Observer investigation reveals NHS trusts, mental health charities and police forces sharing sensitive data with Meta via Meta Pixels on their websites
An investigation by the Observer into use of the Meta Pixel has revealed that numerous public and charity sector organisations have been sharing sensitive information with Meta due to the use of the Meta Pixel on their websites.
The Observer found that 20 NHS trusts had been sharing sensitive health data about patients’ medical conditions, appointments and treatments.
The information sent to Meta by the NHS websites included data which could reveal personal medical details when linked to an individual, such as when website users clicked buttons to book appointments, order repeat prescriptions, request referrals or complete an online counselling course.
It was collected from patients who visited NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and other issues.
According to the Guardian report:
- Millions of patients are potentially affected.
- The 20 NHS trusts that were using the Meta Pixel on their websites have since removed it.
Mental Health charities
The information sent to Meta by the mental health charities’ websites included details of website users’ browsing behaviour, such as:
- Webpages visited and buttons clicked across content linked to depression, self-harm and eating disorders.
- Details of when users requested support – such as clicking a link saying “I need help”.
- Details of when users viewed webpages to access online chat tools.
Some of the webpages were aimed specifically at children, including a page aimed at teenagers offering advice on suicidal thoughts.
The information sent to Meta included sensitive data about people using its website to report sexual offences, domestic abuse and other crimes, including:
- Records of browsing activity about people using an online form for victims and witnesses to report offences.
- Details about content viewed and buttons clicked on webpages linked to contacting police and accessing victim services and advice pages for crimes including rape, assaults, stalking and fraud.
According to the Guardian article: “In one case, Facebook received a parcel of data when someone clicked a link to “securely and confidentially report rape or sexual assault” to the Met online. This included the sexual nature of the offence being reported, the time the page was viewed and a code denoting the person’s Facebook account ID.”
Norfolk and Suffolk Police were also found to have shared data about people accessing sensitive webpages, including when web visitors clicked links to report antisocial behaviour, domestic abuse, rape, hate crime and corruption, as well as when they clicked to view a page titled: “Tell us something anonymously.”
The Guardian article reports that the ICO has been made aware of the Observer’s findings and is investigating. We haven’t seen anything on the ICO website about this yet, so we await confirmation of the outcome of the ICO’s investigation and any enforcement action it decides to take.
What is the Meta Pixel?
The Meta Pixel is a free tracking tool that is embedded in websites and collects users’ browsing information, such as pages viewed, buttons clicked and keywords searched, matching this to the user’s IP address and, in many cases, their Facebook account.
In Meta’s own words, it is “a piece of code … that lets you measure, optimise and build audiences for your ad campaigns”.
It’s one of several “Business Tools” – “technologies offered by Meta Platforms, Inc. and Meta Platforms Ireland Limited that help website owners and publishers, app developers and business partners, including advertisers and others, integrate with Meta, understand and measure their products and services, and better reach and serve people who use or might be interested in their products and services.” The Business Tools are, in turn, one category of “Meta Products”.
It is added to websites by website owners (or their developers) deliberately.
The information it collects can then be used by Meta for its own business purposes, including providing and improving its online advertising services.
This Meta pop-up privacy information describes how Meta collects data from third parties via the Meta Pixel (among other products).
Why does it matter?
The use of the Meta Pixel on these organisations’ websites has resulted in millions of people’s sensitive data being shared with Meta – a serious breach of privacy and trust affecting vulnerable individuals and undermining confidence in healthcare providers, charities and police forces to treat information safely.
The ‘covert’ nature of the data collection and sharing is a particularly sinister aspect to this story, taking place without website users agreeing to the sharing of their information or even knowing that it was happening.
What’s the nature of the breach?
This data sharing isn’t a breach in the ‘usual’ sense of the term – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In fact, the data sharing via the Meta Pixel is a result of this Business Tool working in exactly the way it is designed and intended to work and as described in Meta’s legal terms and privacy information.
However, it’s likely that the organisations that included it on their websites breached the GDPR in various ways, including:
- Unlawful processing of special category personal data: Data relating to health, sex life and sexual orientation is “special category personal data”, which cannot be processed unless one of the legal bases in Article 9.2 of the GDPR applies. The only basis potentially available in connection with the websites would be the “explicit consent” of the website visitors to the sharing with Meta for a specified purpose, and as no such consent was obtained by any of the organisations involved, it’s hard to see how this data sharing could have a lawful basis. The Observer found that the data transfer happened automatically upon loading webpages, before the user had a chance to accept or decline cookies.
- Purpose limitation breaches: Under the ‘purpose limitation principle’ in Article 5.1.b., personal data must only be collected “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. It doesn’t appear that the organisations had any purpose at all for this data sharing, never mind specifying a purpose to their website visitors.
- Transparency failures: In accordance with the ‘lawfulness, fairness and transparency principle’ under Article 5.1.a. and privacy notice requirements under Articles 12, 13 and 14, organisations are required to tell people about what data they collect, what it is used for and who they share it with. It seems that most of the organisations failed to include details of this data sharing in their privacy notices.
- Non-compliance with data protection by design and default/data minimisation: Embedding the Meta Pixel in the websites, thereby enabling ongoing data sharing with Meta, is clearly not in line with the ‘Data protection by design and default’ obligation under Article 25 or the ‘Data minimisation principle’ under Article 5.1.c, as the collection and sharing of the data doesn’t appear necessary for the purposes for which the webpages are provided. As mentioned above, the data transfer happened automatically upon loading webpages, before users clicked to accept or decline cookies, meaning that the ‘default setting’ was that data would be collected and shared.
- DPIA failures: The organisations should probably have carried out a data protection impact assessment (DPIA) as required under Article 35 before using the Meta Pixel. The circumstances and the nature of the data and data subjects involved are likely to trigger the need for a DPIA in line with ICO and EDPB guidance.
How did this happen?
The main problem here is probably that the organisations and people involved in creating and publishing the webpages just didn’t know about the Meta Pixel – what it is, what it does, that it was even on their websites.
It’s ironic that many of the organisations involved have some of the strictest information governance and confidentiality rules and requirements, at least on paper, in the form of policies and contractual terms that staff and organisations doing business with them have to sign up to and comply with.
Any lawyer who’s assisted companies that provide services to NHS trusts or collaborate with them on research projects can testify to the exacting requirements regarding protecting data and complying with data protection law in the underlying legal agreements.
See for example the NHS Data Security and Protection Toolkit for organisations that have access to patient data and NHS Information Governance guidance about the use of personal confidential data in health care, and the Metropolitan Police Digital Policing Strategy 2021-25. People who work for NHS trusts have to undertake information governance training annually.
Most staff probably know to avoid clicking on links in dodgy emails, not to leave paper documents on their desk or the bus, to be careful about who they send patient/client data to, and to only use organisation-approved apps, services and platforms for storing or sharing sensitive data. But something like the Meta Pixel – which won’t be visible to most staff and probably appears innocuous to those who are aware of it – just isn’t on the radar of things to be wary of. It’s highly unlikely that staff data protection training advises staff to refrain from installing the Meta Pixel on their websites.
It seems that most of the organisations had originally added the Meta Pixel to their websites in connection with recruitment campaigns, events, fundraising, campaigning and promoting their support services.
Most people working in organisations, even those responsible for building websites, probably have no idea that:
- The kind of data collected by the Meta Pixel and similar tools is personal data for the purposes of the GDPR, nor how that kind of data can be linked to other data such as IP addresses and Facebook accounts to identify individuals online and create profiles.
- Use of the Meta Pixel results in sharing data with Meta (referred to as “Event Data”, a subcategory of “Business Tools Data”, as described in its Business Tools Terms).
- By adding the Meta Pixel to their websites they are entering into a legally-binding contract with Meta under its Business Tools Terms and agreeing to Meta using the data it receives for its own commercial purposes as described in those terms:
- They are making legally-binding representations and warranties to Meta that the organisation they work for:
  - has all necessary rights and permissions and a lawful basis for the disclosure and use of Business Tool Data;
  - will not share Business Tool Data that it knows or reasonably should know is from or about children under the age of 13 or that includes health, financial information or other categories of sensitive information;
  - has provided robust and sufficiently prominent notice to users regarding the Business Tool Data collection, sharing and usage that includes, at a minimum:
- In the EU and UK, which are “jurisdictions that require informed consent for storing and accessing cookies or other information on an end user’s device”, they must ensure, in a verifiable manner, that end users provide all necessary consents before they use Meta Business Tools to enable the storage of and access to Meta cookies or other information on end users’ devices.
- They are instructing Meta to process personal data for the purposes of providing matching, measurement and analytics services as described in its Data Processing Terms.
- They are a joint controller with Meta for the use of Event Data for the purposes of ads targeting and delivery and delivering commercial and transactional messages, and have obligations regarding privacy notices, determining a legal basis and security, as described in its Controller Addendum.
What does this mean for my business?
You need to know whether the Meta Pixel or similar tracking tools are installed on your websites. Ask your developers/IT team, carry out a cookie scan and/or check your own browser cookies after visiting your websites.
If you don’t need these tools, delete them from your website.
If you do need them, you’ll have to make sure you can continue to use them in compliance with the GDPR, e.g.
- Ensure you have a solid legal basis to rely on for the data you collect and share.
- If you’re relying on consent as your legal basis, ensure that you obtain that consent in compliance with the GDPR from each website user.
- Ensure you provide your website users with the information required by the GDPR about the tools.
- Carry out a DPIA if you need to.
- Assess whether you need to change your website design to comply with the GDPR requirements regarding data minimisation and data protection by design and default.
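A first-pass version of the website check described above, as an added example that is not part of the original article: it scans a page's HTML source for the Meta Pixel loader (`fbevents.js`), `fbq(...)` calls and the `facebook.com/tr` image beacon, and flags an `fbq('init', ...)` that runs on page load with no earlier `fbq('consent', 'revoke')`. The sample pages, the placeholder pixel ID and the `data-consent` attribute are constructed for illustration, and the consent check is a static heuristic rather than proof of what a browser actually sends.

```python
import re
from html.parser import HTMLParser

LOADER = re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js", re.I)
BEACON = re.compile(r"facebook\.com/tr/?\?[^\"'\s]*\bid=(\d+)", re.I)
FBQ_CALL = re.compile(r"fbq\(\s*['\"](\w+)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
JS_TYPES = {"", "module", "text/javascript", "application/javascript"}

class _Collector(HTMLParser):
    """Collects live script text and src URLs; scripts parked under a non-JS type are skipped."""
    def __init__(self):
        super().__init__()
        self.live, self.scripts, self.urls = False, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.live = (a.get("type") or "").strip().lower() in JS_TYPES
        if a.get("src") and (tag == "img" or (tag == "script" and self.live)):
            self.urls.append(a["src"])

    def handle_endtag(self, tag):
        self.live = self.live and tag != "script"

    def handle_data(self, data):
        if self.live:
            self.scripts.append(data)

def audit_page(html):
    """Return Meta Pixel indicators found in one page's HTML source."""
    p = _Collector()
    p.feed(html)
    p.close()
    inline = "".join(p.scripts)
    calls = FBQ_CALL.findall(inline)
    init_at = next((i for i, (cmd, _) in enumerate(calls) if cmd == "init"), None)
    ids = {a for c, a in calls if c == "init"} | {m[1] for m in map(BEACON.search, p.urls) if m}
    return {
        "loader": any(LOADER.search(s) for s in [inline, *p.urls]),
        "pixel_ids": sorted(ids),
        "events": [a for c, a in calls if c in ("track", "trackCustom")],
        # Heuristic: init runs on page load with no earlier fbq('consent', 'revoke').
        "fires_on_load": init_at is not None and ("consent", "revoke") not in calls[:init_at],
    }

# Constructed sample pages; the pixel ID is a placeholder, not a real one.
UNGATED = """<script>!function(f,b,e,v){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>"""
GATED = UNGATED.replace("<script>", '<script type="text/plain" data-consent="marketing">')
```

The gated sample still reports a pixel ID because the `<noscript>` image beacon is not affected by re-typing the script tag. Tags injected at runtime by a tag manager will not appear in static source, so pair this with a check of browser cookies and live network requests.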
How can we help?
- Help you understand whether there is an available legal basis for your use of these tools, and if so, which is the most suitable.
- Advise on compliant consent mechanisms and provide suitable text for them.
- Update your privacy notices to describe the processing enabled by the tools.
- Advise on whether you need to do a DPIA and help you produce it.
- Advise on how you can implement data protection by design and default on your website.
Do get in touch if you have any concerns about your website: call Hannah Kirby now on 01865 953542 or email firstname.lastname@example.org.