Eric B. Gyasi has joined BakerHostetler’s New York office as counsel in the firm’s Digital Assets and Data Management (DADM) Practice Group, and he will be a member of the Digital Risk Advisory and Cybersecurity team. With more than 15 years of professional experience, Gyasi directs cybersecurity incident response investigations, advises boards of directors regarding their cybersecurity fiduciary obligations, and develops information security and governance programs. Gyasi previously led digital forensics investigations at Stroz Friedberg, an incident response company, and he brings deep technical proficiency along with the ability to synthesize highly technical issues for clients so that they can assess and operationalize cybersecurity regulatory guidelines. Gyasi’s addition follows the arrival of Sarah La Voi, an advertising and commercial transactions partner in the DADM group, who joined the firm’s Chicago office earlier this month.
On Friday, July 14, 2023, on the heels of the California Attorney General’s (AG) announcement seeking information from California employers on their compliance with the California Consumer Privacy Act (CCPA), the California Privacy Protection Agency (CPPA) Board of Directors (the Board) held a public meeting to discuss a number of highly anticipated topics.
Washington’s groundbreaking “My Health My Data Act” (HB 1155) (the Act) was signed into law on April 27, 2023. This Act imposes new requirements on the processing and sale of consumer health data by organizations with a nexus to Washington state, as our earlier blog posts explain. In this blog post, we examine the private right of action available under the Act, including how it interacts with the state’s Consumer Protection Act and the risk of class actions.
The Private Right of Action’s Extensive Scope
The Act provides for a private right of action in Section 11 by establishing that a violation of the Act is an unfair or deceptive act under the Washington Consumer Protection Act (CPA). It is one of the most far-reaching private rights of action of any state privacy law, for several reasons:
First, the private right of action appears to broadly apply to any violation of the statute (unlike, for instance, the private right of action under the California Consumer Privacy Act (CCPA) which applies only to a data breach). Every provision—including those relating to consumer rights, notice and consent obligations, and restrictions on selling and sharing—appears to be fair game. This exposes businesses to a wide range of potential violations within the Act’s four corners.
Second, other than certain narrow exceptions, there appear to be no meaningful prerequisites or deterrents to exercising the private right of action. For example, the Act includes no opportunity to cure and does not limit actions based on a violation’s severity (e.g., willful or reckless versus negligent violations) or procedural posture (e.g., class actions versus individual plaintiff suits). Nor does the Act require a plaintiff to exceed a minimum harm threshold before suing. This, combined with the CPA’s right to attorneys’ fees and the Act’s broadly worded provisions, could invite plaintiffs’ counsel to test hyper-technical interpretations, exposing businesses to various nuisance claims that are unlikely to promote the Act’s original goals.
Third, the Act’s broad definitions bring an expansive range of consumers and data within the private right of action’s scope. A “consumer” is defined to include not only Washington residents but any natural person whose health data is “collected in Washington,” subject to certain narrow exceptions. And because the Act defines “collect” to also include any processing, the Act appears to let non-Washington residents file suit if their “consumer health data” has merely been processed in Washington. “Consumer health data” is also broadly defined, as we explained in an earlier blog post, extending well beyond what most typically conceive of as medical history, diagnosis and treatment information. In other words, any natural person anywhere whose health data is processed in Washington could bring suit under the Act for any violation against an entity that meets the Act’s minimal nexus requirements to qualify as a regulated entity, subject to some narrow entity-level exceptions. This could significantly expand the pool of putative class members in a class action lawsuit and helps illustrate why early preparation to mitigate the risk of a class action lawsuit is critical.
In summary, plaintiffs’ counsel may target nearly any business that processes consumer health data of a Washington resident or individual whose consumer health data is processed in Washington. Because of how the Act defines “collected,” this risk extends to any regulated entity that processes any natural person’s consumer health data in Washington state. This broad scope helps illustrate why early preparation and ongoing compliance are important for any such business.
