Unrecognizable clinician subjected to an advanced persistent threat at an access point to a healthcare data network. Cyber security concept for hacking attack and malware exploiting vulnerabilities.

Dolce Vita Ruling a Win for Cookies and Pixels Alike

Dolce Vita Ruling a Win for Cookies and Pixels Alike

November 21, 2024

Dolce Vita Ruling a Win for Cookies and Pixels Alike

By: Robert Ward

In recent years, companies in industries from media to healthcare have faced a rash of lawsuits challenging their use of common web tracking technologies such as the Meta Pixel. These cases generally allege that the use of such tracking technologies violates common law privacy protections and a wide range of state and federal privacy statutes. Late last month, in Vita v. New England Baptist Hospital, the Massachusetts Supreme Judicial Court shut the door on such claims under the Massachusetts Wiretap Act (“MWA”).[1]

The Vita Case

The Vita case is a typical Pixel case. The plaintiff alleged that the defendant hospitals improperly used the Pixel, along with Google Analytics, to collect and share information regarding her web browsing activity with third parties for advertising purposes without her consent.[2] In particular, the plaintiff alleged that the hospitals websites collected, among other things, the URLs of the webpages she visited, her IP address, and certain unique identifiers used by third-party software providers. She also claimed that the websites collected certain health-related data, including whether she navigated to an appointment request page and any filtering criteria selected on the “Find a Doctor” webpage.[3]

The plaintiff also alleged that by deploying the Pixel, the defendants simultaneously collected and transmitted this information to third parties, who subsequently marketed the data to merchants and delivered targeted advertisements to users.[4] While the defendants’ privacy policies disclosed some third-party data tracking and sharing, the plaintiff argued that the disclosures were incomplete and misleading.[5]

The lawsuit’s premise is that the hospitals’ use of the Pixel violated the MWA.  The MWA makes it unlawful to willfully commit an “interception” of any “wire or oral communication.”[6] It defines “wire communication” as “any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception.”[7] An “oral communication” is “speech, except such speech as is transmitted over the public air waves by radio or other similar device.”[8]

The court’s decision turned on whether the information transmitted to third parties was a “communication” for the purposes of the MWA. Relying on the text of the statute and the legislative history, the court concluded that it was not, and rejected the argument that the use of tracking technologies like the Pixel violates the MWA.[9] In doing so, the court distinguished between person-to-person internet communications, such as e-mail or chat messages, and user-website interactions, concluding that the text did not unambiguously encompass the latter.[10] Turning to the legislative history for guidance, the court found concerns about the “secret interception of person-to-person conversations and messaging,” and a “frightening” future of electronic surveillance devices that “could be used to ‘bug’ one’s home or business or tap one’s telephone.”[11]  While this demonstrated a “focus on addressing the privacy threats posed by evolving surveillance methods,” it did not provide a basis for expanding the definition of “communication” beyond person-to-person communications.[12] Because neither the text nor the legislative history were “helpful” in determining whether information regarding the plaintiff’s web browsing activity was a “communication” under the MWA, the court applied the rule of lenity and concluded that the plaintiffs MWA claims should be dismissed.[13]

A Partial Victory

While the Vita decision is a victory for companies that develop and deploy third-party web tracking technologies like the Pixel, it is only a partial victory. The court took pains to point to other common law protections, as well as state and federal statutes that might give rise to liability for the use of third-party tracking technologies.[14] Such statutes include, for example, the federal Wiretap Act, the federal Video Privacy Protection Act, and the California Invasion of Privacy Act (“CIPA”), as well as state consumer protection law.[15]

It is also unclear whether other courts will follow the Supreme Judicial Court’s lead. There is now an established body of cases analyzing Pixel claims under state and federal law, many of which have permitted claims similar to those in Vita to proceed.[16] Moreover, in cases involving defendants subject to industry-specific privacy regulation, like the hospitals in Vita, courts have often focused on other issues, such as whether the party exception under the Wiretap Act, or the “crime-tort” carve-out to that exception, applies.[17]

Finally, while the majority rejected the plaintiff’s claims under the MWA, it nevertheless appeared concerned about what it called “the serious threat to privacy presented by the proliferation of third-party tracking of an individual’s website browsing activity for advertising purposes.”[18] The dissent was even more forceful, concluding that the legislature would “need to correct” the court’s “error.”[19] If the legislature takes up this invitation, Vita may provide only a temporary reprieve from the threat of Pixel-based liability in Massachusetts.

