Are spy pixels a threat to online privacy?

The steady move from marketing in traditional media to online platforms has always been accompanied by the development of assistive technologies. From cookies to the creation of psychometric profiles for individual users, marketers and advertisers are constantly searching for ways to refine their approach based on the characteristics of those they wish to target.

This, of course, is not a new phenomenon and is not solely a product of a digital age: whereas advertisers may have previously placed their adverts in publications known to have a suitable readership, this has now shifted online.

Over recent years, public awareness of these techniques has grown and legislation has been introduced to aid this understanding. For instance, you will no doubt have noticed that on almost all websites you visit, a text bar will pop up at the bottom of the page, stating that the website uses cookies and asking if you are happy for them to do so. This is because, under GDPR, websites who wish to collect data from users within the EU must gain their explicit consent to do so. Further, each website must allow the user to determine which cookies they are willing to accept, rather than making it an all or nothing decision.

Now, however, a new technique to study user interaction has been revealed and as yet, there is no opt out. Indeed, many people do not even realise it is happening.

“Spy pixels”, or email pixels, are small files, usually GIFs or PNGS, which are embedded in emails and may be as small as 1 x 1 pixels (in more standard measurements, and to give an idea of scale, a pixel is roughly equivalent to 0.26mm.) As well as their minute size, the colour of these pixels is often designed to match the content below, making them almost impossible to spot to the naked eye. Further, users do not need to activate them – once an email containing a “spy pixel” is opened, they become active.

They are also widespread. Hey’s, a premium email service, conducted a review at the request of the BBC which found that British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Asos and Unilever were among brands in the UK which were found to be using them. This review, argues Rory Lynch, a Senior Associate in Vardags’ Reputation & Privacy department, “has shone a spotlight on the clandestine world of spy pixels in emails.”

So what do they do?

“Spy pixels” are used to track user interactions with marketing emails. By embedding them into such emails, and analysing the results, marketers and advertisers are able to see if and when an email is opened, how many times it has been opened, on what kind of device it was opened and through studying the user’s IP address, an approximate idea of the user’s physical location. Far beyond a read receipt, a study by Princeton University also found that the data gathered by these pixels was sometimes linked to data gathered by a user’s cookies, allowing for an email address to be tied to wider browsing habits.

What does the law say?

As mentioned previously, use of tracking pixels is regulated by the 2003 Privacy and Electronic Communications Regulations and the General Data Protection Regulation (GDPR). These laws require organisations to inform users that they have received pixels and ask consent for their use. Many companies, however, do not do this directly; instead, they point to the fact that their use of pixels is mentioned in their privacy policies.

This, however, is likely not sufficient – “Most are not even aware they exist, let alone that they are harvesting information about email recipients,” says Lynch.

“As a recent European Court of Justice decision has determined, it is not enough that their legal justification is buried in privacy notices or obscure, hard to read email footers. Rather, email recipients’ consent is required and this must be evidenced in a “clear affirmative act”.

What can be done?

Users are able to install free plug-ins which strip out many pixel trackers or, alternatively, set their software options to block images or view emails as plain text. Beyond the individual actions of users, however, greater enforcement is likely to be necessary. Indeed, Lynch surmises:

“Class actions around misuse of private information and breach of data protection rights could be the result of more public awareness of this issue.  No doubt established companies which rely on the marketing data from spy pixels may now look to confirm recipients’ consent in a more transparent way”.

Read more about our best Reputation and Privacy lawyers for cyber security.

Whether you are facing defamation in the press, by an individual, harassment, blackmail, mishandling of your private data, pre-publication threats, or you wish to gain top legal advice on such matters, reach out to our leading reputation and privacy team today.