SLC: Web Tracking Does Not Violate Wiretap Act, But Businesses May Not Be Totally in the Clear
by Seth Berman and Natalia Peña
In a win for Massachusetts businesses and a blow to class action plaintiffs, the Supreme Judicial Court of Massachusetts (“SJC”) ruled in favor of two hospitals who were alleged in a civil complaint to have violated the 1968 Massachusetts Wiretap Act (the “Wiretap Act”). Vita v. New England Baptist Hospital, 494 Mass. 824 (2024), presented the SJC with a putative class action asserting that the hospitals’ use of common advertising technology software amounted to illegal interception of wire communications. The SJC held that the Wiretap Act did not extend to web browsing interactions not involving person-to-person communications. Though the suit targeted only hospitals, if the SJC had ruled in favor of the plaintiff, it likely would have opened the door to a wave of class action litigation against other Massachusetts organizations that use common web tracking tools such as Google Analytics or Meta Pixels. Despite finding in favor of the hospitals by refusing to interpret a 1968 statute as regulating twenty-first century web browsing, the Court acknowledged that plaintiff raised serious privacy concerns, but deemed it the legislature’s role to address these issues.
Case Background
Plaintiff, Kathleen Vita, filed separate lawsuits against New England Baptist Hospital and Beth Israel Deaconess Medical Center (collectively the “Hospitals”) alleging violations of the Wiretap Act. The Wiretap Act provides criminal and civil penalties for any aggrieved person whose communications are intercepted without authorization. Unlike most states, the Massachusetts Wiretap Act requires all parties to a communication to consent or at least have prior knowledge of any interception. G L. c. 272, § 99(B)(4). Violations of the Act are a criminal offense that can lead to a jail sentence. The Act can also be enforced through a private right of action. It provides a minimum liquidated damage amount for civil violations of $100 per day for each day of violation or $1,000, whichever is higher. Id. § 99(Q)(1). Thus, a class action lawsuit could generate potentially tens of millions of dollars in penalties against each hospital (as much as $1,000 for each visit to its website by a person in Massachusetts).
Plaintiff claimed the Hospitals violated the Wiretap Act by using software products like Meta Pixel and Google Analytics to record information about her website interactions without her knowledge or consent. These nearly ubiquitous website analysis tools provide organizations with insights into how their websites are used. They also transmit information about browsing activities to third parties, like Facebook and Google, who then may use the information for targeted advertising. The recorded browsing activities allegedly included plaintiff’s searches for public information on the website about doctors, specialties, and specific medical conditions, and her interactions with the website such as scrolling, clicking, navigating to specific pages, and selecting options on the Hospitals’ websites. Notably, plaintiff did not allege interception of any person-to-person communications.
Plaintiff claimed the Hospitals’ disclosures about the use of cookies and data collection policies were not sufficient to alert her to the tracking. As with many privacy policies, the Hospitals’ policies claimed that tracking data was collected anonymously and information about individuals was not shared with outside parties. Plaintiff asserted that these representations were inadequate to inform her of the interception because, as is true of many commercial websites, the Hospitals tracked not only aggregate users’ history of webpage visits, but for each user they correlated this information with data about the user’s browser and IP address, allowing the creation of “browser fingerprints,” which effectively allowed third parties to identify a specific individual’s browsing history.
Both Hospitals filed motions to dismiss, claiming that the Wiretap Act did not prohibit the recording of browsing activity as captured by advertising technology software. After a Superior Court judge denied the motions, the SJC granted direct appellate review.
The SJC’s Opinion
The SJC sided with the Hospitals, reversed the Superior Court’s denial of the motions to dismiss, and held that the Legislature did not clearly intend to include web browsing under the Wiretap Act. Consequently, the rule of lenity, which resolves ambiguities in criminal statutes in favor of defendants, required that the statute be read narrowly to exclude web browsing activity from its scope. Vita, 494 Mass. at 847-50.
