Striking a Digital Balance in Advertising and Privacy
Morgan Hennessey
Digital advertising is a critical part of most online business strategies. It enables businesses to reach their customers directly with minimal resistance to the final conversion, whether through a purchase or lead generation.[1] Meta advertising is among the most rewarding digital advertising platforms for businesses due to its highly targeted advertising capabilities.[2] However, this precision sparks concerns over consumer data privacy, making Meta the target of numerous lawsuits.
In a recent case, Texas secured one of the largest privacy settlements in history–$1.4 billion–with Meta to halt the company’s practice of capturing and using biometric data without lawful authorization.[3] Meta’s data collection practice violated the Texas Capture or Use of Biometric Identifier Act.[4]
Lawsuits stemming from the Meta platform’s data collection do not only target Meta. The individual companies that employ Meta’s advertising services also face legal risks, particularly when they use the Meta Pixel to gather and disclose personally identifiable information (“PII”) without the proper authorization. Costco,[5] GoodRx,[6] and Excela Health[7] are among the businesses that have been subject to lawsuits because they unlawfully shared PII with Meta without the proper consent from their customers and website visitors. These companies have been sued under laws such as the Health Insurance Portability and Accountability Act (“HIPAA”) and various state privacy statutes. These lawsuits underscore the evolving regulatory landscape around data privacy.
Recognizing these challenges, Meta has invested over $8 billion since 2019 in overhauling its privacy program.[8] Meta has focused on improving significant consumer-facing issues, such as end-to-end message encryption and granting access for users to download their data logs.[9]
Notably, in 2020, Meta began offering the Limited Data Use Flag, which allows businesses to send out a flag to alert Meta to “process data in accordance with its role as a service provider or processor with respect to flagged personal data.”[10] In other words, the flag warns Meta to treat personal data with greater care, and to not collect more personal data than necessary. But this is seemingly an “exclusive” service only being offered in states with codified data privacy laws[11]:
- California (under the California Consumer Privacy Act)
- Colorado (under the Colorado Privacy Act)
- Connecticut (under the Connecticut Data Privacy Act)
- Delaware (under the Delaware Personal Data Privacy Act)
- Florida (under the Florida Digital Bill of Rights)
- Montana (under the Montana Consumer Data Privacy Act)
- Nebraska (under the Nebraska Data Privacy Act)
- New Hampshire (under the New Hampshire Data Privacy Act)
- New Jersey (under the New Jersey Data Protection Act)
- Oregon (under the Oregon Consumer Privacy Act)
- Texas (under the Texas Data Privacy and Security Act)
One of the most basic acts of transparency an online business can perform is to inform consumers what data is being collected from them and how it is being used, typically by means of a “Website Cookie Notice” that allows website users to opt in or out of cookies.[12] However, Meta’s piecemeal Limited Data Use flagging implementation raises concerns about regulatory compliance across different jurisdictions.[13] This could create inconsistencies as to which pieces of data and PII nationwide businesses are collecting from their users and sharing with Meta, thereby misleading consumers through mixed messaging in Website Cookie Notices.
Although Meta has made a monumental investment to improve privacy, businesses should not assume that their data collection processes in advertising are consequently improved. While programs like the Limited Data Use Flag are steps in the right direction, the flag is only available in the states with strict statutory standards set for data privacy, and even then, employing the flagging is an affirmative action that needs to be taken by the businesses themselves.
One way for a business to be in control of all of the data collected on its website is to employ a First-Party Data strategy, which cuts out third-party advertisers like Meta and keeps all collected data within the business’s own systems.[14] Businesses should always conduct regular compliance audits,[15] implement clear data collection policies, obtain affirmative user consent where required, and most definitely gain familiarity with the privacy protection tools available on their third-party advertising platforms, such as Meta’s Limited Data Use flag.
As privacy laws continue to evolve, companies must remain vigilant, prioritizing both ethical data collection and compliance with state and federal regulations. Failure to do so could result in substantial legal and financial repercussions, as evidenced by the growing number of lawsuits against businesses and digital platforms alike.
[1] Online Advertising and Marketing, Federal Trade Commission, https://www.ftc.gov/business-guidance/advertising-marketing/online-advertising-marketing.
[2] Jonathan Vanian, A growing digital ad market is benefiting giants like Meta and smaller players like Reddit, CNBC, https://www.cnbc.com/2025/02/14/a-growing-digital-ad-market-is-benefiting-tech-from-meta-to-reddit.html (Feb. 14, 2025).
[3] Press Release, Texas Attorney General, Attorney General Ken Paxton Secures $1.4 Billion Settlement with Meta Over Its Unauthorized Capture of Personal Biometric Data In Largest Settlement Ever Obtained From An Action Brought By A Single State (July 30, 2024).
[4] Id.
[5] Complaint, Doe v. GoodRx Holdings, Inc., No. 23-cv-00501 (N.D. Cal. July 7, 2023).
[6] Complaint, Castillo v. Costco Wholesale Corp., No. 23-cv-01548 (W.D. Wash. Nov. 14, 2024).
[7] Complaint, Galley-Keller, et al. v. Excela Health, No. 23-cv-00942 (W.D. Pa. 2023).
[8] Michel Protti, Reflecting on Meta’s $8 Billion Investment in Privacy, Meta (Jan. 28, 2025), https://about.fb.com/news/2025/01/meta-8-billion-investment-privacy/.
[9] Id.
[10] Meta Business Help Center, https://www.facebook.com/business/help/1151133471911882 (last visited Mar. 29, 2025).
[11] Id.
[12] Shreya, Cookie Consent: The Essential Guide, Cookie Law Info, https://www.cookielawinfo.com/cookie-consent/ (Dec. 2, 2024).
[13] Simon Poulton, Facebook CCPA compliance challenges: Limited Data Use, Search Engine Land, https://searchengineland.com/facebook-ccpa-compliance-challenges-limited-data-use-337170 (July 2, 2020).
[14] What Is First-Party Data? How to Build A First-Party Data Strategy, The Customer Data Platform Resource, https://cdp.com/articles/what-is-first-party-data-and-why-is-it-so-important/ (last visited Mar. 29, 2025).
[15] How to Conduct a Data Privacy Compliance Audit, Osano, https://www.osano.com/articles/privacy-compliance-audit (Oct. 14, 2024).