Massachusetts Supreme Court Takes a Closer Look at Wiretap Laws, Potentially Narrowing Privacy Actions

The Massachusetts Supreme Judicial Court recently issued an important ruling in Vita v. New England Baptist Hospital et al., addressing whether tracking a user’s activities on a website and sharing that data with third parties constitutes intercepting communications in violation of the state’s 1968 Wiretap Act (the “Act”). In dismissing the plaintiff’s statutory claims, the court emphasized that it is the responsibility of the legislature – and not the court – to address gaps in statutory protections related to privacy and modern tracking technologies, highlighting that as technology and any corresponding digital privacy concerns evolve, legislative frameworks must be modified to adapt accordingly.

Plaintiff Kathleen Vita claimed that New England Baptist Hospital and Beth Israel Deaconess Medical Center violated the Act by “intercepting” communications without her consent or knowledge through the use of tracking tools on their websites. Specifically, the plaintiff alleged that the hospitals used third-party software to record her activity when she browsed the hospitals’ websites to obtain information about doctors, search for information about medical symptoms and other healthcare-related issues, and obtain and review medical records. The plaintiff alleged that the hospitals then shared this data with third parties that processed the data for targeted advertising campaigns tailored to the individual user’s data. The court concluded that although the web tracking practices raised valid privacy concerns, these issues fell outside the scope of the Act, which was enacted to prohibit secret electronic eavesdropping on person-to-person conversations or messaging. In reaching this conclusion, the court found that the term “communication” in the Act was ambiguous as applied to the plaintiff’s interactions with the websites, and the Act’s legislative history did not provide a basis for extending the scope of the Act beyond person-to-person communications, such as to encompass a person’s interaction with a website. Thus, the court dismissed the plaintiff’s claims for violation of the Act.

This ruling highlights how interpretations of the term “communication” can lead to diverging outcomes in wiretap cases. For example, California’s Invasion of Privacy Act (CIPA) specifically prohibits the intentional interception or recording of any “confidential communication” without the consent of all parties involved, and California courts have interpreted “communication” more expansively to include digital interactions. Unlike the Massachusetts Act, which was narrowly focused on traditional, person-to-person communications, the CIPA has been applied to protect one-way recordings (Gruber v. Yelp Inc.) and internet communications (Javier v. Assurance IQ, LLC).

It is important to note that the court also rejected the hospitals’ claim that the plaintiff and other website users had actual knowledge of the data collection and sharing practices through disclosures found in the website cookie banner and privacy policy. Specifically, the hospitals claimed that they had disclosed the use of third-party tracking technology and third-party data sharing by various express disclosures, including “We and our Third Party Service Provider collect and save the default information customarily logged by worldwide web server software.” After briefly reviewing these disclosures, both the majority and the dissenting opinions determined that the hospitals’ disclosure of website data collection and sharing practices was misleading, did not adequately reveal the extent of third-party tracking, and concealed the targeted advertising arrangements with third parties.

The Massachusetts Supreme Court’s ruling reinforces the limitations of legacy privacy laws in addressing new technologies and serves as a critical reminder that as digital privacy concerns evolve, so too must the legislative framework. The court’s opinion also emphasizes the importance of accurate and complete disclosures in privacy notifications and cookie banners; although not definitive shields against legal action, accurate and complete disclosures can play a helpful role for a defendant against allegations of improper tracking, collection, and sharing of user data.

You may also like...