these stories show government websites, pregnancy counseling centers and hospitals sending data to Meta via pixels, many of which are deemed sensitive to the users who unknowingly provided them.
It’s easy and understandable to blame Meta for this, considering the company has a well-deserved, less-than-stellar reputation when it comes to user privacy. In Pixel and other trackers, Meta has played a crucial role in building the privacy-free online world we must navigate today. The company supplies a tracking system designed to suck up user data from millions of websites and turn it into advertising gold, and they know full well that there are many instances where the tool has been poorly implemented at best and abused at worst. But this could also be a rare case of a Meta-related privacy scandal that isn’t entirely Meta’s fault, in part because Meta has done its best to shift the blame elsewhere.
Or as security researcher Zach Edwards put it: “Facebook wants its data cake and doesn’t want to eat the breaches.”
Businesses choose to place Meta’s trackers on their websites and apps, and again they choose what data about their visitors is sent to the social media giant. There’s just no good excuse these days for developers using Meta’s business tools not understanding how they work or what user data is being sent through them. At the very least, developers shouldn’t place them on health appointment scheduling pages or patient portals, which users have every reason to believe won’t secretly send their details to nosy third parties, as these sites often explicitly tell them they aren’t . Meta created a monster, but these websites are feeding it.
How pixel tracking makes it too easy
Meta provides pixels free of charge for companies to embed on their websites. Pixel collects and sends website visitor data to Meta, and Meta can match that to a user’s profile on Facebook or Instagram, giving much more insight into that user. (There are also instances where Meta collects information about people who don’t even have Meta accounts.) Some information, such as a visitor’s IP address, is automatically collected by Meta. But developers can also set up pixels to track something called “events”: various actions that users take on the website. This can include links they click or form responses they fill out, and it helps organizations better understand users or focus on specific behaviors or actions.
All of this data can then be used to target ads to these people or to create so-called “lookalike audiences”. This includes a company asking Meta to send ads to people who Meta believes are similar to its existing customers. The more data Meta gets from companies about these trackers, the better it should be able to target ads. Meta may also use this data to improve its own products and services. Businesses can also use pixel data for analytics to improve their products and services.
Businesses (or the third parties they hire to build their websites or run ad campaigns) have a lot of control over what data Meta receives about their customers. The Markup discovered that on some of the websites in its report, the appointment pages of the hospital website Meta conveyed the name of a person making an appointment, the date and time of the appointment, and the doctor the patient is seeing. When that happens, it’s because someone on the hospital side set up pixels to do it. Either the hospital did not fulfill its duty of care to protect this data or it did not consider it worthy of protection. Or maybe it was believed that Meta’s tools would prevent the company from collecting or using sensitive data sent to it.
In its most recent hospital survey, Markup found that a third of the hospitals it surveyed from a list of the top 100 hospitals in the country had a pixel on their scheduling pages, and seven healthcare systems had pixels on their patient portals. Several of the sites removed pixels after being contacted by the markup.
How can a hospital justify something like that? The only hospital to provide a detailed response to the markup, Houston Methodist, claimed it does not believe it sends protected health information to Meta. The markup found that when someone clicked “make an appointment,” the hospital’s website told Meta which doctor they made the appointment for, and even that searching “home abortion” found the doctor. But Houston Methodist said that scheduling an appointment didn’t mean the appointment was ever confirmed, nor did the person making the appointment be the person the appointment was actually intended for. Houston Methodist may think it doesn’t violate patients’ privacy, but his patients may feel differently. But they also would have no way of knowing this was even happening without using special tools or having some level of technical knowledge. Houston Methodist has since removed the pixel.
Another healthcare system that looked at the markup, Novant Health, said in a statement that the pixel was placed by a third party for a campaign to get more people to sign up for their patient portal system and was only used to see how many people signed up. But the markup found far more data than what was sent to Meta, including the medications users listed and their sexual orientation. This third-party provider seems to have made some mistakes here, but Novant is the one who has an obligation to their patients to keep their information private on websites that promise it. Not the third party and not meta.
That shouldn’t let Meta off the hook. Again, the pixel tracking system was created, and while it has rules and tools designed to prevent certain types of sensitive information – like health conditions – from being sent to it, Markup’s reports are evidence that these measures not suffice.
Meta told Recode in a statement that “our system is designed to filter out potentially sensitive data that it detects.” But the markup noted that those filters were missing when it came to data from at least one crisis pregnancy center website. Meta didn’t respond to Recode’s questions about what it does when it finds a company is breaking its rules.
Edwards, the security researcher, was even less sympathetic about how much blame Meta should get here.
“In my opinion, Facebook is 100 percent to blame,” he said.
Meta also didn’t respond to questions from Recode asking what it does to ensure companies follow its policies, or what it does with the sensitive information it doesn’t want companies to send. From the looks of it, it looks like Meta manufactures and distributes a tracking tool from which Meta can materially benefit. But if this tool is exploited or misused, someone else is to blame. Apparently, the only people paying the price are the website visitors, whose privacy is unknowingly violated.
What you can do to avoid pixels
There are a few things you can do to protect yourself here. Browsers like Safari, Firefox, and Brave offer tracker blockers. Todd Feathers, one of Markup’s hospital history reporters, told Recode that they used Chrome browsers without privacy extensions for their tests. Speaking of privacy extensions, you can get those too. VPNs and Apple’s paid private relay service can hide your IP address from the websites you visit.
Finally, Meta has controls that limit tracking and ad targeting outside of its platforms. The company claims that turning off “Data about your activity from partners” or “Activities outside of Facebook” prevents it from using data collected by Pixel to target ads to you. This means you trust Meta to do what they say their privacy tools do.
And, of course, there’s always a plea for your legislators to push for privacy laws that would explicitly make some of these practices illegal, or to force companies to inform users and get their consent before collecting their data and sending it to others. Just this week, some new federal privacy laws or bills were introduced. There is interest from some members of Congress, but not yet enough to even remotely approve anything.