Whether Vita is the last word on Pixel cases under the MWA or not, companies deploying the Pixel and similar technologies will likely continue to face litigation under the still-evolving patchwork of state and federal privacy protections.

[1] Vita v. New England Baptist Hosp., 494 Mass. 824, 243 N.E.3d 1185 (Mass. 2024).

[2] Id. at 1188.

[3] See id. at 1190-91.

[4] Id.

[5] Id. at 1192.

[6] Mass. Gen. Laws ch. 272, § 99 C 1.

[7] Mass. Gen. Laws ch. 272, § 99 B 1.

[8] Mass. Gen. Laws ch. 272, § 99 B 2.

[9] Vita, 243 N.E.3d at 1195.

[10] Id. at 1197.

[11] Id. at 1201.

[12] Id. at 1201-02.

[13] Id. at 1206-07.

[14] Id. at 1206.

[15] See e.g., In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606 (9th Cir. 2020); Sweat v. Houston Methodist Hosp., No. H-24-775, 2024 WL 3070184, at *4 (S.D. Tex. Jun. 20, 2024); Ambrose v. Boston Globe Media Partners LLC, No. 21-CV-10810, 2022 WL 4329373, at *4 (D. Mass. Sept. 19, 2022).

[16] See e.g., St. Aubin v. Carbon Health Techs., Inc., No. 24-CV-00667-JST, 2024 WL 4369675, at *4 (N.D. Cal. Oct. 1, 2024); In re BetterHelp, Inc. Data Disclosure Cases, No. 23-cv-1033, 2024 WL 3416511, at *4 (N.D. Cal. Jul. 15, 2024); Ambrose, 2022 WL 4329373, at *4.

[17] See e.g., Gay v. Garnet Health, No. 23-CV-6950, 2024 WL 4203263, at *4 (S.D.N.Y. Sept. 16, 2024) (permitting Wiretap Act claim to proceed because plaintiffs sufficiently alleged that the crime-tort exception to the party exception applied).

[18] Vita, 243 N.E.3d at 1189.

[19] Id. at 1226.

Robert Ward

Robert Ward

Robert Ward’s diverse background in criminal, civil, and regulatory law enables him to strategically navigate complex legal landscapes and develop efficient and effective solutions to clients’ challenges.

Related Practice(s)
Other Posts
TCPA Prior Express Consent Via Business Card? Third Circuit Says “Yes, It Counts”
Apr 1, 2020

TCPA Prior Express Consent Via Business Card? Third Circuit Says “Yes, It Counts”

By: Ifrah Law
Privacy Pointers for Employees of the Teleworking World
Mar 26, 2020

Privacy Pointers for Employees of the Teleworking World

By: Nicole Kardell
Telework: Businesses Need Smart Practices ASAP to Reduce the Threat of Data Security Incidents. Here’s the Quick and Dirty of Smart Practices
Mar 25, 2020

Telework: Businesses Need Smart Practices ASAP to Reduce the Threat of Data Security Incidents. Here’s the Quick and Dirty of Smart Practices

By: Nicole Kardell
Allowances Made for COVID-19 Don’t Mean Telehealth Providers and Employers Can Share Protected Information Without Consequences
Mar 23, 2020

Allowances Made for COVID-19 Don’t Mean Telehealth Providers and Employers Can Share Protected Information Without Consequences

By: Drew Barnholtz

Subscribe to Ifrah Law’s Insights