The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Can a company track whether someone has received email using web beacons, tracking pixels, or clear GIFs?
Various technologies are utilized – often in conjunction with marketing campaigns – to monitor whether the recipient of an email has opened or forwarded a message. One of the most common technologies used is referred to either as a “web beacon,” a “tracking pixel,” a “1x1 gif,” or a “clear gif.” The technology involves the placement of a small image file in an email. When a user opens the email, their browser or email client automatically downloads an image that is not visible to the naked eye from the server of the sender (or from the server of a service provider used by the sender). As part of requesting the download of the image file, the user’s computer sends a request to the host server that provides information such as the time that the request was made, the type of browser or email reader of the recipient, and the IP address of the recipient. The net result is that the organization that transmitted the email is alerted that the email was opened, the time that the email was opened, how many times the email was opened, and the general location of the recipient when the email was opened.
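As an added illustration (not part of the original article), the check below shows how a mail gateway or privacy reviewer could flag likely web beacons in an HTML email body using the traits described above: a remotely hosted image that is 1x1 or hidden. The sample message, its hostnames, and the `find_beacons` and `is_tiny` helpers are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def is_tiny(value):
    """True when a width/height attribute is 0 or 1 (e.g. "1", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        # Only remotely hosted images trigger a request to the sender's server;
        # inline attachments (cid:) and data: URIs do not.
        if url.scheme not in ("http", "https"):
            return
        reasons = []
        if is_tiny(a.get("width")) and is_tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            # A query string often carries a per-recipient identifier.
            self.findings.append({"host": url.hostname,
                                  "has_query": bool(url.query),
                                  "reasons": reasons})

def find_beacons(html):
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample email body (hostnames are placeholders).
SAMPLE_HTML = """<html><body><p>Spring sale starts today.</p>
<img src="https://cdn.example.com/banner.png" width="600" height="200">
<img src="https://track.example.net/o.gif?rid=abc123" width="1" height="1">
<img src="https://track.example.net/p.gif?m=42" style="display: none">
<img src="cid:logo@example.com" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML):
        print(finding)
```

The visible banner and the inline `cid:` attachment are not flagged; the two images served from the tracking host are.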
There is no prohibition under United States federal law on the use of web beacons to track whether someone has opened an email. While most state laws do not implicate the use of web beacons, a plaintiff may argue their use is covered by the California CCPA. Specifically, the CCPA defines “personal information” as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” including “electronic network activity information” such as “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”1 A plaintiff’s attorney is likely to argue that confirmation that a consumer has opened an email falls under the definition as that information is “linked” to the consumer (via the sender’s knowledge of the consumer’s email address) and relates to the consumer’s electronic network activity, or interaction with an advertisement. If the information learned as a result of the web beacon falls under the scope of the CCPA, the CCPA may require that the business disclose its collection of the information as part of its privacy notice, as well as disclose the “specific pieces of personal information” that the business has collected about the individual as part of a consumer’s access request.2
In comparison, the use of web beacons in email implicates two European data privacy rules – the GDPR and the ePrivacy Directive. The GDPR requires that organizations have one of six permissible purposes to process data. Under the Privacy Directive, which preceded the GDPR, the Article 29 Working Party – the independent advisory body to the European Commission on data protection matters prior to the implementation of the GDPR – analyzed which of these permissible purposes would justify the use of web beacons to track email opening. Their conclusion was that the only permissible purpose that would justify the use of web beacons was the consent of the email recipient:
In order to carry out the data processing activity consisting in retrieving from the recipient of an email, whether the recipient has read it and when and whether it has forwarded it to third parties, unambiguous consent from the recipient of the email is necessary. No other legal grounds justify this processing.3
While the Privacy Directive has been superseded by the GDPR, and the Article 29 Working Party has been superseded by the European Data Protection Board, the language requiring that an organization have one of six permissible purposes is the same under the GDPR as it was under the Privacy Directive. As a result, Member State supervisory authorities are likely to believe that consent is required.
Article 5(3) of the ePrivacy Directive requires that before gaining access to information “stored, in the terminal equipment of a subscriber or user” a company must generally obtain user consent. Although the Article 29 Working Party has not analyzed web beacons embedded within emails, it did analyze the use of web beacons on websites to “enable advertising services.” The Working Party reasoned that when a web beacon is used to collect “information elements from the user’s device” and those information elements are “transmitted to the third-parties” as part of carrying out “targeted advertising” the “consent of the user” is also required under the ePrivacy Directive.4