Subscribe
Naughty and Nice: Recent Website Tracking Technology Cases Present Mixed Bag for Website Operators
Many people are thinking of holiday cookies at this time of year, but your favorite privacy lawyers are still thinking more about the non-delicious kind: those enabling common features on websites and online services. That’s because website operators continue to face litigation risk from prospective class action plaintiffs applying decades-old statutes to modern website tracking technologies, such as claims alleging that use of cookies, pixels, and similar online tracking tools violates state wiretap statutes, the federal Video Privacy Protection Act (“VPPA”), and even credit card transaction statutes.
Two recent appellate decisions in website tracking technology litigation present a rare gift to privacy lawyers seeking more certainty in this space, but are a mixed bag for website operators and the plaintiffs’ bar. In Vita v. New England Baptist Hospital, the Supreme Judicial Court of Massachusetts issued a favorable decision for website operators holding that a website user’s interactions with hospital websites are not communications subject to the Massachusetts Wiretap Act (the “MA Act”). On the other hand, the Second Circuit adopted a broad reading of the term “subscriber” under the VPPA in Salazar v. NBA. That holding means individuals who view videos on a website and exchange personal information for non-audiovisual services, such as newsletters, may have VPPA claims where their video viewing information is disclosed.
This post unwraps the Vita and Salazar decisions and takeaways for website operators to stay off the plaintiff’s bar’s naughty list.
Sugarplum: Website Interactions Are Not “Communications” Subject to Massachusetts Wiretap Act
The Vita case centered on claims that two hospitals’ use of common third-party tools to track user browsing activity on hospital websites violated the MA Act’s prohibition on intercepting wire or oral communications without consent from all parties involved in the communication. The plaintiff claimed that transmission of data regarding her website interactions to third-party tracking tool providers (such as Google and Meta) constituted protected “communications” and that she did not consent to their interception by third parties.
The hospitals moved to dismiss for failure to state a claim. The trial court denied those motions. The hospitals then requested and obtained direct appellate review by the Massachusetts Supreme Judicial Court.
The Supreme Judicial Court rejected the plaintiff’s argument that website interactions constitute “communications” under the MA Act. The court found that the statutory term “communication” was ambiguous in the context of hospital website interactions. The court then examined the MA Act’s legislative history. The court determined that history only reflected concerns with secret recording or monitoring of communications between human beings (as one might expect for a law enacted in 1968), which favored a narrow interpretation of covered “communications.”
The court then considered the analogous Federal Wiretap Act (“Federal Act”) as amended by the Electronic Communications Protection Act (“ECPA”) in 1986. The ECPA amended the Federal Act to expressly cover “electronic communications.” The court observed that the term “electronic communications” could cover website browsing activities, but noted that Massachusetts had not similarly amended the MA Wiretap Act. Additionally, the Federal Act only requires one party to consent to interception of “electronic communications,” such that the plaintiff’s consent would not be necessary to comply with the Federal Act. The court therefore did not hold that the Federal Act’s coverage of “electronic communications” meant the MA Act should be interpreted to do the same.
The court also held that the “rule of lenity,” which provides that ambiguity in statutes with criminal penalties should be resolved in favor of the defendant, supported a holding that website interactions are not “communications.” That doctrine was relevant to the MA Act because it includes both criminal and civil penalties. The court expressed hesitancy about holding that criminal penalties could apply to interceptions of a website user “running searches on the websites or accessing information about doctors published on the websites.”
Despite defeating the MA Act wiretap claims, the hospitals could still potentially be liable for third-party tracking claims under other legal theories. To that end, the court stated that plaintiffs could pursue other claims, such as for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, or privacy torts. The court also expressed concern with the hospitals’ alleged conduct, suggesting it may be more inclined to find for website users on other legal theories—especially where criminal penalties and the rule of lenity are not implicated.
Overall, though, the Vita decision is a win for website operators and will offer some ammo against website tracking claims filed in Massachusetts. Most of the recent cases against website operators using third-party tracking technologies, however, have been brought in California under that state’s Invasion of Privacy Act, where the Vita case will not be binding on interpretation of that statute. It remains to be seen whether courts interpreting the California statute will adopt the Vita court’s reasoning, especially given the Vita court’s focus on the Massachusetts legislature’s intent.
Lump of Coal: Users Who Exchange Personal Information for Non-Audiovisual Services Can Be “Subscribers” Under the VPPA
The Salazar case involved claims that the NBA’s website transmitted information about website users’ video viewing on that site to Meta via the Facebook pixel. The VPPA generally prohibits a “video tape service provider” (“VTSP”) from knowingly disclosing certain personally identifiable information about a “consumer” of the VTSP. “Consumer” is defined as “any renter, purchaser, or subscriber of goods or services” from a VTSP. The plaintiff alleged he became a “subscriber” under the VPPA by exchanging his email address in return for receiving NBA newsletters.
The district court granted the NBA’s motion to dismiss for failure to state a claim. The ruling held that the “goods or services” to which a VPPA consumer subscribes are limited to audiovisual goods or services and exclude newsletters.
The Second Circuit reversed the district court and vacated the dismissal. The Second Circuit reasoned that the plaintiff’s allegation that he exchanged personal information in return for receiving the newsletter sufficiently claimed that he was a “subscriber” and therefore a “consumer” under the VPPA.
The outcome in Salazar is obviously unfavorable for website operators. While it may be still be possible to defeat VPPA claims on other bases, the Salazar holding would remove one common avenue to argue the VPPA is inapplicable to a plaintiff. The opinion may also influence the Sixth and Seventh Circuits to adopt its reasoning in pending appeals considering similar and related issues, or lead to a circuit split if those courts disagree.
Making a List: Action Items to Manage Tracking Technology Litigation Risk
As tracking technology lawsuits proliferate, website operators can take the following proactive steps to manage their litigation risk:
- Inventory technologies used on websites, their purposes, whether third parties have access to data processed through those technologies, and what contractual restrictions are in place with respect to those third parties.
- Ensure website privacy policies accurately disclose the use of tracking technologies provided by third parties, the data those technologies collect, how that data is used, and how that data is shared.
- Consider obtaining agreement to the privacy policy in website terms of use.
- Deploy consent management tools on websites that use tracking technologies like cookies and pixels to inform users about, and obtain users’ consent to, their use. Implementation of those tools should also consider unique requirements for consent under the VPPA or other applicable laws where relevant.
* * * *
If you are concerned about tracking technologies on your website, or would just like to discuss what’s the best kind of holiday cookie (spoiler alert: it’s not anything with raisins in it), please contact any member of the Wyrick Robbins Privacy and Data Security Team.