Wiretapping claims have become the focus of the privacy plaintiff’s bar, and the healthcare industry in particular has been in the crosshairs of recent filings (with as many as a couple dozen new purported class actions filed daily). Wiretapping statutes have a long history in the privacy and cyber world, dating back to the 1960s in large part. Applying dated statutes and case law to modern technology frequently is challenging. And this is a recurring theme in the privacy litigation realm. While much of the hype is on new state privacy laws (such as the CCPA, Virginia’s CPDA and Illinois’s BIPA), the plaintiff’s bar is opportunistic in repurposing old theories and claims applied to new technology. These statutes are supporting a feeding frenzy of lawsuit filings.
Wiretap Act. Many of these recently filed wiretap cases will include a claim for violation of the Federal Wiretap Act and state wiretap laws, sometimes from the plaintiff’s state of residence and other times from the state where the website operator or defendant is based. Often this is a point of initial contention: which of these wiretap statutes applies to whom. Importantly, the Federal Wiretap Act and each state’s wiretap statute may differ in meaningful ways; for example, Illinois’s differs from California’s, Alabama’s from New York’s and Connecticut’s from Massachusetts’s. As relevant here, the Federal Wiretap Act prohibits, generally speaking, intercepting an electronic communication by a nonparty to the communication without consent of one party to the communication, and even then, the interception may not be for purposes of criminal or tortious conduct. See 18 U.S.C. §§ 2511(1)(a), (c)-(d), (3)(a).
Illinois Federal Court Decision. A recent decision in the U.S. District Court for the Northern District of Illinois illustrates this issue. In a purported class action brought against a Chicago hospital, plaintiff alleged that the hospital non-consensually and deceptively embedded third-party code on its website and its patient portal in violation of the Federal Wiretap Act and various state laws and torts. The plaintiff alleged that this code, which is not visible to users of the website and portal, causes her personally identifiable patient data to be transmitted to social media and adtech companies for advertising purposes. This follows other recent lawsuits in which plaintiffs allege that website performance and adtech tracking mechanisms (such as cookies, pixels or web beacons), or other third-party material in general, collect personal information and share that information with others without the knowledge and consent of the website visitor. For example, this plaintiff alleges that when a user clicks on the hospital’s “Schedule Your Appointment Now” button on its website, the hospital “causes the transmission of the patient’s personally identifiable data and re-directs the content of the patient’s click of the ‘Schedule Your Appointment Now’ button to” third-party social media companies.
On a motion to dismiss, the court evaluated whether the defendant hospital is a party to the communication such that there was no interception that violates the Federal Wiretap Act: “It shall not be unlawful under this chapter [i.e., the Federal Wiretap Act] for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.”
On a motion to dismiss, the court evaluated whether the defendant hospital is a party to the communication such that there was no interception that violates the Federal Wiretap Act. In examining what the court described as a circuit split between the First, Seventh and Ninth Circuits, on the one hand, and the Third Circuit, on the other hand, the court found that the hospital was not liable under the Federal Wiretap Act for alleged interception of the communication. In doing so, the court considered the Federal Wiretap Act’s criminal or tortious conduct exception and concluded that the transfer of metadata or website activity, without more, did not constitute criminal or tortious activity.
The court summarized its inquiry as to Plaintiff’s alleged violations of the Federal Wiretap Act:
“any person who—(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral or electronic communication” may be subject to (among other things) a civil penalty. 18 U.S.C. § 2511(1)(a), (5)(a)(ii). The same is true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. 18 U.S.C. § 2511(1)(c), (d). Section 2511(2)(d) of the statute provides an exception when the person intercepting a communication “is a party to the communication or where one of the parties to the communication has given prior consent to such interception.” This so-called “party exception” does not apply, however, if the “communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d). In addition, section 2511(3)(a) provides that “a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication . . . while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication. . . .” 18 U.S.C. § 2511(3)(a) (emphasis added).
According to this court, the Third Circuit has held “that when the defendant is the intended recipient of a communication, it is necessarily ‘one of its parties’ and its interception of the communication is therefore shielded by the party exception.”
This court juxtaposes that against the Ninth Circuit’s interpretation of the party exception. While plaintiff relies heavily on the Department of Health and Human Services (HHS) recent guidance to argue that online tracking technologies may violate HIPAA, the court agrees with defendant that the regulatory guidance (even if applicable, which the court does not decide upon) “only applies prospectively.” Meaningfully, the court wades into the technical aspects of the allegations to find that “the hypotheticals provided by [plaintiff] appear to illustrate only what occurs when an individual—whether a patient or not—clicks on certain areas of [defendant’s] public website. [Plaintiff] does not allege what surreptitious patient data disclosures occur when an actual  patient enters her [online] portal and navigates through it.”
The court then finds that the defendant hospital is not an “electronic communication service” provider as contemplated in the Federal Wiretap Act, because it simply licenses the software in the course of its ordinary business; instead, the company that provides the software for the patient portal services or the software itself would fall within that category. Ultimately, the court dismisses four of five counts in the complaint (including a claim for violation of Illinois’s consumer protection law), leaving pending only the plaintiff’s claim for violation of Illinois’s deceptive trade practices law.
Why this matters: More lawsuits are coming; prepare yourself immediately. For example, as various industries, such as healthcare, increasingly rely on websites to provide goods and services, there likely will be more complaints and lawsuits about how those websites operate and the data they collect. Legal teams must closely review their organization’s website activity and functionality, review and update their organization’s privacy and security disclosures routinely, and ensure that their organization’s risks are understood and mitigated.