To date, 19 states have adopted comprehensive data privacy laws, but Massachusetts is not among them. Thus, Massachusetts residents whose web browsing activities result in an unexpected loss of privacy sometimes base their claims on laws that were enacted before the internet existed. Such was the case with Kathleen Vita, who found that her use of hospital websites had been tracked and made available to advertisers.

In its website privacy policy, Beth Israel Deaconess Medical Center (BIDMC) says that it routinely gathers data regarding the use of its website. It also says that the data is collected on an aggregate, anonymous basis, so that no personally identifiable information is associated with the data, and that the usage information is not shared with other organizations. The policy mentions an external third party service provider that also collects the data, but is vague as to whom that party is, the data that is shared, and the uses to which the date might be put.

Until it recently stopped the practice, BIDMC used Google Analytics and Facebook Meta Pixel technology to track user activity on its website. This involved placing code on the BIMDC website that tracked each user’s browsing experience and transmitted the data to Google and Facebook.

The tracking software collected user IP addresses, which permitted Google to identify the individuals and to associate that data with other browsing data of the same individual. This enabled Google to feed ever more focused advertising to the individual users. The information collected on the BIMDC website included requests to make appointments with particular doctors, thus potentially revealing details about the health problems of the visitors.

In 2023, Ms. Vita commenced a purported class action lawsuit against BIDMC (and a parallel case against New England Baptist Hospital) claiming that BIDMC’s use of Google and Facebook tracking technology was a violation of the Massachusetts wiretap statute, a law that was modelled after a similar federal statute. The Massachusetts statute includes both civil and criminal penalties.

At the trial court level, Ms. Vita survived a motion to dismiss the case. BIDMC argued that its privacy policy provided sufficient notice to support the notion that its sharing of data with Google was authorized by consumers. The trial court disagreed, noting that the privacy policy was too vague, not mentioning the recipients of the data, the type of data being shared, or the purposes to which the shared data might be put. The court also said that the privacy policy obscured the fact that the data was shared with multiple parties, not just one.

The court noted other Massachusetts cases that had refused to limit the statute’s term “communication” to person-to-person conversations. Following that precedent, the court ruled that the interaction of the consumer and the BIDMC website was a communication subject to the wiretap act. Because of the novelty and importance of this ruling, the court asked for an appellate review of its ruling.

The Massachusetts Supreme Judicial Court (SJC) took a direct appeal of the ruling, bypassing the intermediate Court of Appeals. The case was of national significant because most states have wiretap statutes similar to the Massachusetts statute and none has yet been applied to ad tech browsing technologies. Amicus briefs were filed on behalf of the United States Chamber of Commerce, the National Consumer Law Center, the National Retail Federation and the New England Legal Foundation, among others.

In October 2024, the SJC ruled that the BIDMC’s website practices did not violate the Massachusetts wiretap statute. The court’s logic was that the wiretap statute prohibits unauthorized interception of communications, and an individual’s interaction with the public portion of a website does not constitute a such “communication”.

The SCJ said that this determination was a close call, but that it was necessitated because of the statute’s criminal penalties and a policy against an expansive reading of criminal statutes. It also noted a policy of refraining from having different interpretations of the same statutory language in the criminal and civil contexts.

According to one study, 49 U.S. states (excluding only Vermont) and Washington D.C. have wiretap statutes with both criminal and civil penalties. Thus, SJC’s ruling may thus be influential on a national basis.

This ruling does not mean that companies are free to use ad tech in any manner that they wish. In fact, the SJC opinion pointed to a number of laws that could be used to pursue claims based upon the bad behavior of website owners, including MGL ch. 93A, an antifraud statute that allows for recovery of treble damages and legal fees.

The court’s summary of legal theories that could be used to pursue website owners for privacy violations was limited to Massachusetts laws and statutes, and thus omitted any reference to the Video Privacy Protection Act (VPPA). The VPPA is a federal statute that is the basis for a purported class action lawsuit against the New England Patriots based upon allegedly unlawful sharing of user data involving viewing of website videos. We wrote about this case soon after the complaint was filed. No ruling on the merits of that case has yet occurred, but suffice it to say that collecting and distributing data that tracks website video viewing is far riskier than tracking the viewing of ordinary web pages.

It is striking that the BIDMC website’s privacy policy has not changed in response to the criticism levelled at it by the Superior Court. The plaintiff’s brief indicates that BIDMC has changed its business practices, no longer sharing data with Google or Facebook. Nonetheless, the case is another example of the problems that can arise when a website privacy policy made grand statements about protection of privacy that turn out not to be true.

The SJC’s ruling closes the door on one possible legal risk associated with ad tech software, but it does not by any means give the use of such technology a carte blanche, particularly if the website privacy policy is unclear or misleading about the collection of data its use by third parties. In fact, the plaintiffs have asked the court for permission to file an amended complaint.

Most websites seek an audience that extends beyond the boundaries of a single state. This Massachusetts ruling eliminates one possible vulnerability associated with ad tech tools, but only in Massachusetts. Whether other states will reach a similar conclusion about their wiretap statutes remains to be seen.