Privacy and Data Tracking: Cookies are for Children

Growing up as the internet was first hitting its stride, I learned a lot of true and false information regarding the World Wide Web. One topic that I frequently heard about was cookies. As an aside, I always imagined Cookie Monster trying to get a job in I.T. for the cookies.

I heard things like, cookies were the way the government tracked you, you better delete your cookies or your computer is going to crash, or the hackers are going to steal your information with the cookies. Nowadays, cookies aren't that big of a deal. We don't like them, but we know what they are. The problem is, cookies aren't the only game in town anymore. Enter the pixel.

Pixels, or tracking pixels, are a new way for marketers and advertisers to track our information on the internet. While both pixels and cookies track user data, there are some key differences:

1. Cookies are like little digital notepads that store information on your device, whereas pixels take your information and send it to an external server.
   1. That means it's easy to delete a cookie with your information on it, but it's much harder to delete information taken by a pixel.
2. It is relatively easy to avoid having a cookie take your information, it is much harder to stop a pixel from taking your information.
3. Because information tracked by pixels is stored on an external server, the information is much less secure and more susceptible to hacking.

All in all, not the best. However, for credit unions, one particular issue has kept popping up on my radar. Credit unions don't always know if their website has tracking pixels. That's right. It's possible you have tracking pixels and don't know it. Sometimes pixels are added by a third party, such as Google Analytics or Facebook Ads Manager. There should be something in the credit union's contract or a way to manage the pixels. However, some credit unions may not have caught it or maybe the marketing team caught it but not the compliance/privacy team. If a credit union does not know it has tracking pixels on its website, it doesn't necessarily know what information is being taken and sent to an external, non-credit union, server. Considering that credit unions are subject to privacy laws, such as the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, Regulation P, this could be a lawsuit or enforcement action waiting to happen.

Under Regulation P, credit unions are required to provide an initial privacy notice to their customers and to any consumer prior to sharing nonpublic personal information about the consumer to a nonaffiliated third party.

The initial privacy notice discloses what information is collected and how the information is used and shared by the credit union. When a credit union does not know that its website has pixels, it is possible that the privacy notice provided to its customers and consumers do not cover the information the pixels collect and share.

This is not just fantasy either. On February 4, 2025, a class action lawsuit was filed against Guardian Credit Union. The defendants claim that Guardian wrongly used website trackers, such as pixels, to collect information without user permission. Whether Guardian actually wrongly collected and shared information, I don't know. However, based on this suit, it seems pixels are on the minds of class action attorneys. That means if you don't know whether your website has pixels and it does, you could be the next target.