Amex 'Conspired' With Facebook to Intercept Sensitive Consumer Data: Class Action
American Express aided and “conspired with” Facebook to intercept communications sent and received by customers in violation of the California Invasion of Privacy Act, alleged a class action Friday (docket 1:24-cv-02408) in U.S. District Court for Southern New York in Manhattan.
Philip Camacho of Chatsworth, California, applied for an Amex card on the company’s website in March 2023, said the complaint. As part of the application, Camacho provided “multiple pieces of sensitive information,” including his Social Security number, total annual income, and income source. Amex used the Facebook tracking pixel integrated into the website “to send all of this information to Meta without Plaintiff’s knowledge, consent, or express written authorization,” it said.
By failing to receive consent, Amex breached its duties of confidentiality and unlawfully disclosed Camacho’s personally identifiable information (PII) and protected financial information, the complaint said.
Facebook sells advertising space by its ability to target its 2.9 billion users based on surveilling user activity “both on and off the site,” the complaint said. That allows the social media platform to “make inferences about users beyond what they explicitly disclose,” including interests, behavior and connections, it said. It compiles the information into segmented audiences, which advertisers use to apply “highly specific filters and parameters for their targeted advertisements,” it said.
“Custom audiences” allow advertisers to target existing customers directly and require an advertiser to supply the underlying data to Facebook, said the complaint. Advertisers do so by either manually uploading contact information for customers or by using the Facebook Pixel that collects and transmits the data automatically. Once activated, the Pixel tracks website visitors and the actions they take, then sends a record to Facebook, it said. Data tracked includes URLs visited and text typed into boxes, it said. Facebook processes, analyzes and assimilates the information into audience datasets, it said.
Amex’s website has applications for credit cards, and the Pixel is installed on each webpage used for the applications, the complaint said. Applicants must provide name, birth date, email address, phone number and home address, plus Social Security numbers and sensitive financial information, it said.
When someone who is logged into Facebook, such as Camacho, applies for a credit card on the Amex website, the Pixel transmits PII from Facebook cookies to Facebook, along with event data and financial information, the complaint said. The combination of event data and PII from Facebook’s cookies embedded on the Amex website “permits Facebook to see sensitive financial information for specific individuals,” it said.
Consumers must agree to Amex’s terms and conditions before submitting a credit card application on the website, but unlike the card member agreement, the terms don’t include an arbitration provision, the complaint said. The terms state applicants are bound by the card member agreement only if their application is accepted. Consumers such as Camacho, whose credit card applications are denied, “never agree to the Card Member Agreement or the arbitration provision contained therein,” it said.
Camacho seeks awards of statutory and punitive damages, prejudgment interest and attorneys' fees and costs. Amex didn't comment Monday.