Relationship Between the Act and the CPA
As noted, the Act declares any violation of any of its provisions an unreasonable practice and unfair act, which then allows a plaintiff to sue under the CPA.
More specifically, to prevail on a CPA claim, a plaintiff must prove (1) an unfair or deceptive practice; (2) occurring in trade or commerce; (3) impacting the public interest; and (4) injuring a plaintiff in his or her business or property; as well as (5) causation between the unfair or deceptive practice and the injury suffered.
The Act provides plaintiffs with language establishing per se the first three (3) elements of a CPA claim for any violation of the Act: “The practices covered by [the Act] are matters vitally affecting the public interest for the purpose of applying the consumer protection act,” and a violation of the Act “is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the [CPA].” This language is consistent with Washington Pattern Jury Instructions, WPI 310.03, Per Se Violation of Consumer Protection Act.
We expect plaintiffs to reference this per se language in the Act in furtherance of establishing the first three elements of a CPA claim. We also expect them to argue that the remaining two elements (damages and causation) are not appropriate for resolution at the pleading stage, and that discovery is warranted, thus increasing the cost of litigation in hopes of gaining leverage for settlement.
In fact, the Washington Legislature had adopted an amendment to remove the per se language in March 2023. This amendment would have required a private plaintiff to prove in each case that an alleged violation (1) relates to a matter vitally affecting the public interest and (2) is an unfair or deceptive act in trade or commerce. In short, this amendment would have likely provided a barrier to nuisance claims. But in a last-minute amendment modifying several provisions before the Act passed, the Legislature added the per se language back in.
Like the Act, the CPA allows “natural persons” to bring claims and does not appear to limit the size or scope of a putative class, further increasing litigation risk and potential exposure.
Available Damages Under the Act
Unlike with the CCPA or Illinois’ Biometric Information Privacy Act (BIPA), statutory or liquidated damages are not available in private suits for a violation of the Act (as opposed to actions brought by the state, which allow for a civil penalty of up to $7,500 “for each violation” and another $5,000 for targeting people based on certain protected characteristics).
The Act is not toothless, however. It provides for:
- Actual damages sustained by “any person . . . injured by a violation” of the Act;
- Treble damages in the court’s discretion up to $25,000;
- Attorneys’ fees and costs; and
- Injunctive relief.
It remains to be seen whether each claim for a violation of the Act accrues only once—when consumer health data is first collected or disclosed—or, as with BIPA, a new claim accrues each time consumer health data is collected or disclosed. Although statutory damages are not in play, even nominal damages for each violation can add up to a substantial number, especially with a large putative class. The availability of attorneys’ fees is also likely to embolden plaintiffs.
Risk of Class Action Lawsuits
Although the legislature’s decision to exclude statutory damages may blunt the risk of class-action lawsuits under the Act, the risk remains high for at least the following reasons:
- As noted, any alleged violation of the Act is actionable, there are few restrictions on the private right of action, nonresidents can sue in some cases, and attorneys’ fees are available.
- The Act is rife with expansive yet vague provisions (e.g., the definition of “consumer health data”). The statements regarding the Act’s purpose are plaintiff-friendly.
- Washington is home to some of the largest technology companies and cloud service providers in the world (ideal targets for plaintiffs’ lawyers).
- There is a significant risk of biometric class actions as the Act imposes several new requirements and restrictions on entities that collect and use biometric data, much like BIPA (minus the availability of statutory damages).
- The Act arises within a broader trend toward intense scrutiny of health information practices under state privacy laws, heightening the risk of private lawsuits and regulatory enforcement.
Moreover, although plaintiffs must prove an “injury” to their business or property that is caused by a defendant’s alleged violation of the Act, Washington courts have held that such injury need not be monetary, so long as the plaintiff can prove a specific harm to his or her business or property. The viability of an alleged injury under the Act will likely turn on the type of violation alleged and the type of consumer health data at issue, among other factors. This uncertainty alone is expected to elevate litigation risk for regulated entities as plaintiffs and their counsel test the uncharted waters of the Act.
