Glossary · Privacy

Meta Pixel (Facebook Pixel): How It Tracks You and the Privacy Class Actions It Sparked

By Steve Levine · Updated July 2, 2026 · 8 min read

Quick Answer

The Meta Pixel (formerly the Facebook Pixel) is a snippet of JavaScript tracking code that website owners embed on their pages. Each time a visitor loads a page or takes an action, the pixel sends that event to Meta — often with the page URL, button text, form information, and cookies (like the c_user Facebook login cookie and the _fbp browser cookie) that can tie the activity to a specific person. Because hospitals and other websites allegedly let the pixel transmit sensitive information — including patient-portal activity — without visitor consent, the pixel sits at the center of one of the largest privacy-litigation waves in the country, and it has produced a steady stream of pro rata cash settlements for website and portal users.

What the Meta Pixel Is and How It Works

The Meta Pixel is a free analytics and advertising tool Meta offers to website operators. Despite the name, it is not really a “pixel” anymore — the original version was a one-pixel invisible image, but the modern tool is a block of JavaScript code that the site owner pastes into its web pages. When a visitor's browser loads a page carrying the code, the pixel “fires”: it collects information about the visit and transmits it to Meta's servers in the background, invisibly to the visitor.

Site owners install it because it makes their Facebook and Instagram advertising more effective. The pixel lets a retailer measure which ads led to purchases, build “custom audiences” of past visitors to re-target with ads, and find new customers who resemble existing ones. Millions of websites use it, which is exactly why litigation over it has been so broad — the same snippet of code appears on retailers, streaming services, tax-prep sites, and, most consequentially, hospital websites and patient portals.

What Data the Pixel Sends to Meta

The core of every pixel lawsuit is what the code transmits. Depending on how a site configures it, the pixel can send:

  1. Page URLs and titles. The full address of each page viewed — which matters enormously when the URL itself reveals something (a condition searched, a doctor's name, a video watched, an appointment page).
  2. Button clicks and events. Standard events like “Schedule,” “Search,” or “Add to Cart,” including the text of the button the visitor clicked.
  3. Form information. With optional features such as automatic advanced matching, data typed into forms — names, email addresses, phone numbers — can be captured (in hashed form) and sent to Meta to improve ad matching.
  4. Identifying cookies. The c_user cookie, which contains the visitor's Facebook user ID when they are logged in, and the _fbp cookie, a browser identifier the pixel sets — plus IP address and device information.
The combination is what plaintiffs emphasize: a page URL alone may be anonymous, but a page URL plus a cookie containing a Facebook user ID can, in the plaintiffs' telling, tell Meta exactly who viewed exactly what. Meta's own policies require advertisers not to send it sensitive health or financial information, and Meta has said it has filtering systems designed to screen such data out — points the litigation has explored at length.

The Healthcare Pixel Litigation Wave

The pixel became a mass-litigation phenomenon in 2022, after investigative reporting by the nonprofit newsroom The Markup found the Meta Pixel on the websites of roughly a third of the 100 largest U.S. hospitals — and, at a handful of systems, inside password-protected patient portals such as MyChart. Class action complaints followed against dozens of hospitals and health systems.

The complaints generally allege — and these are allegations, which the defendants have largely disputed — that the pixel on a health system's website or portal transmitted patient status, appointment scheduling details, provider and condition searches, and similar health-related browsing data to Meta without patient knowledge or consent. Plaintiffs argue that patients reasonably expected their portal activity to stay between them and their provider, and that a hospital cannot share it with an advertising company without authorization. Health systems have responded that they never intended sensitive data to be transmitted, that configurations varied, and that much of what was sent was not identifying. Many of these cases have since settled without any admission of wrongdoing — see the Allina Health, Memorial Health Services MyChart, and Atrium Health pixel settlements currently accepting claims.

The wave is not limited to healthcare. Similar pixel claims have targeted streaming and video sites (where sharing what a user watched implicates the Video Privacy Protection Act), tax-preparation services, and membership organizations — the $12.5M AARP video-privacy settlement resolved claims that pixel code on aarp.org shared members' video-viewing data with Meta.

The Legal Theories Behind Pixel Lawsuits

There is no single “pixel statute,” so complaints stack several theories:

Federal Wiretap Act (ECPA). Plaintiffs allege the pixel “intercepts” the contents of their communications with the website and discloses them to a third party. In the healthcare cases, plaintiffs invoke the crime-tort exception to argue the one-party-consent defense should not apply.
CIPA § 631. The California Invasion of Privacy Act bars reading a communication in transit without all-party consent and carries $5,000 per-violation statutory damages. It is the workhorse state claim, alongside similar wiretap statutes in states like Pennsylvania and Florida.
VPPA. Where the page involved video, plaintiffs claim the pixel disclosed “personally identifiable information” about what videos a consumer requested or watched.
Confidentiality and privacy torts. Healthcare complaints add breach of medical confidentiality, breach of fiduciary duty, invasion of privacy, breach of contract, and unjust enrichment. HIPAA has no private right of action, but plaintiffs cite it as the standard of care that providers allegedly fell short of.
State privacy and consumer-protection statutes, which vary by forum.

