If you are participating in the digital advertising ecosystem, you likely are hearing a lot about pixels, tags, scripts and SDKs lately. But the terminology can be confusing, and terms are not always used consistently, making it difficult to wrap your arms around such technology or even to know what questions to ask.

What They Are

Cookies are small text files stored on a computer that are managed by a web browser. When your web browser interacts with different sites and servers (e.g., viewing a web page), it will allow those sites and servers to create, read and modify cookies stored on your device. This happens automatically in the background when your device communicates with those servers.

Pixels are the building blocks used to generate images – an image is formed by changing the color of individual pixels on a screen to create the desired picture when all the pixels are combined. However, in digital advertising, the term “pixel” is often used to describe a mechanism for collecting and transferring data. But how did we go from a pixel being a small dot on a screen to describing a mechanism for collecting and transferring data? An image on a website may be stored on a completely different server, e.g., a server belonging to an ad tech company or a social media company. By way of example, if you visit www.xyz-example-site.com, that page may contain within it an instruction like , which tells your browser to display the picture on the page but also tells your browser it needs to reach out to another server, the example-adtech-co server, to get the picture. The picture itself may in fact be a single pixel you will never actually see on the screen, but in the background your browser is now communicating with the example-adtech-co.com server and exchanging information with that server, potentially including information stored in cookies, as described above. Though the term pixel triggers thoughts about pictures and images, when used in the digital advertising context, it’s all about collecting and exchanging data.

Scripts are portions of computer code written in a programming language such as JavaScript, which can be embedded in webpages and add functionality to webpages, e.g., making pages interactive instead of containing just static content. Like pixels, scripts can be used to facilitate the collection and exchange of data by telling your browser to reach out to a server to get the script, and in the process, your browser will exchange data with that server. And there are various other ways scripts can be used in webpages to exchange data with other servers.

So, what is a “tag”?

An HTML tag is the piece of markup language that defines the elements on a page. The <img> and <script> tags used here are two types of HTML tags. But within the digital advertising space, the term “tag” has taken on a broad/general meaning, referring to the image and script tags described here as well as other code that can be embedded in websites or applications to facilitate the collection and transfer of data.

And, you guessed it, the term “SDK” (Software Development Kit), when used in connection with digital advertising, is also used to describe a mechanism that allows data to be collected and exchanged with third-party platforms, servers and sites. SDK refers generally to a set of tools developers can use in building applications, including things like prewritten code libraries and documentation, providing a framework for developers to easily add certain features and functionality to their applications. SDKs developed by social platforms, ad tech companies, data aggregators and similar players are provided to mobile app developers to embed in their applications and facilitate the exchange of data between these apps and those third parties.

In sum, the terms cookie, pixel, tag, script and SDK, when used in the digital advertising space, usually refer to mechanisms and means for collecting data on a website or mobile application and exchanging that data with third parties. But why is this important, and why are you hearing so much about these technologies right now?

What the Fuss Is About

One of the reasons these technologies have received increased attention and scrutiny is that there have been significant developments in the U.S. privacy landscape, with the addition of various new state privacy laws (e.g., in California, Connecticut, Colorado, Utah, Virginia, Montana, Tennessee, Iowa, Indiana, Texas, Oregon, Delaware, Washington, etc.). And these laws contain specific obligations and requirements related to the exchange of personal data, including data exchanged via these technologies. For example, these laws may require certain notices be provided to users about the collection and use of their data and, in some cases, that users be provided an opportunity to opt out of the use or sharing of their data for targeted advertising. Many of these laws also have provisions requiring that certain specific agreements be in place between parties exchanging user data. Some of these laws are applicable generally to all types of personal data, while some are geared toward specific types of data, such as the Washington My Health My Data Act, which focuses on consumer health data.