Determination of whether a class may be certified is a critical juncture in healthcare-related privacy class actions. There are strong grounds, including decisions our team has recently achieved (see, e.g., here), for finding these types of cases are not suitable for class treatment.
Interestingly, the Act includes a provision obligating a committee to review actions brought by consumers and prepare a report including “the number of civil actions where a judge determined the position of the nonprevailing party was frivolous” and “recommendations for potential changes to enforcement provisions of the act.” This inclusion suggests the legislature is aware of the risk that the Act’s broad language will lead to plaintiffs abusing the private right of action.
Finally, unlike CCPA section 1798.192, the Act does not contain a provision prohibiting contract terms that limit the exercise of consumer rights. Accordingly, companies should evaluate whether risk-mitigating contract provisions such as class action waivers may be enforceable, yet weigh the risk of a court finding that such limitations may be contrary to public policy or inconsistent with the private right of action allowed under the Act through the CPA.
As with many websites, hospitals often deploy third-party analytics tools to measure browser traffic in order to increase awareness of their websites, ensure website optimization and provide health care information to the public. But recently there has been a proliferation of class action lawsuits alleging that through those analytics tools, hospitals actually disclose patients’ identities and online activities without their knowledge and consent (“Hospital Website Pixel Cases”).
The BakerHostetler Privacy and Digital Risk Class Action and Litigation team is currently defending numerous hospital systems in Hospital Website Pixel Cases across various jurisdictions, including but not limited to California, Florida, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, Missouri, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Washington and Wisconsin. The purpose of this blog post is to shed light on the current litigation landscape, present high-level strategic considerations and promote best practices to mitigate litigation risk.
Since June 2022, over 100 Hospital Website Pixel Cases have been filed against hospitals in federal and state courts around the country. Despite the growing number of cases, there is limited precedent regarding potential liability. None of the cases have gone to trial, and we are unaware of any summary judgment or summary adjudication rulings. In most instances, motions to dismiss have successfully disposed of certain claims but not entire cases. One state court in Washington certified a class, while another state court in Maryland denied class certification. Only two settlements have been made public. The first, in Massachusetts state court, was settled for $18.4 million. More recently, a Wisconsin state court granted preliminary approval of a $2 million settlement. In short, the ultimate question of liability and potential settlement exposure is unknown to date.
Plaintiffs in Hospital Website Pixel Cases have asserted (a) contract claims based on website privacy policies or notices; (b) state law privacy claims (statutory, common law or constitutional) based on unauthorized disclosures of patients’ personal and/or medical information; and (c) Federal Wiretap Act or analogous state law claims based on interceptions of communications. Other types of claims, including those based on statutes that have traditionally targeted “computer hacking,” have also been asserted. See, e.g., California Comprehensive Computer Data Access and Fraud Act – Cal. Penal Code § 502.
On July 12, 2023, the Southern District of California granted a motion to dismiss a Hospital Website Pixel Case in its entirety, with leave to amend. Plaintiffs had asserted state common law and constitutional privacy claims, a breach of fiduciary duty claim, a California state wiretap act claim, and a California Medical Information Act claim. The Court held, among other notable rulings, that as a matter of law, “Plaintiffs cannot maintain their claims based upon the theory that Defendant’s sharing of their browsing activity, collected on its publicly facing website, is a disclosure of their sensitive medical information.”
Considerations for hospitals facing website pixel litigation
As noted, motions to dismiss have been successful in disposing of certain claims, depending on the particular allegations in the complaint and the controlling law. Multiple courts, for instance, have held that HIPAA-required privacy notices cannot form the basis of plaintiffs’ contract claims. Rather, these notices are merely provided to patients in order to comply with federal law. Another argument to consider is whether plaintiffs have alleged specific contract provisions that a hospital defendant allegedly breached (e.g., to not disclose patient data).
