The United States District Court for the Southern District of Iowa has dismissed on sovereign immunity grounds a putative class action against the University of Iowa Hospitals and Clinics (“UIHC”) for unjust enrichment and violations of the Electronic Communications Privacy Act and Computer Fraud and Abuse Act.  See Yeisley v. Univ. of Iowa Hosps. & Clinics, No. 3:23-cv-00025 (S.D. Iowa Feb. 16, 2024) (unpublished). 

The plaintiff, a patient of UIHC, had alleged that UIHC used a pixel on its website to share her personally identifiable information with third parties for marketing purposes and without her consent.  The Court did not reach the merits of the case and instead granted UIHC’s motion to dismiss on the basis that sovereign immunity barred each of the plaintiff’s claims.

The Court began its analysis by determining that UIHC was an “arm of the State” for purposes of sovereign immunity because (1) state law prescribed its “powers and characteristics”; (2) state law also governed its various affairs at length and in detail; (3) UIHC “must spend its money consistent with the directives of the Iowa Legislature, as implemented and controlled by state-appointed members of the Board of Regents”; and (4) “the State general fund would be the source of funds for any judgment or settlement” in this case.  The Court then rejected the plaintiffs’ argument that UIHC had waived sovereign immunity by adopting privacy policies concerning its handling of website visitor information, noting that those policies did not “expressly or implicitly” refer to either statute or “suggest an intention to waive sovereign immunity as to those laws.”  The Court further concluded that Congress did not abrogate sovereign immunity in enacting the ECPA and CFAA because neither law “unequivocally” expressed the requisite intent “to alter the usual constitutional balance between the States and the Federal Government.”  Finally, the Court held that sovereign immunity likewise barred the plaintiffs’ unjust enrichment claim under either federal or state law.

This case highlights a potential defense strategy for government entities facing litigation under the ECPA, CFAA, and related state laws, as it discusses in detail several aspects of the new and evolving case law applying sovereign immunity principles to these claims.

You can find more information about the latest developments and trends affecting class actions in our Inside Class Actions blog, including disclosure of collection in privacy policies, pixels embedded in videos, and wiretapping and other related privacy-related claims.