Second, there is the recent focus by the Federal Trade Commission (FTC) on the collection and sharing of health-related data and other sensitive data, including exchanging data through pixels, scripts and SDKs. We have seen this in recent cases that the FTC brought against Better Help, Flo Health, Good Rx, Easy Healthcare/Premom and InMarket, alleging various unfair and/or deceptive acts and practices, and violation of other rules, related to sharing of sensitive data with social platforms and other third-party platforms for advertising purposes.

Lastly, layering on top of this, is the recent class litigation related to use of pixels, SDKs and other trackers. The most common causes of action in these cases are (a) contract claims based on website privacy policies or notices; (b) state law privacy claims (statutory, common law or constitutional) based on unauthorized disclosures of the user’s personal information; and (c) violations of the federal Video Privacy Protection Act and the Federal Wiretap Act or analogous state law claims based on interceptions of communications.

Against this backdrop and additional risk, and in the face of this heightened interest from regulators and the plaintiffs’ bar, it is not surprising that we are hearing a lot about these technologies right now.

What You Can Do

So, what should you be doing to reduce your risk? If you are in any way engaged in digital advertising, now is a good time to review your use of these technologies and the compliance framework you have built around them.

1. Make sure you understand what, if any, tags, scripts, pixels and SDKs you are embedding in your websites and mobile applications, what data is being collected, who it is being shared with, and what it is being used for. The first step is understanding the data flows. And this can be tricky. Because these technologies are embedded in your website or mobile app code and run in the background, it can be hard to identify all of them. This is especially true if there are multiple people who have access to your code and the ability to implement things within your site or applications, e.g., the software development team, the product team, the marketing team, third-party agencies and other contractors. There are many tools available to help you audit your sites and apps in order to identify these technologies, but this is an area where you will want to partner with someone who has a good grasp of the technology if you don’t have that yourself. On the flip side, if you are receiving data through these technologies, you will similarly want to understand the data flows and specifics of the data you are receiving.
2. Ensure you have an agreement in place with each entity receiving data from your site or app (or, on the flip side, sending you data), and review those agreements to understand each party’s respective obligations related to the exchange of data. For example, the agreement may require that certain notices be given to users, certain opt-out options be provided or consents be obtained; it may prohibit certain categories of data from being sent; and it may include restrictions on how the party receiving the data can use the data. In addition, you will want to vet the agreement terms against the requirements of the various laws (many require specific agreement terms) and consider adding terms to address issues raised in the various FTC actions and litigation.
3. Ensure you have an appropriate compliance framework in place. It may be helpful to put yourself in the position of the consumer. Are you provided notice about the collection and use of your data, including whom it is being shared with? If so, when and how does that happen, and does that notice enable you to fully understand how your data is being used? Are you provided options for consenting to the use of your data and/or opting out of such use, where that is required? Are you given an opportunity to exercise other rights you may have under data protection laws, such as right of access, deletion, etc.? From a user perspective, you should ensure that the processes for exercising these rights are accessible, understandable and easy to implement. You should also make sure the technical functionality is working properly on the back end, e.g., in the event of an opt- out, that opt-out will be handled and processed properly.

And, you guessed it, the term “SDK” (Software Development Kit), when used in connection with digital advertising, is also used to describe a mechanism that allows data to be collected and exchanged with third-party platforms, servers and sites. SDK refers generally to a set of tools developers can use in building applications, including things like prewritten code libraries and documentation, providing a framework for developers to easily add certain features and functionality to their applications. SDKs developed by social platforms, ad tech companies, data aggregators and similar players are provided to mobile app developers to embed in their applications and facilitate the exchange of data between these apps and those third parties.

In sum, the terms cookie, pixel, tag, script and SDK, when used in the digital advertising space, usually refer to mechanisms and means for collecting data on a website or mobile application and exchanging that data with third parties. But why is this important, and why are you hearing so much about these technologies right now?