With respect to state law privacy claims, one item to consider is whether plaintiffs consented to the alleged analytics practices. For instance, at least one Ninth Circuit decision has affirmed dismissal of plaintiffs’ claims on the ground that plaintiffs’ consent to analytics and data disclosure practices on a hospital website barred their statutory and common-law privacy claims. In other cases, courts have dismissed intrusion upon seclusion claims, finding that plaintiffs failed to allege that hospital defendants obtained patient data.
Additionally, a subsumption argument may enable hospitals to successfully defeat some tort claims if their state has created a common-law tort for the unauthorized disclosure of nonpublic medical information to a third party. For instance, a state court in Ohio agreed with this subsumption argument and dismissed a plaintiff’s breach of confidence, negligence and breach of fiduciary duty claims.
Other defenses will depend on the precise statutes implicated and facts alleged. For instance, courts have rejected statutory claims requiring disclosure of “medical information” where none was identified. Additionally, courts have dismissed state consumer protection act claims for failure to identify damages sufficient to state an identifiable loss.
With respect to statutory wiretap-related claims, depending on the precise statute at issue, hospital defendants have successfully defeated these claims by arguing that, as parties to the communications, hospitals cannot be held liable for interception, and wiretap acts’ criminal or tortious conduct exceptions do not apply. Courts have also dismissed wiretap act claims because, among other reasons, some statutes contain no private right of action, hospitals are not “electronic communication service” providers, and plaintiffs failed to establish that the “contents” of any communications were transmitted, that any “interception” occurred or that an interception occurred “in transit.”
Lastly, hospital defendants may find that plaintiffs’ claims are subject to binding arbitration and/or class action waivers, which may form the basis of a successful motion to compel arbitration and/or a motion to strike class allegations, respectively.
Plaintiffs have also brought motions for preliminary injunction at the outset. To date, these motions have been unsuccessful, in part because plaintiffs can always disable the collection of their data through various opt-out tools, or refrain from using the hospital website at issue.
Opposing class certification
In opposing class certification, hospitals may raise various arguments to support the conclusion that the issues are too individualized to support class treatment. For instance, there may be key differences in putative class members’ experiences (including but not limited to their purpose for visiting the website, the pages they visited, and their browser and device settings). We are aware of one state court to date that has granted class certification and one that has denied class certification. In denying class certification, the court held that plaintiffs failed to show that common issues of law and fact predominated over individual issues. Moreover, the court held that because plaintiffs raised novel questions under state law, their claims were ill-suited for class certification.
The only class certification rulings issued so far in cases brought against hospitals have been unpublished state court decisions. In an instructive ruling involving similar alleged tracking technology, the Northern District of California denied class certification, holding that substantial issues about remaining logged into Facebook and clearing and blocking cookies meant that individualized issues predominated over any common issues. The court also held that the proposed class was not identifiable because class status turned on whether c_user cookies were sent to Facebook, which could not be easily determined.
In addition to individualized issues that may preclude class certification, plaintiffs’ proposed classwide damages theories may be unreliable because they do not reflect the economic realities of website interactions and/or do not fit with plaintiffs’ classwide claims. Lastly, depending on plaintiffs’ particular circumstances, discovery may show that the named plaintiffs are inadequate class representatives because their claims are subject to unique defenses.
Moving for summary judgment or summary adjudication
As noted, we are unaware of any summary judgment or summary adjudication rulings in Hospital Website Pixel Cases yet. From a merits standpoint, hospitals may consider (a) whether patients consented to the use of analytics technology that was deployed, and to what extent; (b) whether the analytics technology was deployed on the online patient portal (as opposed to the public-facing website), as that is often not the case and may be case-dispositive; (c) whether state law prohibits the disclosure of the specific information that was allegedly disclosed; and (d) the precise information allegedly disclosed and to whom, among other considerations.
