Google, Meta, H&R Block Face Lawsuit Over Privacy and Tracking Pixels

Data privacy lawsuits are not new. Companies are frequently facing legal challenges regarding their collection and use of consumer data, but absent a unifying federal law, many lawsuits are taking creative approaches.

The Racketeer Influenced and Corrupt Organizations (RICO) Act, passed in 1970, was not written with data privacy in mind. But it is being used as the basis for a new class action lawsuit against Google, Meta, and H&R Block.

The Class Action Lawsuit

The case hinges on the use of tracking pixels, code snippets embedded in websites to monitor user behavior. A July 2023 congressional report details how tax preparation companies including H&R Block, TaxAct, and TaxSlayer share taxpayer data with Google and Meta.

The report finds that the tax prep companies shared the data of millions of taxpayers with Meta, Google, and other large tech companies. It reports that the data was used for advertising purposes, and the companies in question were reckless in their treatment and sharing of taxpayer data.

“The findings of this report reveal a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms that appeared to violate taxpayers’ rights and may have violated taxpayer privacy law,” according to the report.

The class action lawsuit, filed by law firm Wisner Baum, alleges that the three companies colluded on the illegal collection, interception, and transmission of sensitive personal and financial tax return information (TRI).

Related:EU Big Tech Clampdown Probe Bites Apple, Microsoft

“Defendants’ deceptive and misleading scheme was calculated to extract valuable TRI from unwitting taxpayers on a massive scale. This TRI was, in turn, used to improve Defendants’ targeted advertising operations, a revenue-generator for all defendants,” according to the complaint.

The RICO Act was established to provide “enhanced sanctions and new remedies for dealing with the unlawful activities of those engaged in organized crime,” according to the US Department of Justice.

The class action lawsuit alleges that defendants violated the RICO act by engaging in “false, misleading and deceptive marketing and a racketeering conspiracy.”

Google spokesperson José Castañeda shares in an emailed statement: “We have strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual. Site owners -- not Google -- are in control of what information they collect and must inform their users of how it will be used. Additionally, Google has strict policies against advertising to people based on sensitive information.”

Related:EC Says European Private Data Can Flow to Compliant US Companies

Meta did not respond to InformationWeek’s request for comment, and H&R Block declined to comment on pending litigation.

Old Laws, New Lawsuits

While challenging three companies’ use of tracking pixels under the RICO Act may be a novel legal approach, it is part of a larger trend, according to Justin Daniels, equity partner at law firm Baker Donelson and faculty member at IANS Research.

“RICO is another flavor of … using existing laws for new purposes when it comes to our digital privacy and our digital activity. That's the bigger trend that you are seeing,” he says.

Plaintiffs are looking to other older legislation like the Video Privacy Protection Act (VPPA) to seek legal recourse for alleged data privacy violations in the modern era. The VPPA was enacted in 1988, a year in the bygone era of video rentals from brick-and-mortar stores. The VPPA was introduced in response to the release of Robert Bork’s video rental history, according to The National Law Review. Bork was a Supreme Court nominee at the time.

Modern lawsuits are arguing that companies using tracking pixels on their websites are violating this law through the disclosure of personally identifiable information as defined by the VPPA. The National Law Review describes this dismissal of claims made under the VPPA as “a mixed bag thus far.”

Related:4 Big Regulatory Issues To Ponder in 2023

The filing of the class action lawsuit against Google, Meta, and H&R Block is just the first step in a long legal process. But more privacy lawsuits could leverage the RICO Act if these plaintiffs secure a victory.

“Racketeering could mean greater damages awards (and hence higher settlements), so if the plaintiffs’ bar gains traction with this approach, we may see more of them,” Julie Rubash, general counsel and chief privacy officer at privacy software company Sourcepoint, tells InformationWeek via email.

The proliferation of data privacy lawsuits, and the multitude of approaches they leverage, is unlikely to slow in the coming years. “I think we desperately need a federal privacy law because absent that we're going to have 50 state privacy laws here in the next three to five years,” says Daniels. “As to whether or not a federal privacy law would stop these large companies, that depends on the details of how the legislation works.”

Tracking Pixels in the Spotlight

Tracking pixels continue to be a hot button data privacy issue. These tools have come under scrutiny in the health care field, which is answerable to the Health Insurance Portability and Accountability Act (HIPAA), and other industries. Beauty retailer Sephora agreed to pay $1.2 million to settle allegations that it violated the California Consumer Privacy Act (CCPA). The allegations focused on the company’s sale of user data and its failure to “process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA.”

The use of tracking pixels is widespread, and lawsuits are likely to continue challenging those using them. “It’s not all or nothing,” Dante Malagrino, chief product officer at security solutions company Protegrity, points out in an interview. Companies are not going to stop collecting data. It is a matter of understanding what data they are collecting and whether they are managing and using that data in accordance with privacy requirements.

“Companies should know what tracking pixels are placed on what properties, what type of data is collected and shared with what third parties for what purposes. From there, companies can assess the risk of each pixel placement and weigh that risk against the value of the pixel,” says Rubash.

Having that knowledge can help companies act appropriately. Do high-risk tracking pixels need to be removed? Does the company need to update its policies to offer users opt-out rights?

The Value of Data and the Cost of Privacy

Data is an extremely valuable commodity, and tracking pixels are one way for companies to extract that value. With so much money hanging in the balance and a patchwork regulatory landscape for data privacy rights, are these kinds of class action lawsuits a cost of doing business?

“Large companies that are in the spotlight (particularly those in the spotlight of a controversial practice such as web tracking) are going to be sued, whether or not what they are doing is lawful,” says Rubash. “From that perspective, defending lawsuits is a normal cost of doing business for such companies.”

Sephora’s $1.2 million settlement was the first enforcement action under the CCPA. As more enforcement action takes place and the regulatory landscape evolves in response to pressure to protect data privacy, the way companies view privacy and their business operations may change.

“The only way to increase the cost of business is going to be through some regulation that makes it a lot more expensive to violate people’s privacy,” says Malagrino.