Cookies, Pixels, and Website Tracking: What Virginia Businesses Should Review Now


General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.

The information in this article is for general informational purposes only and does not constitute legal advice. Laws change and individual circumstances vary. Consult a licensed Virginia attorney about your specific situation. Reading this article does not create an attorney-client relationship nor does merely contacting our office through this website or any other means.


Most Virginia businesses operating a website give limited thought to the tracking technologies running underneath. Analytics tools, advertising pixels, embedded social media buttons, and tag management scripts have become so common in web development that they are often added without a systematic review of what data they collect, where that data goes, and what obligations they create.

Virginia law and federal enforcement activity have changed the stakes of that inattention. For businesses in Christiansburg, Blacksburg, and across the New River Valley that serve Virginia consumers, a review of website tracking practices is no longer optional compliance overhead. It is a concrete legal risk management question.

How Website Tracking Technologies Work

Understanding what the law requires begins with understanding what these technologies actually do.

First-party cookies are set by the website the user is visiting. They commonly store session information (keeping a user logged in), shopping cart contents, and user preferences. First-party cookies generally present lower privacy risk because the data stays with the website operator.

Third-party cookies are set by domains other than the website the user is visiting. When a website loads an advertising network’s script, that network may set a cookie in the user’s browser. That same network may set cookies on thousands of other websites, allowing it to build a profile of the user’s browsing behavior across the internet. Third-party cookies are the mechanism behind most behavioral advertising. Major browsers have been moving to restrict or phase out third-party cookies, though that transition remains incomplete.

Tracking pixels (also called web beacons or clear GIFs) are tiny image files, often a single pixel, embedded in web pages or emails. When the page or email loads, the image request is sent to the third party’s server, which can record the user’s IP address, browser, device type, and the fact that they viewed the page or opened the email. Meta (Facebook) and Google both use pixel technology extensively for advertising attribution and audience targeting.

Browser fingerprinting is a more invasive technique that collects a combination of browser and device attributes (screen resolution, installed fonts, browser version, hardware configuration) and uses them to create a unique identifier for the user without relying on cookies. Fingerprinting is difficult for users to avoid and persists across browser sessions.

Tag management systems such as Google Tag Manager allow marketers to deploy multiple tracking scripts through a single container, which can make it harder for website owners to maintain a complete inventory of what tracking they have actually deployed.

Virginia’s VCDPA and Targeted Advertising Opt-Out

The Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-571 et seq., gives consumers the right to opt out of targeted advertising, defined as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities across non-affiliated websites, applications, or online services to predict preferences or interests.

This definition encompasses most behavioral advertising delivered through third-party cookies, pixels, and data partnerships. If your website deploys tracking technologies that send visitor data to advertising networks that use it for behavioral targeting, your website visitors have a right under the VCDPA to opt out of that processing.

For VCDPA-covered businesses, honoring that opt-out right requires:

  • Disclosing in your privacy notice that you engage in targeted advertising
  • Providing a mechanism for consumers to opt out, which must be clearly and conspicuously presented
  • Actually honoring opt-out signals received through mechanisms such as the Global Privacy Control (GPC), a browser-based signal that tells websites the user has opted out of sale and targeted advertising

The GPC obligation is particularly significant. A consumer who has enabled GPC in their browser is signaling an opt-out preference before they even visit your site. VCDPA-covered businesses must recognize and honor that signal.

The HIPAA Meta Pixel Problem

Federal regulators have focused significant enforcement attention on the use of Meta Pixel (and similar tracking tools) on the websites and patient portals of HIPAA-covered entities.

The concern is straightforward. When a healthcare provider deploys a Meta Pixel on its website, the pixel can capture information about what pages a visitor views, including pages related to specific medical conditions, appointment booking for particular types of care, or prescription drug information. That information is transmitted to Meta’s servers and used for advertising. If the visitor is a patient, this data may constitute protected health information (PHI) under HIPAA, and disclosing it to Meta without a business associate agreement violates the HIPAA Privacy Rule.

The Department of Health and Human Services Office for Civil Rights issued guidance in 2022 specifically addressing this problem, and several healthcare systems have faced class action litigation as a result of pixel deployments on patient portals.

The lesson for healthcare and healthcare-adjacent businesses in the New River Valley is clear: before deploying any tracking pixel on a website that collects health information or where patients interact with their records, get legal advice about HIPAA implications.

FTC Act Section 5 and Deceptive Privacy Practices

Even for businesses not subject to HIPAA or the VCDPA, Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in commerce. The FTC has made clear that representing your data practices in one way while actually operating differently is deceptive.

If your privacy policy says you do not sell personal data, but your website is sending visitor data to third parties through ad exchanges in exchange for advertising services, the FTC may view that as a deceptive practice. If your privacy policy describes limited data sharing but your site runs a dozen tracking scripts you have not reviewed, there is a meaningful gap between your representations and your actual practices.

The FTC’s enforcement in this area has resulted in substantial settlements and compliance obligations for companies of various sizes. The agency has been particularly focused on companies that deploy tracking technologies without reviewing what those technologies actually do.

Many Virginia businesses have added cookie consent banners to their websites following the spread of EU GDPR requirements. However, not all consent banners are created equal.

A consent banner that displays a notice but loads all tracking scripts regardless of whether the user clicks “Accept” or “Decline” provides compliance theater, not compliance. Under the VCDPA’s opt-out requirements and FTC standards, what matters is whether tracking is actually suppressed when a user exercises an opt-out choice.

An effective consent implementation:

  • Loads only strictly necessary scripts (those required for the website to function) before a user makes a choice
  • Delays loading of advertising and analytics scripts until consent is given or opt-out is not exercised
  • Stores the user’s preference and respects it on return visits
  • Recognizes and honors the Global Privacy Control signal
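
The gating logic described in the list above, written as an added JavaScript example (not code from the original article). The tag URLs, category names and storage key are hypothetical, and treating GPC as an opt-out of the advertising category only is an assumption of this example.

```javascript
// Added example. TAGS, the category names and STORAGE_KEY are hypothetical.
const STORAGE_KEY = 'consent-choice';
const TAGS = [ // constructed sample inventory
  { src: '/js/cart.js', category: 'strictly-necessary' },
  { src: 'https://metrics.example/a.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];

// GPC reaches scripts as navigator.globalPrivacyControl and servers as the
// request header "Sec-GPC: 1" (headers keyed in lower case, as in Node).
function gpcEnabled(nav, headers = {}) {
  const fromBrowser = Boolean(nav && nav.globalPrivacyControl === true);
  const fromHeader = String(headers['sec-gpc'] || '').trim() === '1';
  return fromBrowser || fromHeader;
}

// Returns the saved choice, or null when the visitor has not chosen yet.
function readChoice(storage) {
  try { return JSON.parse(storage.getItem(STORAGE_KEY)); } catch { return null; }
}

function saveChoice(storage, choice) {
  storage.setItem(STORAGE_KEY, JSON.stringify(choice));
}

// choice: null or { analytics: boolean, advertising: boolean }.
// Assumption: GPC is treated as an opt-out of the advertising category only.
function allowedCategories(choice, gpc) {
  const allowed = new Set(['strictly-necessary']);
  if (!choice) return allowed; // nothing optional loads before a choice
  if (choice.analytics) allowed.add('analytics');
  if (choice.advertising && !gpc) allowed.add('advertising');
  return allowed;
}

// Injects only permitted tags and returns their URLs for logging or testing.
function loadTags(tags, allowed, inject) {
  const permitted = tags.filter((t) => allowed.has(t.category));
  permitted.forEach((t) => inject(t.src));
  return permitted.map((t) => t.src);
}

if (typeof document !== 'undefined') { // browser wiring, skipped elsewhere
  const choice = readChoice(window.localStorage);
  loadTags(TAGS, allowedCategories(choice, gpcEnabled(navigator)), (src) => {
    const s = Object.assign(document.createElement('script'), { src, async: true });
    document.head.appendChild(s);
  });
}
```

The banner's Accept and Decline handlers would call `saveChoice` with the visitor's selection, so the same decision is applied on return visits.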

Building a compliant consent implementation requires coordination between your legal team, your web developers, and whoever manages your marketing technology stack. A compliance audit of a website’s tracking behavior, using tools that examine what scripts load under different consent conditions, frequently reveals gaps between intended policy and actual technical implementation.

A cookie audit is the starting point for understanding your website’s tracking posture. A basic audit involves:

  • Using a cookie scanning tool to identify all cookies and third-party scripts loaded on your site, including those loaded conditionally by tag managers
  • Categorizing each tracking element as strictly necessary, functional, analytics, or advertising/marketing
  • Mapping data flows to identify what information each script sends to third parties and on what basis
  • Comparing findings to your privacy policy to identify discrepancies between your stated data practices and your actual ones
  • Assessing consent mechanisms to verify that opt-out choices are technically honored
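
One way to automate the last three audit steps over a request capture, as an added JavaScript example that is not from the original article. The page URL, the captured requests and the inventory are constructed sample data, and the two-label domain comparison is a simplification.

```javascript
// Added example. All hosts and the inventory below are constructed samples.
const PAGE_URL = 'https://shop.example.com/';
const INVENTORY = { // reviewed third parties and their audit category
  'adnetwork.example': 'advertising',
  'example.net': 'analytics',
};
const CAPTURE = [ // requests recorded while browsing under each consent state
  { url: 'https://px.adnetwork.example/tr?ev=PageView', consent: 'accepted' },
  { url: 'https://static.example.com/app.js', consent: 'declined' },
  { url: 'https://metrics.example.net/collect', consent: 'declined' },
  { url: 'https://px.adnetwork.example/tr?ev=PageView', consent: 'declined' },
  { url: 'https://widgets.example.org/share.js', consent: 'declined' },
];

// Simplification: compares the last two host labels. A production audit should
// use the Public Suffix List (a host under "co.uk" needs three labels).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Flags third-party requests that are missing from the inventory, and
// analytics or advertising requests that were still sent after a decline.
function auditCapture(pageUrl, capture, inventory) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const { url, consent } of capture) {
    const host = new URL(url).hostname;
    if (siteOf(host) === firstParty) continue; // first-party request
    const category = inventory[siteOf(host)];
    if (!category) {
      findings.push({ host, consent, issue: 'third party not in inventory' });
    } else if (consent === 'declined' &&
               (category === 'analytics' || category === 'advertising')) {
      findings.push({ host, consent, issue: `${category} request sent after decline` });
    }
  }
  return findings;
}
```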

Many businesses that undergo a cookie audit for the first time discover trackers they did not know were there, often deployed by marketing vendors or inherited from previous developers.

Google Analytics is among the most common website analytics tools, including among small businesses in communities like Christiansburg and Blacksburg. Google’s Consent Mode is a configuration that adjusts how Google Analytics and Google Ads collect and process data based on a user’s consent choices.

When properly implemented, Consent Mode tells Google’s scripts not to read or write cookies, and not to use the data for advertising purposes, when a user has declined consent. Instead, Google uses modeled data for analytics purposes. This implementation is designed to allow businesses to maintain some analytics functionality while respecting user choices.

Correct Consent Mode implementation requires technical configuration in both your consent management platform and your Google Tag Manager or Analytics setup. Simply installing Consent Mode tags is not sufficient if the consent signals are not flowing correctly between systems.

For Virginia businesses seeking to honor VCDPA opt-out rights while maintaining analytics capability, proper Consent Mode configuration is an important part of the technical compliance picture.

Updating Your Privacy Policy

A privacy policy that does not accurately reflect your actual tracking practices creates both regulatory and litigation risk. Following a cookie audit, your privacy policy should be updated to:

  • List all categories of tracking technologies in use (cookies, pixels, fingerprinting)
  • Identify the categories of third parties receiving data (analytics, advertising, social media)
  • Explain how Virginia consumers can opt out of targeted advertising
  • Describe how the GPC signal is handled
  • Link to or describe your consent management process

The policy should be accurate at the time of posting. If you change your tracking setup, update the policy to reflect the change.


This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.

Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.