Since the beacon needs to be sent "in the clear" from the user's browser to AA's server, the user (and anyone who intercepts the user's network traffic) will be able to see the data that you are tracking to AA.

Normally, there's no issue with that because the data is about general website usage, e.g. which page is viewed, what link is clicked, etc. But if you're sending personally identifiable information (PII) like names, credit card numbers, etc., then you should really be asking yourself why you're tracking that in the first place.