Ninth Circuit Affirms Dismissal of Complaint Against Facebook for Collection of Browsing Data

Data Privacy & Security Alert | Meghan C. O'Connor, Rachel H. Weiss and Sarah A. Erdmann

They see you when you’re sleeping, they know when you’re visiting health care-related websites… In December 2018, in the unpublished opinion in Smith v. Facebook, Inc., et al., a Ninth Circuit panel affirmed the dismissal of a complaint alleging that Facebook violated various federal and state laws when it collected and used its users’ browsing data, specifically data from visits to health care-related websites. The court affirmed the dismissal on the basis that Facebook users consented to Facebook’s data tracking and collection practices by agreeing to its terms of use and privacy policy (the "Terms and Policies"). The court also concluded that browsing data associated with health care-related websites does not constitute protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

District Court Suit: Users Consented to Facebook’s Tracking and Collection Practices.

The suit began in March 2016 (before the California Consumer Privacy Act was enacted) when Facebook users sought a preliminary injunction against Facebook and various health care-related websites (which had installed a Facebook plug-in that transmitted browsing data to Facebook) to stop Facebook from tracking certain browsing data, which they alleged included sensitive medical and personal information, in violation of various state and federal laws. The district court rejected the claims, basing its decision largely on the finding that Facebook users had consented to Facebook’s data tracking and collection practices.

Ninth Circuit Appeal: No Additional Consent Required; Browsing Data Does not Constitute PHI under HIPAA.

On appeal, the Facebook users did not dispute that they had accepted Facebook’s Terms and Policies but instead argued that they had not consented to the collection of health-related data, so the general consent did not apply. The Facebook users further argued that because the health care-related sites’ privacy policies promised not to share data with third parties, Facebook could not have obtained the Facebook users’ consent to the collection of this data. Finally, the Facebook users asserted that the collection of data from health care-related websites was subject to more stringent protections than other data collected by Facebook because the data constituted PHI under HIPAA.

The Ninth Circuit affirmed the lower court's ruling, explaining that Facebook users consented to Facebook’s data tracking and collection practices and that the collection of this specific browsing data is not so “qualitatively different” or “sensitive” as to require an additional consent. Specifically, the Ninth Circuit explained that the particular data at issue “show only that [the Facebook users] searched and viewed publicly available information that cannot, in and of itself, reveal details of an individual’s health state or medical history.” In addition, the health care-related sites’ privacy policies (promising not to share data with third parties) were not determinative for the Ninth Circuit, which found that Facebook’s terms and policies did not make such assurances. The court noted that Facebook is not bound by the privacy policies of third parties.

The Ninth Circuit explained that the browsing data (information available on publicly accessible websites) does not constitute PHI subject to HIPAA and state laws. Instead, the court drew a distinction between the browsing data and personally identifiable patient records and medical histories protected by HIPAA and California law. The Ninth Circuit elaborated stating that “the connection between a person’s browsing history and his or her own state of health is too tenuous to support [the Facebook users’] contention that the disclosure requirements of HIPAA . . . apply.”

Analysis: Well-Written Privacy Policy May Protect You

The outcome of this case rests almost entirely on the users’ acceptance of the Facebook Terms and Policies, specifically a provision consenting to the collection and use of data from public sites (even though those sites’ privacy policies allegedly represented that they do not share personal information with third parties). While we often assume that consumers ignore the content of such language, this case demonstrates the power of privacy policies and terms of use; it serves as a good reminder for consumer-facing entities to review their privacy policies and terms of use to confirm that they accurately and appropriately describe the entities’ data practices, including interaction with third-party websites and apps.

This case is also a good reminder for health care entities to assess their privacy policies and terms of use to confirm that they align with obligations under HIPAA (and other applicable federal and state laws governing confidentiality of health information) and with their institutional HIPAA compliance policies and procedures. In particular, health care entities should consider how their website/portal privacy policy and terms of use describe the tracking and collection of data, and make sure that actual practice is consistent with obligations under HIPAA and with their written policies.

The Ninth Circuit’s decision is short and sweet (a mere five pages) and is focused on the collection of specific data—browsing data—from publicly accessible websites. The decision does raise the question: at what point would such data (and other data collected by entities) constitute PHI (subject to HIPAA) or other personal information subject to more restrictive state law? PHI can be an expansive term, covering, among other things, device identifiers, web URLs, IP addresses, and a broad catchall for any other unique identifying number, characteristic, or code. It is not farfetched to imagine that such identifiers—(1) collected from an individual by, or created by, a health care provider/payer; and (2) relating to the provision of, or payment for, health care to that individual—could be used to identify the individual. At that point, the information constitutes PHI subject to HIPAA, and a HIPAA-compliant authorization is required for any use or disclosure of the data that the Privacy Rule does not otherwise permit (for example, for treatment, payment, or health care operations). The court’s focus on publicly available websites also raises the question: where is the line between browsing data collected on a provider/plan website and browsing data collected on a patient/member portal accessed via a public landing page, and would users (or the U.S. Department of Health and Human Services Office for Civil Rights) distinguish between the two?

As entities continue to incorporate data collection and tracking into consumer-facing and health care companies’ websites and apps, it is likely that continued litigation will help answer these questions. In the meantime, Facebook’s collection and use of browsing data will continue… you better watch out, you better not cry.