Amid the continued wave of consumer class action lawsuits targeting the use of cookies, pixels, beacons, and other tracking tools on organizations’ websites, a recent decision from the Massachusetts Supreme Judicial Court departed from other jurisdictions by holding that the state’s wiretap act did not apply to the use of these emerging technologies.
Kathleen Vita alleged that her interactions with several hospital websites, which included searching for doctor credentials and medical information, met the definition of “wire communications” under the Massachusetts wiretap act. Ms. Vita alleged that these interactions were then “intercepted” by the hospitals’ use of website analytic software (such as Google Analytics and the Meta Pixel) to monetize her personal information and deliver targeted advertising.
The hospitals filed motions to dismiss the lawsuit, contending that the wiretap act did not apply to the use of analytic software on a website. A lower court denied the motions and allowed the case to go forward. The defendants then requested review by the Supreme Judicial Court.
The Supreme Judicial Court disagreed with the lower court and said that Ms. Vita’s lawsuit should have been dismissed. The Court focused on whether her interactions with the hospitals’ websites met the wiretap act’s definition of “communications” to support the allegation of unlawful interception by the hospitals.
The Court noted that the state’s wiretap act did not define “communication” but defined “wire communications” as those transmitted via wire, cable, or other similar methods. Focusing on the statutory text, legislative history, and dictionary definitions, the Court concluded that a “communication” in the meaning of the wiretap act refers primarily to a person-to-person exchange. Browsing on a website -- clicking links, entering search terms, and the like -- fundamentally differed from person-to-person communications, such as emails, texts, and telephone calls. Only the latter were the core focus of the legislature when it enacted the wiretap act, according to the Court.
When a user visits a public website and accesses databases and other information readily available to anyone on the Internet, the user is not speaking or messaging with another person but rather is engaging with the website.
The Court noted that Ms. Vita did not allege that her communications with any health care professional were intercepted. If she had, the Court said, “these would be much different cases.”
The Court also made clear that it was not attempting to minimize the alleged conduct of the defendants:
Make no mistake, the hospitals’ alleged conduct here raises serious concerns, and may indeed violate other statutes and give rise to common-law causes of action more specifically directed at the improper handling of confidential information, particularly confidential medical information. And we do not in any way minimize the serious threat to privacy presented by third-party tracking of an individual’s website browsing activity for advertising purposes. These concerns, however, should be addressed to the Legislature.
Although the Court’s opinion (and the dissent) contains a detailed discussion of statutory construction, the nature of web browsing, and policy implications, the Court primarily focused on the principle that only the Legislature could expand the scope of the wiretap act to address emerging privacy issues.
The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
