The steady move from marketing in traditional media to online platforms has always been accompanied by the development of assistive technologies. From cookies to the creation of psychometric profiles for individual users, marketers and advertisers are constantly searching for ways to refine their approach based on the characteristics of those they wish to target.
This, of course, is not a new phenomenon and is not solely a product of a digital age: whereas advertisers may have previously placed their adverts in publications known to have a suitable readership, this has now shifted online.
Now, however, a new technique to study user interaction has been revealed and, as yet, there is no opt-out. Indeed, many people do not even realise it is happening.
“Spy pixels”, or email pixels, are small files, usually GIFs or PNGs, which are embedded in emails and may be as small as 1 x 1 pixels (in more standard measurements, and to give an idea of scale, a pixel is roughly equivalent to 0.26mm). As well as being minute, these pixels are often coloured to match the content below them, making them almost impossible to spot with the naked eye. Further, users do not need to activate them – once an email containing a “spy pixel” is opened, they become active.
They are also widespread. Hey, a premium email service, conducted a review at the request of the BBC which found that British Airways, TalkTalk, Vodafone, Sainsbury’s, Tesco, HSBC, Asos and Unilever were among the brands in the UK using them. This review, argues Rory Lynch, a Senior Associate in Vardags’ Reputation & Privacy department, “has shone a spotlight on the clandestine world of spy pixels in emails.”
So what do they do?
“Spy pixels” are used to track user interactions with marketing emails. By embedding them into such emails, and analysing the results, marketers and advertisers are able to see if and when an email is opened, how many times it has been opened, on what kind of device it was opened and, by studying the user’s IP address, an approximate idea of the user’s physical location. This goes far beyond a read receipt: a study by Princeton University also found that the data gathered by these pixels was sometimes linked to data gathered by a user’s cookies, allowing for an email address to be tied to wider browsing habits.
What does the law say?
As mentioned previously, use of tracking pixels is regulated by the 2003 Privacy and Electronic Communications Regulations and the General Data Protection Regulation (GDPR). These laws require organisations to inform users that they have received pixels and ask consent for their use. Many companies, however, do not do this directly; instead, they point to the fact that their use of pixels is mentioned in their privacy policies.
This, however, is likely not sufficient – “Most are not even aware they exist, let alone that they are harvesting information about email recipients,” says Lynch.
“As a recent European Court of Justice decision has determined, it is not enough that their legal justification is buried in privacy notices or obscure, hard to read email footers. Rather, email recipients’ consent is required and this must be evidenced in a ‘clear affirmative act’.”
What can be done?
Users are able to install free plug-ins which strip out many pixel trackers or, alternatively, set their software options to block images or view emails as plain text. Beyond the individual actions of users, however, greater enforcement is likely to be necessary. Indeed, Lynch surmises:
“Class actions around misuse of private information and breach of data protection rights could be the result of more public awareness of this issue. No doubt established companies which rely on the marketing data from spy pixels may now look to confirm recipients’ consent in a more transparent way”.
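The 1 x 1 images described above are what image blocking and tracker-stripping tools have to recognise in a message. The sketch below is an added example, not code from this article or from any particular plug-in: it flags remote `<img>` tags declared as 1x1 or smaller in an email's HTML body, and the function names, the size threshold and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic threshold (assumption): an image this small shows nothing to the reader.
MAX_TRACKER_PX = 1
_STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*px", re.I)

def _dimensions(attrs):
    """Collect declared width/height from HTML attributes and inline CSS."""
    dims = {}
    for name in ("width", "height"):
        value = (attrs.get(name) or "").strip().lower().removesuffix("px")
        if value.isdigit():
            dims[name] = int(value)
    for name, value in _STYLE_DIM.findall(attrs.get("style") or ""):
        dims[name.lower()] = int(value)
    return dims

class PixelFinder(HTMLParser):
    """Records remote <img> tags whose declared size is 1x1 or smaller."""
    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        url = urlsplit(attrs.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, not fetched when the mail is opened
        dims = _dimensions(attrs)
        if len(dims) == 2 and max(dims.values()) <= MAX_TRACKER_PX:
            # has_query is only a hint (assumption) that the URL may identify the recipient
            self.suspects.append({"host": url.hostname, "has_query": bool(url.query)})

def find_spy_pixels(html_body):
    finder = PixelFinder()
    finder.feed(html_body)
    finder.close()
    return finder.suspects

# Constructed sample email body (not taken from a real message).
SAMPLE = """<html><body><p>Spring sale now on!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.mailer.example/o.gif?u=abc123" width="1" height="1">
<img src="https://track.mailer.example/p.png" style="width:1px; height:1px">
<img src="cid:logo@local" width="1" height="1"></body></html>"""
```

Images that declare no size at all are not flagged by this check, which is why blocking remote images outright or viewing mail as plain text remains the more complete option.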