Lawsuits challenge how those internet cookies crumble
Is clicking on a website and agreeing to allow those ubiquitous cookies the same as having someone bug your phone? And can a 1968 Massachusetts law intended to prohibit such invasions of privacy — a law that predates by decades the rise of internet searches — be used as a legal cudgel against some of the state’s most respected institutions?
The Massachusetts Supreme Judicial Court will be asked to wade through that legal maze, defining what privacy means under the 55-year-old Massachusetts Wiretap Act and whether it applies to hospital websites that share and transmit data to third parties such as Meta Pixel or Google Analytics.
The case being heard Wednesday by the high court was brought against New England Baptist Hospital and Beth Israel Deaconess Medical Center by a Revere woman — but as lawyers for the two hospitals note in their brief, “These are two among at least two dozen putative class action lawsuits that plaintiffs’ lawyers have recently commenced against Massachusetts hospitals and other organizations, seeking to weaponize the Wiretap Act to create massive liability for website owners arising from website analytics and advertising technologies (‘AdTech’) that are ubiquitous in the 2020s.”
Why hospitals? Well, as the old joke goes, why did Al Capone rob banks? Because that’s where the money is.
In fact, when confronted with a similar class action lawsuit filed in 2019 by two anonymous parties, Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana-Farber settled the case for $18.4 million. And while denying any wrongdoing, they said they settled to avoid protracted and costly litigation.
Like the cases at hand, there were no allegations of a breach of patient medical or financial records, simply the collection of data.
But the named plaintiff in the current case alleges that the “intercepted communications provided a rich source of information that bolstered Google and Facebook’s ability to target advertising to individual consumers.” As a friend of the court brief filed by the Greater Boston Chamber of Commerce notes, “the plaintiffs do not even allege any actual harm resulting from the alleged violation of the Wiretap Act.”
The Chamber brief, filed in conjunction with the Massachusetts Nonprofit Network, said that while the two organizations “share the concern of all Massachusetts citizens and taxpayers over protecting consumer data and privacy,” that a “jerry-rigged interpretation of the 1968 Wiretap Act, which could not possibly have been intended to regulate the use of advertising technology on the internet, is not the way to do it.”
The fact is that the state’s Wiretap Act — which, despite its name, covers more than just government surveillance — is tougher than its federal counterpart and the law in some other states. Except for court-authorized wiretaps by law enforcement (which are rare), the law requires both parties to consent to being recorded. Its definition of “wire communication” has been broadened in recent years (through court decisions), as the hospitals’ brief notes, to protect people from secret eavesdropping on email, text messages, or videoconferencing. That makes sense. Mobile phone calls are the logical successors to landlines, and text messages and emails “successors to interpersonal telegrams.”
But the brief adds, “What Plaintiffs seek here: to interpret the language of this pre-internet age statute in a way that creates unintended, absurd, and calamitous internet age consequences.”
It even cites the privacy notice used by the hospitals at the time the suit was filed last year was the very same used by the Mass.gov website for a section where people can search under the heading Treatment and Recovery Services.
The scary fact is that those two dozen cases still pending here — most filed against hospitals or health care practices — and awaiting some kind of definitive answer from the SJC on the cases being heard Wednesday represent merely one branch of a huge and growing national “industry” — one in which any business or nonprofit could be vulnerable.
The Philadelphia Inquirer faces a federal lawsuit filed by two subscribers to its website for its use of Meta Pixel tracking software.
BJ’s Wholesale Club faces a class action suit filed by Joe Alves alleging the store’s use of a particular computer code, known as Session Replay Code, which tracks keystrokes and mouse movements and replays them for analysis violates the Wiretap Act. The rather busy Alves also filed a suit against Goodyear Tire and Rubber Co. in federal court in Boston for using the same technology. The latter was dismissed for “lack of personal jurisdiction.”
The cases at hand have little to do with requiring sensible policies on regulating the collection of information by the nation’s internet giants — something that Congress has been wrestling with for years without a great deal of success or progress. Hitting up the region’s major health care institutions for millions of dollars in penalties won’t impact the bottom lines of Google or Meta one bit. It’s not even about whether those often overlooked privacy policies offer sufficient disclosure. They remain a work in progress and some legislative guidance would help.
What this is about is a cynical misuse of a 1968 law — one that admittedly could use a legislative update to the current hodgepodge of case law that has grown around it in an attempt to adapt it to the 21st century. But broadening its scope beyond recognition isn’t some backdoor approach to internet regulation. It’s merely an open door to litigation without end.
What this is about is a cynical misuse of a 1968 law — one that admittedly could use a legislative update to the current hodgepodge of case law that has grown around it in an attempt to adapt it to the 21st century.