THE SUPREME JUDICIAL COURT ruled the state’s highly protective wiretap statute doesn’t necessarily apply to businesses using special software to track people browsing websites, but a single justice said the decision clearly runs contrary to what the Legislature intended when it passed the statute.
The 1960s-era Wiretap Act prohibits covertly intercepting communications, but the majority of Supreme Judicial Court justices concluded Thursday that use of popular AdTech tools that monitored a Revere resident’s browsing on the New England Baptist Hospital and Beth Israel Deaconess Medical Center websites doesn’t fall under that definition.
“We cannot conclude with any confidence that the Legislature intended ‘communication’ to extend so broadly as to criminalize the interception of web browsing and other such interactions,” Justice Scott Kafker wrote for the 5-1 court. If the Legislature wants to restrict the practice under the statute, he wrote, “it must say so expressly.”
Justice Dalila Wendlandt offered a scathing dissent, describing the majority as “blinded” by its view that collecting the tracking data so common that prohibiting it without direction from lawmakers would be disruptive to the companies’ bottom lines.
“In words too plain to question, the Legislature told us that the secret recordings alleged to have occurred here fall squarely within the threat to privacy it enacted the wiretap act to curb,” Wendlandt wrote. She dissented “because those same words show that the Legislature intended that such secret surveillance would not escape the act’s reach when it occurs over a website on the Internet rather than over a telephone or telegraph.”
Justices took up the case of Kathleen Vita, who says she was browsing the medical sites for details on doctors and other health information when a pop-up told her that the site used “cookies and other tools to enhance your experience on our website and to analyze our web traffic.”
Data from site users would be collected on an “aggregate, anonymous” basis by the hospital and its “third-party service provider,” in this case a group including Meta Pixel and Google Analytics. The data could then be used for advertising purposes.
Vita’s attorneys argued that this tracking behavior violated her expectation of privacy on the site and was comparable to surreptitiously collecting sensitive communications between a person and the health care site.
“Unbeknownst to their patients, the hospitals aided third parties to record this healthcare information, allowing the third parties to create detailed portraits of the patients’ medical needs and to monetize this information for advertisements targeted to those patients,” Wendlandt wrote. “Rather than candidly disclose this arrangement, the hospitals assured patients that, on their websites, the patients’ identities and privacy would be maintained. In short, the hospitals lied.”
Vita sued New England Baptist Hospital and Beth Israel Deaconess Medical Center separately, and a Superior Court judge denied the hospitals’ motion to dismiss the cases. The Supreme Judicial Court agreed to bundle the cases and hear the hospitals’ appeal directly.
The hospitals and business groups argue that the website tracking technology is widespread, and banning the practice as “wiretapping” would harm both underlying businesses like Google and Meta and their users by making it more difficult to target ads based on anonymized user data. These cases are popping up across the country, the hospital’s attorney said during arguments before the court, seeking large payouts for negligible, if any, harm.
Mass General Brigham and Dana-Farber settled a similar case in 2019 for $18.4 million with no admission of wrongdoing.
Business groups argued in the Vita case that there is no intercepting device being used in the tracking process. The Chamber of Commerce of the United States of America, in a brief supporting the hospitals’ position, said there must be some sort of specific tool or equipment being used, “not intangible computer code.”
In the majority opinion, the justices attempted to balance medical privacy with a textual analysis of the wiretap law itself. They disagreed with Wendlandt that private healthcare information was impacted, noting that there is no allegation that information contained within the private patient portals was accessed or shared, and pointed to the disclosure made by the websites that data tracking would occur.
“Make no mistake, the hospitals’ alleged conduct here raises serious concerns, and may indeed violate various other statutes and give rise to common-law causes of action more specifically directed at the improper handling of confidential information, particularly confidential medical information,” Kafker wrote. “And we do not in any way minimize the serious threat to privacy presented by the proliferation of third-party tracking of an individual’s website browsing activity for advertising purposes. These concerns, however, should be addressed to the Legislature.”
The wiretap law itself is “ambiguous,” the court majority concluded, and the “rule of lenity” should apply. The rule of lenity means that the courts should interpret an unclear or ambiguous law in a way that favors the defendant – in this case, the hospitals. The court reversed the Superior Court’s decision, allowing the case to be dismissed.
Handing off the responsibility to the Legislature is hardly a quick fix. Lawmakers have been considering changes to data privacy law for years, with the latest version of a proposed Massachusetts Information Privacy and Security Act sitting in the House Ways and Means committee since May.
“Lamentably,” Wendlandt concluded in her dissent, “the court is right about one thing; the Legislature will need to correct today’s error.”
The post Tracking cookies doesn’t violate wiretap law, SJC rules appeared first on CommonWealth Beacon.