What the Fuss Is About

One of the reasons these technologies have received increased attention and scrutiny is that there have been significant developments in the U.S. privacy landscape, with the addition of various new state privacy laws (e.g., in California, Connecticut, Colorado, Utah, Virginia, Montana, Tennessee, Iowa, Indiana, Texas, Oregon, Delaware, Washington, etc.). And these laws contain specific obligations and requirements related to the exchange of personal data, including data exchanged via these technologies. For example, these laws may require certain notices be provided to users about the collection and use of their data and, in some cases, that users be provided an opportunity to opt out of the use or sharing of their data for targeted advertising. Many of these laws also have provisions requiring that certain specific agreements be in place between parties exchanging user data. Some of these laws are applicable generally to all types of personal data, while some are geared toward specific types of data, such as the Washington My Health My Data Act, which focuses on consumer health data.

Second, there is the recent focus by the Federal Trade Commission (FTC) on the collection and sharing of health-related data and other sensitive data, including exchanging data through pixels, scripts and SDKs. We have seen this in recent cases that the FTC brought against Better Help, Flo Health, Good Rx, Easy Healthcare/Premom and InMarket, alleging various unfair and/or deceptive acts and practices, and violation of other rules, related to sharing of sensitive data with social platforms and other third-party platforms for advertising purposes.

Lastly, layering on top of this, is the recent class litigation related to use of pixels, SDKs and other trackers. The most common causes of action in these cases are (a) contract claims based on website privacy policies or notices; (b) state law privacy claims (statutory, common law or constitutional) based on unauthorized disclosures of the user’s personal information; and (c) violations of the federal Video Privacy Protection Act and the Federal Wiretap Act or analogous state law claims based on interceptions of communications.

Against this backdrop and additional risk, and in the face of this heightened interest from regulators and the plaintiffs’ bar, it is not surprising that we are hearing a lot about these technologies right now.

What You Can Do

So, what should you be doing to reduce your risk? If you are in any way engaged in digital advertising, now is a good time to review your use of these technologies and the compliance framework you have built around them.

1. Make sure you understand what, if any, tags, scripts, pixels and SDKs you are embedding in your websites and mobile applications, what data is being collected, who it is being shared with, and what it is being used for. The first step is understanding the data flows. And this can be tricky. Because these technologies are embedded in your website or mobile app code and run in the background, it can be hard to identify all of them. This is especially true if there are multiple people who have access to your code and the ability to implement things within your site or applications, e.g., the software development team, the product team, the marketing team, third-party agencies and other contractors. There are many tools available to help you audit your sites and apps in order to identify these technologies, but this is an area where you will want to partner with someone who has a good grasp of the technology if you don’t have that yourself. On the flip side, if you are receiving data through these technologies, you will similarly want to understand the data flows and specifics of the data you are receiving.
2. Ensure you have an agreement in place with each entity receiving data from your site or app (or, on the flip side, sending you data), and review those agreements to understand each party’s respective obligations related to the exchange of data. For example, the agreement may require that certain notices be given to users, certain opt-out options be provided or consents be obtained; it may prohibit certain categories of data from being sent; and it may include restrictions on how the party receiving the data can use the data. In addition, you will want to vet the agreement terms against the requirements of the various laws (many require specific agreement terms) and consider adding terms to address issues raised in the various FTC actions and litigation.
3. Ensure you have an appropriate compliance framework in place. It may be helpful to put yourself in the position of the consumer. Are you provided notice about the collection and use of your data, including whom it is being shared with? If so, when and how does that happen, and does that notice enable you to fully understand how your data is being used? Are you provided options for consenting to the use of your data and/or opting out of such use, where that is required? Are you given an opportunity to exercise other rights you may have under data protection laws, such as right of access, deletion, etc.? From a user perspective, you should ensure that the processes for exercising these rights are accessible, understandable and easy to implement. You should also make sure the technical functionality is working properly on the back end, e.g., in the event of an opt- out, that opt-out will be handled and processed properly.

[View source.]