Federal Wiretap Law: Illinois Court Rejects Claim Against Hospital Deployment of Web Analytics Tools Mannat, Phelps & Phillips, LLP

Wireless claims have been made of Attention to the privacy plaintiff bar. These cases are everywhere, and the hospital industry in particular has been embroiled in recent filings (with up to a dozen new asserted class actions per day). Wireless laws have a long history in the civil and cyber worlds, dating back largely to the 1960s. Applying outdated laws and case law to modern technology is often a challenge. And that’s a recurring theme in the realm of privacy litigation—much of the impetus for new state privacy laws (such as the CCPA, Virginia’s CPDA, and Illinois’ BIPA) is a chance for the plaintiff bar to project old theories and claims. New technology. These laws are in favor of judicial frustration.

Wiretap Act. Many of these recent cases involve claims for violations of the federal wiretap statute as well as state wiretapping laws, sometimes based on the plaintiff’s state of residence and other times the state in which the website operator or defendant is based. This is often the starting point of contention: which of these wiring rules apply to whom. Importantly, federal wiretapping laws and each state’s wiretapping laws can differ in meaningful ways. For example, Illinois differs from California, Alabama from New York, and Connecticut from Massachusetts. Of relevance here, the federal wiretapping statute generally prohibits the interception of electronic communications by another party without the consent of one party, and even then the interception may not be for purposes of criminal or malicious conduct. look out 18 USC §§ 2511(1)(a), (c)-(d), (3)(a)..

Illinois federal court decision. A recent decision by the US District Court for the Northern District of Illinois illustrates this point. In a class action lawsuit against a Chicago hospital, the plaintiff alleges that the hospital consensually and fraudulently included third-party code on its website and patient portal in violation of the federal wiretapping statute and various state and tort laws. Plaintiff claims this code is invisible to website and portal users and allows personally identifiable patient data to be transferred to social media and adtech companies for advertising purposes. This follows other recent lawsuits alleging that plaintiffs use website performance and adtech tracking mechanisms (such as cookies, pixels, or web beacons) or generally other third-party material to collect personal information and share that information with others without their knowledge or consent. Visit the website. For example, this plaintiff claims that when a user clicks on a hospital’s “schedule your appointment now” button, the hospital “transmits the patient’s personally identifiable information and redirects the patient’s click content.” Schedule your appointment button for third party social media companies now.

In its denial of the motion, the court held that there was no interception of the defendant hospital’s communications in violation of the federal wiretapping statute: “It shall not be unlawful under this chapter.” [i.e., the Federal Wiretap Act] Unless a person acting under color of law is a party to a communication to intercept a wire, oral or electronic communication, or such communication is intercepted unless one of the parties to the communication has given prior consent. With intent to commit any crime or tort in violation of the Constitution or laws of the United States or any state.

On its motion to dismiss, the court held that there was no interference with the defendant’s hospital being a party to the communications in violation of the federal wiretapping statute. Examining what the court described as a split between the First, Seventh and Ninth Circuit Courts and the Third Circuit, the court found the hospital sued under the federal wiretapping statute for interception of communications. In doing so, the Court considered the criminal or nuisance nature of the federal wiretapping statute and concluded that the gratuitous transmission of metadata or website activity is not a criminal or nuisance activity.

The court summed up the question nicely—the plaintiff violated the federal wiretapping statute:

Any person who—(a) knowingly intercepts, attempts to intercept, or procures the interception of, or procures the interception of, any wire, oral, or electronic communication” (among other things) may be subject to civil penalties; 18 USC § 2511(1)(a), (5)(a)(ii). The same applies to any person who intentionally discloses or uses, or attempts to disclose or use, the content of the intercepted communication. 18 USC § 2511(1)(c), (d). Section 2511(2)(d) of the Act provides an exception if the person objecting to the relationship “is a party to the relationship or one of the parties to the relationship has given prior consent to such intervention.” This so-called “party exception” does not apply if “the communication is intercepted in violation of the constitution or laws of the United States or any state to commit any crime or tort.” 18 USC § 2511(2)(d). Additionally, section 2511(3)(a) provides that “a person or entity Providing electronic communication services to the public It must not intentionally disclose the content of any communication. . . When the Service is transferred from the recipient of the address or the recipient of such communication to another person or entity. . . He said. 18 USC § 2511(3)(a) (emphasis added).

According to this court, the Third Circuit held that the defendant was necessarily “one of the parties” to the purported communication and that the interruption of the communication was protected by the parties.

This court disagreed with the Ninth Circuit’s interpretation of the parties. Although Plaintiffs relied heavily on recent guidance from the Department of Health and Human Services (HHS) to argue that online tracking technologies may violate HIPAA, the Court agrees with Defendant that the regulatory guidance (whether applicable or not, the Court does not decide). “It only concerns the future.” Meaning, the court will examine the technical aspects of the case and find that “the hypotheses presented by [plaintiff] It seems to show only what happens when an individual – patient or not – clicks on certain areas [defendant’s] Public website. [Plaintiff] It does not describe what patient data looks like when disclosed. [] The patient entered her [online] Portal and navigate through it.

The court then found that the defendant hospital was not a provider of “electronic communication services” as contemplated in the Federal Wiretap Act, simply because it licensed the software in the ordinary course of business; Instead, the company that provides the software for patient portal services or the software itself falls into that category. Ultimately, the court dismisses four of the five counts in the complaint (including a claim for violation of the Illinois Consumer Protection Act) pending only the plaintiff’s claim for violation of the Illinois Deceptive Trade Practices Act.

Why is this important? More lawsuits are coming; Prepare yourself immediately. And more innovation and reliance on websites and the Internet to deliver your goods and services will lead to many complaints, especially in the healthcare sector, as seen here. Legal teams must closely review their organization’s website activity and functionality, review and update their organization’s privacy and security statements, and understand and mitigate their organization’s risks.