Related web-tracking theories — session-replay recording, chat wiretapping, and the pen-register theory — frequently appear in the same complaints, because a site running the pixel often runs other tracking tools too.

The HHS Tracking Bulletin — and Its Partial Vacatur

In December 2022, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a bulletin on the use of online tracking technologies by HIPAA-regulated entities. The guidance warned that hospitals and other covered entities generally may not use tools like the Meta Pixel in ways that disclose protected health information to tracking vendors without patient authorization or a business-associate agreement — and it swept broadly, treating even some combinations of IP address and page visit as potentially protected.

The bulletin is guidance, not a statute or regulation, and it did not survive intact. In June 2024, a federal district court in Texas, in a suit brought by the American Hospital Association and others, vacated the portion of the guidance that treated a visitor's IP address combined with a visit to a public-facing, unauthenticated webpage as protected health information. OCR's positions on authenticated pages such as patient portals were not the focus of that ruling. Practically, the bulletin still matters: it pushed health systems to strip tracking code from their sites, and plaintiffs continue to cite it as evidence of the confidentiality standards the industry understood to apply. But it should be described for what it is — partially vacated agency guidance, not binding law.

What Pixel Settlements Have Looked Like

Most resolved pixel cases follow a familiar template. The defendant creates a common settlement fund — without admitting wrongdoing — and the fund is divided pro rata among class members who file valid claims. The class is usually defined as people who used the defendant's website, patient portal, or app during the period the tracking code was allegedly active. Because portal users were often mailed or emailed a notice with a Class Member ID or PIN, many of these settlements require that identifier to file, which OCA treats as proof required.

Individual payouts scale with the fund and the claims rate — smaller funds have paid single- or low-double-digit amounts per claimant, while larger funds and lower-claims classes have paid substantially more. Some settlements also include non-monetary terms, such as commitments to remove or restrict tracking technologies. A settlement resolves the claims; it is not a finding that the defendant broke the law. If you receive a pixel-settlement notice, the identifier printed on it is usually the key to filing — and a claimant who needs help recovering one can use the contact form on the official settlement website. For the broader landscape of health-data litigation, see our guide to data breach class actions.

Frequently Asked Questions

What is the Meta Pixel?

The Meta Pixel (formerly the Facebook Pixel) is a piece of JavaScript tracking code that website owners install on their pages. When a visitor loads a page or takes an action — clicking a button, submitting a form, adding an item to a cart — the pixel sends that event to Meta, often together with the page URL and cookies that can identify the visitor's Facebook account. Meta uses the data for ad targeting and measurement; the website owner uses it for analytics and advertising.

Why are hospitals being sued over the Meta Pixel?

A wave of class actions alleges that hospitals and health systems embedded the Meta Pixel on their public websites and inside password-protected patient portals such as MyChart, and that the pixel transmitted patient status, appointment details, provider searches, and other health-related browsing data to Meta without patient consent. These are allegations that the defendants have generally disputed; many of the cases have settled without any admission of wrongdoing.

What laws do Meta Pixel lawsuits rely on?

Common claims include the federal Wiretap Act (ECPA) for intercepting communications, the California Invasion of Privacy Act (CIPA) § 631, the Video Privacy Protection Act (VPPA) where video-viewing data was shared, state wiretap and consumer-protection statutes, and common-law theories such as breach of medical confidentiality, invasion of privacy, and unjust enrichment. HIPAA itself does not allow private lawsuits, but plaintiffs argue it helps define a healthcare provider's duty of confidentiality.

What have Meta Pixel settlements paid?

Most healthcare pixel settlements create a common fund that is divided pro rata among class members who file valid claims — typically patients who used the defendant's website or patient portal during a defined period. Payouts vary widely with the fund size and the number of claims. Many of these settlements require an identifier from the mailed or emailed notice to file, and the defendants settle without admitting wrongdoing.

What is the HHS tracking-technology bulletin?

In December 2022, the U.S. Department of Health and Human Services' Office for Civil Rights issued guidance warning that HIPAA-regulated entities generally may not use tracking technologies like the Meta Pixel in ways that disclose protected health information to third parties without authorization. In June 2024, a federal court in Texas vacated part of the guidance as it applied to certain visits to public-facing webpages. The bulletin is agency guidance, not a statute, but it is frequently cited in pixel litigation.


About This Page

General legal-information about the Meta Pixel and the privacy litigation surrounding it, not legal advice. OpenClassActions.com is a consumer news site and is not a law firm or a settlement administrator. Pixel-related lawsuits involve allegations that the defendants generally dispute, and settlements resolve claims without any admission of wrongdoing. Statutes, agency guidance, and case law in this area change quickly, and how they apply depends on the facts of a particular website and configuration. If you think your rights were affected, consult a qualified attorney in your jurisdiction.


More on Web-Tracking Privacy Law