The Court examined the statutory interpretation of “communication” and “interception” under the Wiretap Act, noting that neither the statute’s text nor dictionary definitions clearly define whether web browsing activities constitute “communication.” In fact, the statute defines “communication” in terms of the means of communication (in other words, how the communication occurs), such as in-person or over the phone, but it does not define what is required for an interaction to constitute a communication in the first place. Id. at 836. The Court found examples in the statute and case law that used “communication” to mean person-to-person messages, including in-person conversations, phone calls, and text messages, but not interactions solely between a person and a computer. Id. at 836-37. Thus, the fact that plaintiff’s allegations related entirely to accessing pre-generated content on a website and did not include any direct person-to-person communication meant that they did not fall within the express meaning of the statute.
The Court also reviewed the legislative history of the Wiretap Act, which revealed a focus on preventing the secret recording of private conversations, with no indication of extending protections to web browsing. Id. at 841-44. This legislative history showed the Legislature was particularly concerned about wiretapping and eavesdropping through the use of electronic “bugs” used to covertly record conversations in homes, businesses or over the telephone. The Court acknowledged that, at the time of the Wiretap Act’s enactment, neither the Internet nor any of the website tracking technologies existed. The Court noted, however, that there had been no legislative discussion about then-existing potential analogies to website analytics, such as television monitoring or tracking purchasing decisions. Id. at 843.
Though the Court ultimately dismissed Vita’s claims, it acknowledged serious privacy concerns raised by third-party tracking of web browsing, especially as it relates to medical information, and suggested these issues could be addressed by the Legislature. Id. at 827.
A dissenting opinion argued for a broader interpretation of the term “any communication” in the Wiretap Act. The dissent argued that the Act was meant to protect against modern electronic surveillance and, thus, it ought to provide recourse for web tracking privacy violations as alleged against the Hospitals. Id. at 852. The dissent criticized the majority for not recognizing the privacy implications of its decision, arguing that the Hospitals’ websites functioned as interactive platforms for private communication, akin to traditional communications. Id. at 863-64.
Takeaways
Vita was a win not only for the Hospitals named as defendants but for all Massachusetts businesses. Nothing in the Wiretap Act could be construed to limit its reach to hospitals or medical data. It seems likely that plaintiff’s attorneys targeted hospitals to test the Wiretap Act’s reach in the context of web browsing that seems most personal. After all, it feels like a more significant privacy violation for hospitals to track that a person was searching for medical information than it would for a car manufacturer to record a person’s search for mileage rating. However, under the Wiretap Act either both of these are interceptions or neither are; there is no basis for a middle ground that includes hospitals but excludes car manufacturers. Thus, had the plaintiff prevailed, virtually all Massachusetts organizations with public websites could have faced similar claims.
Vita was also an important decision for maintaining the competitiveness of Massachusetts’ businesses. The Wiretap Act is generally not thought to have extraterritorial jurisdiction. In other words, it likely only applies if both sides of the communication occur in Massachusetts. Had the SJC found the person-to-website interactions to be “communications” under the Wiretap Act, companies based in Massachusetts would have faced lawsuits brought by people in Massachusetts, while their out-of-state competitors engaging in the same conduct would likely have avoided liability under the Act.
The Massachusetts business community should not interpret this decision as immunizing the use of tracking software. Just because the Wiretap Act cannot be used to enforce privacy violations, businesses are not free to do as they want. The Court highlighted that other statutory and common-law remedies exist for false or deceptive internet activities. These include negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and right to privacy actions. Under G L. c. 93A, deception or misrepresentation, such as in a privacy policy, might also form the basis of a claim. Further, there are laws that specifically protect a patient’s medical information, which might be implicated for these or other hospitals. Of note, plaintiff has moved to amend her complaint, asserting that the Federal Wiretap Act, 18 U.S.C. § 2511(2)(d), covers this conduct. Finally, businesses should remain focused on the Legislature which has been considering various proposals for a comprehensive privacy law, that would bring Massachusetts in line with many other states including our neighbors in Connecticut, New Hampshire and Rhode Island.
Seth Berman is a partner at Nutter, McClennen & Fish, LLP where he leads the firm’s Privacy and Data Security practice group and is a member of the firm’s White Collar Defense practice group.
Natalia Peña is a litigation associate at Nutter, McClennen & Fish, LLP and a member of the firm’s Business Litigation, Securities Enforcement and Litigation, and Labor and Employment Litigation practice groups. Seth, Natalia, and colleagues represented amicus the Greater Boston Chamber of Commerce in Vita v. New England Baptist Hospital.
