The Pixel Problem for Pharma and DTC Health: 3 Risks Privacy Leaders Can’t Ignore
The California AG and Healthline Media just reached a landmark settlement that could change compliance for health and life science companies forever.
Healthline agreed to pay $1.55 million for collecting sensitive consumer health data via tracking pixels in violation of California privacy law. And they’re not the only ones. Early this year Amazon was sued for breaking Washington’s My Health My Data act after collecting consumer health data without disclosure or consent.
State privacy laws are beginning to define “consumer health information” more broadly, and collecting sensitive health data often requires opt-in. You need to be aware of how your pixels and marketing tools are processing health data because they could be putting your organization at risk.
So if you’ve been saying, “We’re not in ‘healthcare,’ we’re safe,” or even asking, “What the heck is a pixel anyway?” it’s time to get up to speed. Let’s dive into what pixels are and break down the three main risks they create for privacy leaders at non-HIPAA-covered pharmaceutical, health, and life science companies.
How Pixels and Marketing Technology Actually Collect Health Data
A website tracking pixel is a short piece of code embedded on your website that collects information as website visitors engage and transmits it to third-party marketing technology platforms, like Meta, Google Ads, and Google Analytics.
You can think of pixels as digital note takers for your website. When someone visits, pixels track which pages they go to, what buttons they click, and how long they stay. They also collect visitors’ personal information, such as IP address, device details, and URL and form field information.
Once this data is transmitted to marketing technology platforms, marketing uses it to analyze user engagement, target campaigns, personalize messaging, and more. There is nothing wrong with data-driven marketing in itself, but when marketing uses visitors’ health data without consent, it’s a different story. As state privacy laws continue to evolve, this creates increased regulatory risk—even for non-HIPAA-covered entities.
The Three Main Pixel Risk Vectors for Privacy Leaders
Getting your head around the wild world of marketing technology might seem like a herculean task. To make things simple, let’s focus on the three main pixel problems that you need to look out for.
1) Pixels could be collecting sensitive health information in URLs and event payloads
Many health and life sciences companies’ websites have condition names and diagnoses baked into their URLs and route structures. A blood sugar monitoring device company, for example, may have a webpage detailing how their product supports diabetes patients at the URL www.mybloodsugardevice.com/diabetes-support.
As visitors navigate the website, pixels will track their information and behavior, including URLs visited. If URLs include information related to condition names and diagnoses, such as “diabetes,” that information will be collected alongside identifiable information, like the user’s device ID and IP address.
Privacy laws are now defining “consumer health information” more broadly, and collection of health information in URLs without site visitors’ consent could compromise compliance. At the federal level, prescription discount platform GoodRx was fined $1.5 million by the FTC for using pixels to collect users’ health information without proper authorization or disclosure. And at the state level, Healthline Media settled with the State of California for $1.55 million after it violated CCPA by using pixels to collect users’ health information in the form of page view data without consent.
Health and life science companies, even non-HIPAA-covered entities, must be able to audit whether their pixels are collecting sensitive personal data in any form. And if pixels are collecting personal data, you must be able to sanitize health information from website engagement data so that marketing can continue to use data without putting the organization at risk.
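The two checks this section calls for, as an added example that is not code from the article or from any vendor: an audit that flags which parts of a page URL carry condition terms, and a sanitizer that produces the URL a pixel is allowed to receive. The term list and sample URL are constructed for illustration; a real list is site-specific.

```javascript
// Added example, not code from the article: audit a page URL for condition-
// related terms and produce the redacted URL a pixel is allowed to receive.
// The term list and the sample URL below are constructed for illustration.
const SENSITIVE_TERMS = new Set(["diabetes", "hiv", "depression", "oncology", "insulin"]);

// Match whole tokens, not substrings: "archive" must not trigger on "hiv".
function containsSensitive(text) {
  let lower = text;
  try { lower = decodeURIComponent(text); } catch (_) { /* keep raw text */ }
  const tokens = lower.toLowerCase().split(/[^a-z0-9]+/);
  return tokens.some((t) => SENSITIVE_TERMS.has(t));
}

// Audit: list the parts of a URL that would hand health context to a pixel.
function auditUrl(urlString) {
  const url = new URL(urlString);
  const findings = [];
  for (const seg of url.pathname.split("/")) {
    if (containsSensitive(seg)) findings.push(`path:${seg}`);
  }
  url.searchParams.forEach((value, key) => {
    if (containsSensitive(key) || containsSensitive(value)) findings.push(`query:${key}`);
  });
  return findings;
}

// Sanitize: replace sensitive path segments, drop sensitive query parameters
// and always strip the fragment, so page views still count without a diagnosis.
function sanitizeUrl(urlString) {
  const url = new URL(urlString);
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (containsSensitive(seg) ? "redacted" : seg))
    .join("/");
  for (const key of new Set(url.searchParams.keys())) {
    const values = url.searchParams.getAll(key);
    if (containsSensitive(key) || values.some(containsSensitive)) url.searchParams.delete(key);
  }
  url.hash = "";
  return url.toString();
}

// Constructed sample: the URL from the article with a campaign parameter added.
const SAMPLE_URL = "https://www.mybloodsugardevice.com/diabetes-support?utm_campaign=insulin-pump&ref=home#faq";
console.log(auditUrl(SAMPLE_URL));    // [ 'path:diabetes-support', 'query:utm_campaign' ]
console.log(sanitizeUrl(SAMPLE_URL)); // https://www.mybloodsugardevice.com/redacted?ref=home
```

Run `auditUrl` over your sitemap or analytics page-path export to get a first inventory of URLs that would leak condition context; `sanitizeUrl` is what the pixel wrapper should call before any page view or event is sent.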
As Mason Fitch, Of Counsel at Hintze Law, describes, “Just because your specific corner of the market has not seen litigation doesn’t mean you’re exempt.” It’s important for privacy teams to manage risk proactively as state and federal regulations continue to evolve.
2) Pre-consent collection and broken consent enforcement
Many organizations rely on website consent banners to collect visitors’ consent preferences. When a visitor arrives on your site, they can declare which categories of data can be collected, and which can’t.
But consent banners, even a full consent management platform, don’t guarantee compliance. Collecting consumers’ consent preferences alone isn’t enough—you also need to enforce those preferences across your website and marketing technology stack.
If you’re not careful, pixels can be configured to collect data before consent banners appear to visitors on your website. That means that before a visitor has the chance to declare which data can be tracked, pixels have already collected their IP address, clicks, and even email.
Collecting user data before consent preferences are shared can dramatically increase organizational risk. If you collect data types that the user later rejects tracking for, you’re at risk of violating CCPA and other regulations. The New York Attorney General, in particular, published guidance in July 2024 noting that collecting data before consent banners offer the chance to opt out is a “deceptive trade practice.”
To ensure your organization isn’t at risk, review your website tracking configuration and ensure that you’re using a consent management platform that can enforce consumers’ consent preferences once they’re collected.
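What “enforcing consent preferences” looks like in the page itself, as an added example that is not code from the article or from any consent management vendor: a gate that holds every pixel event until the banner is answered, then replays only the events whose category the visitor allowed. The category names, event shape and `send` callback are assumed.

```javascript
// Added example, not code from the article: a gate that holds pixel events
// until the visitor answers the consent banner, then forwards only the events
// whose category was allowed and drops the rest. Category names, the event
// shape and the send() callback are assumed for illustration.
class ConsentGate {
  constructor(send) {
    this.send = send;       // function(event): actually fires the vendor pixel
    this.decision = null;   // null until the banner has been answered
    this.pending = [];      // events captured before the decision
  }

  // Every pixel call goes through here. Before a decision, nothing leaves the
  // page; afterwards each event is checked against the stored preferences.
  track(event) {
    if (this.decision === null) { this.pending.push(event); return "queued"; }
    return this.forward(event);
  }

  // Called by the banner with the categories the visitor opted into.
  // Queued events are replayed, so a later "allow" loses no data and a
  // "reject" silently discards what was captured while the banner was open.
  decide(allowedCategories) {
    this.decision = new Set(allowedCategories);
    const results = this.pending.map((e) => this.forward(e));
    this.pending = [];
    return results;
  }

  forward(event) {
    if (this.decision.has(event.category)) { this.send(event); return "sent"; }
    return "dropped";
  }
}

// Constructed walk-through: a visitor browses before answering the banner,
// then allows analytics only. The vendor's base script must also be loaded
// only after decide(), since vendor snippets commonly fire a page view on load.
function simulateVisit(allowedCategories) {
  const sent = [];
  const gate = new ConsentGate((e) => sent.push(`${e.category}:${e.name}`));
  const early = [
    gate.track({ category: "marketing", name: "PageView" }),
    gate.track({ category: "analytics", name: "page_view" }),
  ];
  const replayed = gate.decide(allowedCategories);
  const late = gate.track({ category: "marketing", name: "Lead" });
  return { early, replayed, late, sent };
}
```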
3) Sharing sensitive data with platforms that do not want it
As privacy regulations have evolved, major platforms such as Meta and Google have introduced policy shifts around health and sensitive data categories.
Meta, for example, is now using an automatic tool that determines whether a business is a health and wellness organization based on website contents, business activity, and ad copy—regardless of whether it's a HIPAA-covered entity. If Meta identifies you as a health and wellness business, the platform will strictly reduce the data that you can track through Meta’s pixel. “Meta doesn’t want health data in their system,” Mason explains. “If they designate you a health or wellness website, they chop off everything other than the top level domain in tracking.”
Pharma marketers should assume Meta will increasingly block or de-prioritize any signal that could imply a sensitive health trait, so the play is to minimize health context while preserving attribution. Stop sending condition-, symptom-, or treatment-related details (in URLs, event metadata, and event names); switch to neutral custom event names; and structure conversions to pass only the minimum required signal (often just the click ID) rather than rich payloads.
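The minimization described above, as an added example that is not code from the article or any ad platform’s SDK: conversions are built from an allowlist, so only explicitly permitted, type-checked fields survive and the event name comes from a fixed map of neutral names. The map, field names and sample payload are assumed.

```javascript
// Added example, not code from the article: build the conversion event a
// marketing pixel receives from an allowlist, so only the fields the business
// chose to share (here a click identifier, value and currency) survive and the
// event name is a neutral one from a fixed map. The map, field names and the
// sample payload are assumed for illustration.
const NEUTRAL_EVENT_NAMES = {
  "diabetes-starter-kit-signup": "signup",
  "insulin-pump-demo-request": "lead",
};

// Each allowed field carries a validator, so free text cannot be smuggled
// into an allowed key (e.g. a note typed into the click_id slot is dropped).
const ALLOWED_FIELDS = {
  click_id: (v) => typeof v === "string" && /^[A-Za-z0-9_-]{1,128}$/.test(v),
  value:    (v) => typeof v === "number" && Number.isFinite(v),
  currency: (v) => typeof v === "string" && /^[A-Z]{3}$/.test(v),
};

// Allowlisting is structural: there is no term list to keep current, because
// anything not explicitly permitted never reaches the platform. Unmapped
// internal event names fail closed instead of leaking their own wording.
function buildConversionEvent(internalName, rawPayload) {
  const name = NEUTRAL_EVENT_NAMES[internalName];
  if (name === undefined) {
    return { ok: false, error: `no neutral name mapped for "${internalName}"` };
  }
  const payload = {};
  const dropped = [];   // kept for an audit log of what was withheld
  for (const [key, value] of Object.entries(rawPayload)) {
    const check = ALLOWED_FIELDS[key];
    if (check && check(value)) payload[key] = value; else dropped.push(key);
  }
  return { ok: true, name, payload, dropped };
}

// Constructed sample: what a form handler might hand to the pixel wrapper.
const RAW = {
  click_id: "abc123",
  value: 0,
  currency: "USD",
  condition: "type 2 diabetes",
  page_path: "/diabetes-support",
  product: "insulin pump",
};
console.log(buildConversionEvent("diabetes-starter-kit-signup", RAW));
```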
Get the Power of Data-Driven Marketing Without the Risks
Responsible data collection empowers your marketing and product teams to make better decisions and drive business growth. But irresponsible collection can lead to catastrophic compliance risks.
As with any important decision, information must come before action. If you don’t know what pixels are on your website or how they’re collecting data, that’s a great place to start. Get the full lay of the land with our Web Tracker Report, a simple tool that gives you a complete picture of all the web trackers on your website so you can protect sensitive patient information.