The FTC is Not the Only One Tracking Your Use of Health Information

The FTC has made news recently with its recent enforcement activity regarding companies’ alleged disclosures of consumer health data, as detailed in our recent post FTC to Advertisers: We’re tracking Your Use of Health information, and as evidenced by the FTC’s tentative agenda for its next open meeting later this month on potential rulemaking regarding amending the Health Data Breach Notification Rule (a point which is curious given its prior policy statement already attempting to expand its scope, which we discussed here).

Aside from regulators, however, Plaintiffs’ lawyers also are paying attention to the FTC’s activity of law, and, on a parallel track, has initiated a wave of consumer class actions regarding the use of tracking pixels and consumers’ health information” have followed. We anticipate this wave will only increase in response to Washington’s My Health, My Data Act once in effect.

The Trend: More than 50 class actions have been filed across the country in recent months, all of which rely upon similar factual allegations.

These recent lawsuits assert similar claims to ones brought by the FTC, and allege that companies in the healthcare sector (and beyond) are using advertising pixels on their websites and patient portals to harvest user data, including medical information from users accessing the relevant sites for a medical purpose. These actions claim that these companies then transmit that information to third parties, such as social media platforms, to target advertising for that user, who then begins to receive targeted advertising related to her particular medical condition.

The Legal Theory: While these lawsuits all rely upon a similar factual predicate, plaintiffs have been relying upon a variety of legal theories to seek relief including:

  • State specific privacy and consumer protection statutes across the country, such as the California Invasion of Privacy Act (“CIPA”), as well as other similar statutes in Illinois, Wisconsin, Pennsylvania, and Florida,
  • Federal privacy law statutes, such as the Federal Wiretap Act Stored Communications Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act (“ECPA”), and
  • Common law claims such as negligent misrepresentation, negligence, breach of confidence, breach of contract, breach of warranties, invasion of privacy, intrusion upon seclusion, unjust enrichment, and breach of fiduciary duty.

Cases to Watch: As we monitor this developing trend, below are examples of the cases we are watching most closely:

  • In In Re Meta Pixel Healthcare Litigation, plaintiffs filed suit against Meta inthe Northern District of California, asserting claims under the federal Wiretap Act, CIPA, in addition to common law claims. The plaintiffs sought a preliminary injunction to require Meta to immediately cease the collection, dissemination, and retention of patient information acquired by the Meta Pixel on hospital webpages. The court ultimately denied the injunction request because Meta was able to show that it had systems in place to detect and filter potentially sensitive information transmitted by the Pixel that were sufficient to warrant denial of the injunction request at the early stage of the proceedings. The court, however, indicated it would revisit the issue following discovery. The court also concluded that: (i) Meta Pixel does, in fact, track patient status, and (ii) patient status is considered Protected Health Information under the Health Insurance Portability and Accountability Act (“HIPAA”). The court also rejected, for purposes of the preliminary injunction phase, Meta’s argument that consumers consent to the sharing of their information through the Pixel through its privacy policy. The case is now continuing beyond the preliminary injunction context.
  • In Wilson v. GoodRX Holdings, Inc., Criteo Corp., Meta Platforms, Inc., and Google LLC, plaintiffs filed suit against a number of defendants in the Northern District of California asserting claims under CIPA, the California Confidentiality of Medical Information Act (“CMIA”), California Consumers Legal Remedies Act (“CLRA”), Unfair Competition Law (“UCL”), and common law invasion of privacy claims. These cases were consolidated on May 3, 2023. While this case is still in early stages, there is suggestion that certain defendants may move to compel arbitration. The deadline for GoodRX to file motion to compel arbitration is June 9, 2023.
  • In another Northern District of California case, plaintiffs in Doe v. Hey Favor, FullStory, Meta Platforms, TikTok and Bytedonel filed suit regarding sensitive health information provided to Favor, which provides at-home delivery of birth control products. Plaintiffs allege that this information was allegedly sent to Meta and TikTok and have asserted common law invasion of privacy claims, as well as claims under CMIA and CIPA. This litigation also remains in the early stages, pending a motion by Meta to sever claims against it and consolidate with In re Meta Pixel Healthcare Litigation cases.

What’s Next: As companies assess new privacy risks associated with their advertising practices, it’s clear that the use of consumer information related to health for advertising purposes is not only on the agenda for the FTC and legislators, but also on the radar of the plaintiffs’ bar.

Companies offering health and wellness-related products or services would be wise to evaluate their adtech practices and consider whether:

  • Their privacy policies clearly state the type of information that is collected, with whom it can be shared. If your company also chooses to provide a cookie banner, evaluate whether it is appropriate to update the banner disclosure and type of permissions you are seeking in light of the data being shared and business practices at issue in the litigation wave.
  • Any of the information collected and processed may qualify as health information at issue in these cases, even if hashed.
    • If so, evaluate your disclosures and permission settings along with a risk analysis with your legal counsel.
  • You have a process in place that identifies, at a granular level, what information you are sharing with third parties through pixels or otherwise.
    • You may need to update current training to advertising team and review and update current processes when engaging with adtech and how it is applied to your digital properties.
  • Your business is in the hot zone” of federal scrutiny (or adjacent), or whether any of your partners are.
    • Review contract terms to make sure you have the strongest possible protection.
  • You can implement a risk plan (immediate and longer-term) to address the current legal developments and the new laws that are coming, and re-assess at a reasonable cadence given how quickly this landscape is shifting.

If you’d like an overview of this subject, you can also Click here for a recording of our recent webinar titled, Privacy, Health and Pixels – What You Need to Know Now.” If you have questions about your privacy practices, or this litigation trend, feel free to reach out to discuss.