Greetings CIPAWorld!
I’m back with the latest scoop on a fascinating case! In St. Aubin v. Carbon Health Technologies, Inc., the United States District Court for the Northern District of California recently analyzed a claim under the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq., in the context of alleged interceptions of medical data by third-party tracking technologies. See St. Aubin v. Carbon Health Technologies, Inc., 2024 U.S. Dist. LEXIS 179067 (N.D. Cal. Oct. 1, 2024). This is a hot-button issue right now, especially as digital privacy concerns continue to rise.
The Court’s opinion offers valuable insights into how CIPA claims are evaluated, particularly regarding digital privacy issues and third-party tracking technologies. So, what’s the breakdown? Let’s dive into the factors step by step.
CIPA imposes liability for unauthorized interceptions of communications under four main theories set out in subsection (a) of § 631:
1) where a person “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument”;
2) where a person “willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit”;
3) where a person “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained”; and
4) where a person “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above.”
See Cal. Penal Code § 631(a).
Here, the Plaintiff in Carbon Health alleged a violation under the fourth theory—essentially, that Carbon Health conspired with third parties to intercept patient data. However, the Court began by analyzing underlying violations under the first and second theories, which the fourth theory relies on.
The Court quickly rejected the first theory of CIPA liability (unauthorized “tapping” of a “telegraph or telephone wire”), finding it did not apply to internet communications.
In Swarts v. Home Depot, Inc., 689 F. Supp. 3d 732, 743 (N.D. Cal. 2023), the Court explained that the statute’s plain terms limit it to “transmissions related to ‘telegraph or telephone technologies.’” This makes sense given CIPA’s concerns about wiretapping. Although some courts have considered applying the first clause to internet data, the Court here joined the growing number of decisions restricting it to phone and telegraph communications. The bottom line? CIPA’s first clause is staying in its lane.
Here is where things get interesting. Under the second clause of CIPA § 631(a), which prohibits unauthorized interception of the “contents or meaning” of a communication, the parties disputed whether website URLs transmitted to Facebook and Google conveyed “content” under the statute. In re Zynga Privacy Litigation supplies the framework, explaining that “a user’s request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” In re Zynga Privacy Litig., 750 F.3d 1098, 1108-09 (9th Cir. 2014).
However, Zynga held that basic URL data like identification and address information would not qualify. Id. The critical question is whether the URL itself contains “a search term or similar communication made by the user.” Id.
With this in mind, the Court found Plaintiff’s allegations that Carbon Health transmitted detailed URLs revealing her medical appointment reasons and symptoms to be more like the content-heavy search terms in Zynga than generic website information. By pleading that the URLs contained information about her specific health conditions and planned treatments, Plaintiff sufficiently alleged the interception of “content” under CIPA. Take note: if URLs reveal enough detail, they can be considered protected content under the law.
Beyond just the “content” question, the Court also considered whether the alleged interceptions occurred while the communications were “in transit,” as required by CIPA’s second clause.
The Court explained that under Valenzuela v. Keurig Green Mountain, Inc., 674 F. Supp. 3d 751, 758-59 (N.D. Cal. 2023), CIPA requires an interception to occur “contemporaneous[ly] with the sending or receipt of the message.” This means timing is everything—any delay between the transmission and interception could disqualify the claim.
While acknowledging that a plaintiff is “not required to allege how and when their communications are captured” at the pleading stage, In re Vizio, Inc. Consumer Priv. Litig., 238 F. Supp. 3d 1204, 1228 (C.D. Cal. 2017), the Court found Plaintiff’s allegations sufficient as to Facebook’s tracking, which she claimed intercepted her communications “concurrent[ly]” via an “automatic[] and secret[]” process. Basically, the Court was satisfied that Facebook’s tracking technology was set up to intercept data in real time, meeting the ‘in transit’ requirement.
However, regarding Google’s tracking, the Court found that Plaintiff did not allege with enough specificity how Google intercepted her communications at the exact moment they were being transmitted. As a result, the Court granted leave to amend the complaint to cure this deficiency.
So, what’s the deal, and why do I find it fascinating? Well, it demonstrates that courts are increasingly grappling with how to sensibly apply CIPA’s provisions to online tracking that may compromise digital privacy. There is an ongoing tension between online data-sharing practices and user privacy rights, especially in sensitive areas like medical information.
The clear takeaway for health tech companies is that their data practices and relationships with third-party trackers, advertisers, and analytics providers are coming under increasing scrutiny. If you’re in the healthcare business, you must ensure that data-sharing practices are compliant, transparent, and consent-based.
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!