BOSTON (Legal Newsline) - A pair of Massachusetts hospitals didn’t violate a wiretapping law by monitoring the browsing habits of website users although they may be liable under other statutes, the state’s highest court ruled.
Dashing the hopes of some privacy advocates, the Massachusetts Supreme Judicial Court dismissed a proposed class action by a woman who claimed they were illegally monitoring her private communications when they collected browsing data, including her Internet protocol address, and sold it to outside marketers.
The decision hinged upon the ambiguous meaning of “communications,” which the high court concluded meant person-to-person voice or written communications, not a user’s interaction with a website. One justice dissented, saying the state wiretapping law was broadly written to anticipate new technology with the capability to eavesdrop on private communications.
Kathleen Vita sued New England Baptist Hospital and Beth Israel Deaconess Medical Center under the wiretapping law, which provides criminal and civil penalties. The hospitals moved to dismiss and when a trial judge refused, they appealed to the Supreme Court.
“While the Legislature plainly intended the wiretap act to prohibit future technological means of such interceptions, it is not at all clear that the Legislature intended the statute's prohibition on intercepting `communications’ to include, as supposed `communications,’ the web browsing alleged here,” the court concluded.
The hospital’s conduct “raises serious concerns” and may violate other statutes covering confidential information, the court said, but those concerns must be addressed by the legislature.
The U.S. Chamber of Commerce, hospital associations and consumer and privacy advocates all filed briefs in the case.
The hospital websites didn’t collect any confidential medical information but used other clues including her computer configuration and Internet protocol address to assemble “browser fingerprints” that were sold to outside merchants for so they could target her with advertisements. The websites utilized Facebook’s “Meta Pixel” app and Google Analytics to compile the data, she claimed.
Other data the websites collected included when and where users scrolled through webpages, whether they went to a page for scheduling new appointments and submitted a form, the filtering criteria used in the “Find a Doctor” app, and whether users navigated to other pages for paying bills or to log in to a patient portal.
Both hospitals included pop-up messages detailing their privacy practices, including that they collected browsing information to "improve site content and overall usage." They said the information was collected on an aggregate, anonymous basis and wasn’t shared with outside organizations except for law enforcement. Other than police engaged in a legal investigation, the hospitals said, “we will not share any information we receive with any outside parties."
Vita argued the wiretap law applied because third parties were monitoring her communications with the website without her knowledge or consent. The law doesn’t go that far, the Supreme Court said. The law defines “interception” as secretly hearing or recording the contents of “oral or wire communications,” with the meaning of “communications” ambiguous.
Under the rule of lenity, that means the defendant must be given “the benefit of any rational doubt,” the court said. Applying that analysis, the court concluded the law concerns communications between people, not between a human and a website.
“When a user browses a public website, and accesses databases and other information readily available to anyone on the Internet, the user is not speaking or messaging with another person but rather interacting with the website; the user is also not engaged in personal conversation or messaging but rather browsing and interacting with the published information on the website,” the court said.
Vita cited the preamble to the law, which warned about “the uncontrolled development and unrestricted use of modern electronic surveillance devices.” But there’s a significant difference between using new technology to intercept personal communications and monitoring a user’s interaction with a website, the court concluded. Other laws including consumer-protection statutes may cover the interception of user actions, the court said.
Justice Dalila Argaez Wendlandt dissented, saying the hospitals told patients their websites were a private space for exchanging confidential information but were secretly selling it to outside parties. Those communications were just as deserving of protection as actual spoken or written interchanges with doctors and administrators she said.
“I agree with the court that the words of a statute must be read in context, but they must be read,” the justice wrote. “Courts generally describe exchanges of information on the Internet between website owners and website users as `communications,’ applying that word's plain and ordinary meaning.”