The Massachusetts Supreme Judicial Court, in Kathleen Vita v. New England Baptist Hospital, has sparked significant debate by ruling that the state’s Wiretap Act (G. L. c. 272, § 99) does not apply to website tracking software.

The case centered on allegations that two hospitals, New England Baptist Hospital and Beth Israel Deaconess Medical Center, Inc., violated the state’s Massachusetts Wiretap Act by using undisclosed tracking software, such as Meta or Google’s pixels, to collect and disclose patients’ private health information. The court ultimately reversed the lower court’s denial of the hospitals’ motions to dismiss, finding the statute ambiguous in this context and applying the rule of lenity in the hospitals’ favor.

Background Facts

Kathleen Vita alleged that the hospitals “intercepted” her communications by tracking her activity on their websites. This tracking included information like information about doctors (including their credentials and backgrounds), search for information on particular symptoms, conditions, and medical procedures, the URLs visited, webpage titles, browser and device configurations, unique identifiers used by third-party software, and IP addresses. Vita further alleged that the hospitals collected data on user scrolling, clicking, form navigation (including department selection but excluding form contents), search terms, “Find a Doctor” filtering criteria, navigation to billing and patient portal pages (excluding the contents within the portal), and login/signup activity. Critically, she asserted that this information was shared with third parties without her consent and used to create unique “browser fingerprints” for the purpose of targeted advertising.

The hospitals included a pop-up message on their websites disclosing, “We use cookies and other tools to enhance your experience on our website and to analyze our web traffic.” The pop-up messages linked to privacy policies that reassured users as follows:

“[the hospital] is committed to protecting your privacy. The [hospital’s] website allows you to visit most areas without identifying yourself or providing personal information. For those areas where you elect to provide identifiable information, we assure you that we make every effort to protect your privacy.”

The hospitals also disclosed that they “routinely gather[ed] data on website activity, such as how many people visit the site, the pages they visit, where they come from, how long they stay, etc.,” to “improve site content and overall usage.” However, they claimed that this information is not shared with other organizations. The privacy policies disclosed some third-party data tracking or sharing of “default information” including “date and time, originating IP address and domain name . . . object requested, and completion status of the request.”

The Ambiguous Meaning of “Communication”

§ 99 C1 of the Wiretap Act makes it a crime to “willfully commit an interception, attempt to commit an interception, or procure any other person to commit an interception or to attempt to commit an interception of any wire or oral communication.” (Emphasis added.)

§ 99 B 1 defines “Wire communication” as “any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception” while § 99 B 2 defines “oral communication” as “speech, except such speech as is transmitted over the public air waves by radio or other similar device.” Notably, the majority opined that these clauses do not define the word “communication,” but rather the means or method of “communication” — i.e., wire or oral.

After delving into the Wiretap Act’s text, legislative history, and case law, the court ultimately found that “nothing in the text of the statute makes unambiguously clear that the Legislature intended to reach so far as to criminalize the secret recording of such web browsing activities.” The court reasoned that while the statute anticipates evolving technologies, its legislative history emphasizes person-to-person communications rather than interactions with a website. The law highlights concerns about eavesdropping on private conversations through hidden devices or telephone line taps, a far cry from the web analytics at issue in this case.

“[N]othing in the text of the statute makes unambiguously clear that the Legislature intended to reach so far as to criminalize the secret recording of such web browsing activities.”

Due to the ambiguity in the statute’s wording, the court applied the rule of lenity, resolving the doubt in favor of the defendants. This principle was found to be particularly relevant given the Wiretap Act’s criminal penalties, which include imprisonment of upto five years. The court stated that if the Legislature intended the act to cover the tracking of website browsing for advertising, it should explicitly state so.

The court also emphasised that Vita alleged the intercepted communications as being between Vita and each hospital’s website, not between Vita and hospital personnel, noting that the outcome may be different if the latter was alleged. Further, the court pointed to other avenues available to address the plaintiff’s privacy concerns, such as statutes and common-law causes of action regarding the handling of confidential information.

Dissenting Opinion

Justice Wendlandt disagreed with the majority opinion, arguing that the Wiretap Act’s use of “any communication” clearly encompasses the interactions between Vita and the hospitals’ websites. The dissent emphasized the interactive nature of the websites, likening them to a virtual customer service representative. He argued that the hospitals’ disclosures regarding data collection were misleading, as they did not adequately reveal the extent of third-party tracking. Justice Wendlandt further contended that the legislative intent, as expressed in the Wiretap Act’s preamble, was to protect privacy against evolving surveillance techniques, including the type of website tracking at issue.

Key Takeaways

The Vita decision highlights the challenges of applying a statute drafted in the pre-internet era to modern online activity. The application of the rule of lenity emphasizes the court’s reluctance to impose criminal penalties for conduct not explicitly proscribed by the statute. However, the court acknowledged the privacy concerns raised by the plaintiff, and emphasized the existence of other legal avenues, such as common-law claims and consumer protection statutes, to address these issues.

You can read the court’s judgement here: Kathleen Vita v. New England Baptist Hospital (and a consolidated case), SJC-13542 (Oct. 24, 2024)