By: Erin Gray
The release of Meta by Facebook in October of 2021 introduced another way in which Facebook may connect and increase interactions amongst people and companies across the globe. Like other online software, the “metaverse” creates virtual spaces where people can “create and explore” with others who can’t be in the same place as each other. More specifically, the development of Meta Pixel allows a website owner to track visitor activity, a process known as conversion tracking. This analytical tool is used to gain insight on audience habits and interests so that advertisements and other tools can be used to increase traffic. As enticing as this new software sounds, the risks that it poses to individuals’ privacy has already caused great uneasiness. As more entities have created and connected with this software, there have been growing concerns about data privacy and an influx of class-action litigation against its improper use.
Various universities and their athletic organizations operate their websites using Meta Pixel to offer their audience unique experiences to connect with their favorite teams. These universities use website operators such as Sidearm Sports LLC and Learfield Communications LLC to build and maintain their website audience. However, by using this analytical tool, colleges have exposed themselves to litigation for obtaining too much information about their website audience. Since the beginning of this year, there has been a drastic uptick of class action suits alleging illegal conduct under the VPPA on collegiate team websites. Recent cases were filed against top universities such as the University of Southern California, the University of Florida, the University of Nebraska and the University of Texas at Austin.
The Video Privacy Protection Act (VPPA) of 1988 is a federal statute that prohibits a video tape service provider from disclosing specific personally identifiable information (PII) of a consumer without their consent. Although the original language is specifically tailored to old technology, plaintiffs’ attorneys have attempted to apply the language to modern technological innovations. Litigation against streaming services in the 2010s led to an amendment to the VPPA to allow disclosure of PII once obtaining “informed, written consent” from consumers. Additionally, these class-action suits pose issues under state and federal wiretapping statutes, such as the Federal Wiretap Act of 1968, the Electronic Communications Privacy Act of 1986 and the California Invasion Privacy Act.
The plaintiffs in the University suits are alleging that the universities and their website operators knowingly and systematically disclosed PII without the plaintiffs’ consent by using Meta Pixel on their team websites. Although the universities and website operators did not purposefully share the plaintiffs’ information, by using Meta Pixel, they did not have to take any additional steps to disclose the PII.
While there are clear benefits to using this software to tailor their websites to their audiences, there are still great concerns for both the subscribers and universities. Facebook claims that they are building the software responsibly by anticipating risks to privacy, equity and inclusion, safety and integrity, and economic opportunity. Although these goals are aspirational, these recent class-action suits illustrate how at least two of these goals are being unmet. In a world where our lives are shared and stored across the internet, the privacy and safety of website audiences need to be of the utmost importance. Without giving explicit consent, as VPPA cites, disclosure of subscribers’ PII to outside sources is unacceptable.
Universities are also at risk by exposing themselves to suits from dedicated subscribers whose information was shared without their permission. These schools must decide if they are to use Meta Pixel, they should fully understand the extent of the PII collected and shared with other parties. If they choose to use it, the universities must prioritize giving adequate privacy notices and terms to their subscribers.
This story is a tale of caution not just to other universities, but to all businesses and websites that are storing and sharing the PII of their customers and audiences without proper consent. Data breach class-action lawsuits are not new but are increasingly important as the frequency of data sharing rises. Therefore, this type of litigation is essential to the securitization of personal information from threats, such as fraud and identity theft. These entities must be held accountable so that we can feel that our information is safe no matter where we click.
Student Bio: Erin Gray is a second-year law student at Suffolk University Law School. She is a staff writer for the Journal of High Technology Law. Due to her passion for technology law, Erin is also on the Executive Board of two student organizations, the Data Privacy & Cybersecurity Law Association and the Legal Innovation & Technology Student Association
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.