Courts have recently been grappling with an influx of class actions alleging that company websites are in violation of wiretapping and other privacy laws when using third-party technology to provide services on their websites. Three different federal courts recently dismissed cases on similar grounds, demonstrating the challenges plaintiffs face with maintaining them and strategies defendants should keep in mind to defeat them.
Two of the cases accuse healthcare providers of improperly sharing personal health information with third-party technology companies through the use of pixel technologies on the healthcare provider’s website. In the first case, Doe v. Davita, Inc., plaintiffs accused Davita—a kidney dialysis provider—of violating the California Invasion of Privacy Act (“CIPA”) and other laws by purportedly collecting “patients’ personal and sensitive medical information on the Online Platforms and … improperly shar[ing] [this information] with the Tracking Technologies without patients’ consent.” 2024 WL 1772854, at *2 (S.D. Cal. April 24, 2024). The court disagreed and dismissed the claims, holding that plaintiffs did “not explain what specific information they provided to Defendant” and calling their claims “conclusory.” Id. The complaint, said the court, was “devoid of any facts supporting” plaintiffs’ contentions that Davita disclosed “personal, confidential, and sensitive medical information; medical treatment; and payment information” with the third party. Id.
Similarly, in Santoro v. Tower Health, plaintiffs accused a regional healthcare provider, Tower Health, of violating the Electronic Communications Privacy Act and common law by using embedded website features to allegedly share their health information obtained on Tower’s website with a third party. 2024 WL 1773371, at *1-2 (E.D. Pa. April 24, 2024). Like in Davita, the Santoro court rejected plaintiffs’ claims because plaintiffs failed to explain “what HIPAA-protected information from plaintiffs was transferred” to the third party. Id. at *4. Plaintiffs’ general allegations said “nothing about the specific pages [visited], [plaintiffs’] medical condition[s], or [their] history of medical care with Tower Health,” id., and thus failed to state a claim.
The third case, Smidga v. Spirit Airlines Inc., alleged that Spirit Airlines used third-party software on its website that captured Spirit customers’ website interactions purportedly in violation of several statutes, including the Pennsylvania Wiretap Act, and common law. 2024 WL 1485853, at *1 (W.D. Pa. April 5, 2024). Plaintiffs claimed that the software “intercept[ed] and record[ed] the website visitor’s electronic communications with Spirit’s website.” Id. The court dismissed the case, this time analyzing the issue under Article III standing principles. It held that two of the plaintiffs lacked an injury to confer standing because they did not allege that they provided sensitive personal information (e.g., credit card information) to Spirit. Id. at *5. The third plaintiff also lacked an injury because she did nothing to rebut Spirit’s sworn declarations that Spirit does not record personal data. Id.
Following the trend of these cases, companies facing similar lawsuits should carefully review the information that plaintiffs allege has been tracked or shared when facing wiretapping or privacy lawsuits, and consider arguments that such information is insufficient to state a claim or confer standing.