Mitigating the risk of a lawsuit
On July 10, 1962, NASA launched Telstar 1, the first active communications satellite linking Europe and the United States through live television transmission. Sixty-one years later, on July 10, 2023, the European Commission announced that it had adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF), the third attempt at creating a bridge across the Atlantic for transferring personal data from the European Union to the United States. The DPF re-establishes a popular legal mechanism for permitting personal data flows between these two major economic players, potentially alleviating business concerns for many while also addressing concerns about how U.S. intelligence agencies handle Europeans’ personal information. This long-awaited decision has been met with cautious optimism, and most companies should carefully consider whether and how to use this newly approved personal data transfer mechanism.
Sarah La Voi joins BakerHostetler’s Chicago office as a partner in the firm’s Digital Assets and Data Management Practice Group and a member of the Advertising, Marketing and Digital Media team. La Voi joins from WPP, where she served as general counsel, Commercial Legal and Business Affairs, Americas; her previous roles also include assistant deputy general counsel for Publicis Groupe and senior counsel for McDonald’s Corporation. La Voi brings nearly two decades’ worth of experience in commercial transactions and advertising law, including key competence in change management, corporate governance, commercial negotiations and data ethics.
On June 29, 2023, the Superior Court of California for the County of Sacramento (Court) issued a tentative ruling staying the California Privacy Protection Agency (Agency) from enforcing the California Consumer Privacy Act of 2018 (CCPA) regulations until one year after the final enactment of any individual regulation.
The Agency Was Required to Publish Final Regulations by July 1, 2022
The California Chamber of Commerce (Petitioner) argued that the California Privacy Rights Act of 2020 (CPRA) required the Agency to have published final regulations by July 1, 2022, per Cal. Civ. Code § 1798.185(d) (“the timeline for adopting final regulations … shall be July 1, 2022.”).
The Agency argued that the phrasing “timeline for adopting” in Cal. Civ. Code § 1798.185(d) is ambiguous, and the July 1, 2022 deadline is meaningless.
The Court agreed with Petitioner that the timeline for adopting the final regulations required by the Act was July 1, 2022: the term “shall” indicates a command, and nothing elsewhere in the Act’s text shows a contrary intent. Further, the Court indicated that the voters did not intend for the Agency to have unlimited time to ultimately pass the final regulations.
Texas, long lauded as one of the most “business-friendly” states, has passed a comprehensive privacy law that will bring new regulations to consumer personal data. The new Texas Data Privacy and Security Act (“TDPSA”), H.B. 4, was passed by the State Senate on May 10, 2023, was signed by Governor Greg Abbott on June 18, 2023, and will take effect on July 1, 2024.
The TDPSA is a comprehensive privacy law that was largely modeled on Virginia’s Consumer Data Protection Act (“VCDPA”), which went into effect on January 1, 2023. Similar to the VCDPA and other state privacy laws, the TDPSA aims to establish a comprehensive framework for the interaction between consumers and businesses regarding the privacy and security of personal data, with the goal of making consumer rights as effective as possible. Although one of the goals of the TDPSA is to maximize interoperability with other state privacy laws, there are key differences in definitions, provisions and exemptions that place the Lone Star State’s new law in a category of its own.
Guests Jerry Ferguson and Scott Kominers discuss NFTs and how they can create opportunities for brands in the marketplace with the help of some Really Awesome Raccoons.
On May 22, 2023, the New York City Department of Consumer and Worker Protection (“DCWP”) held an employer roundtable about Local Law 144, New York City’s law regulating the use of Artificial Intelligence in the employment context—specifically, automated employment decision tools (“AEDT”). With the July 5, 2023 enforcement date rapidly approaching, the DCWP addressed several open questions that remained after its issuance of the final rules, including the applicability of the AEDT law, bias audit data and notice requirements, and talent-sourcing AEDTs.
The DCWP additionally stated its intention to release FAQ guidance to assist employers with compliance. While no indication has been given as to when those FAQs will be released, the DCWP emphasized its intention to still begin enforcement on July 5.