Ninth Circuit Affirms Dismissal of Complaint Against Facebook for Collection of Browsing Data
Data Privacy & Security Alert 01/07/19 Meghan C. O'Connor, Rachel H. Weiss and Sarah A. Erdmann
District Court Suit: Users Consented to Facebook’s Tracking and Collection Practices.
The suit began in March 2016 (pre-California’s Consumer Privacy Act) when Facebook users sought a preliminary injunction against Facebook and various health care-related websites (that had installed a Facebook plug-in to transmit browsing data) to stop Facebook from tracking certain browsing data, which they alleged included sensitive medical and personal information, in violation of various state and federal laws. The district court rejected the claims, basing its decision largely on the fact that Facebook users consented to Facebook’s data tracking and collection practices.
Ninth Circuit Appeal: No Additional Consent Required; Browsing Data Does Not Constitute PHI under HIPAA.
On appeal, the Facebook users did not dispute that they accepted Facebook’s Terms and Policies but instead argued that they did not consent to the collection of health-related data and so the general consent was not applicable. The Facebook users further argued that because the health care-related sites’ privacy policies promised not to share data with third parties, Facebook could not have obtained the Facebook users’ consent to the collection of this data. Finally, the Facebook users asserted that the collection of the data from health care-related websites was subject to more stringent protections than other data collected by Facebook because the data constituted PHI under HIPAA.
The Ninth Circuit affirmed the lower court's ruling, explaining that Facebook users consented to Facebook’s data tracking and collection practices and that the collection of this specific browsing data is not so “qualitatively different” or “sensitive” as to require an additional consent. Specifically, the Ninth Circuit explained that the particular data at issue “show only that [the Facebook users] searched and viewed publicly available information that cannot, in and of itself, reveal details of an individual’s health state or medical history.” In addition, the health care-related sites’ privacy policies (promising not to share data with third parties) were not determinative for the Ninth Circuit, which found that Facebook’s terms and policies did not make such assurances. The court noted that Facebook is not bound by the privacy policies of third parties.
The Ninth Circuit explained that the browsing data (information available on publicly accessible websites) does not constitute PHI subject to HIPAA and state laws. Instead, the court drew a distinction between the browsing data and personally identifiable patient records and medical histories protected by HIPAA and California law. The Ninth Circuit elaborated stating that “the connection between a person’s browsing history and his or her own state of health is too tenuous to support [the Facebook users’] contention that the disclosure requirements of HIPAA . . . apply.”
The Ninth Circuit’s decision is short and sweet (a mere five pages) and is focused on collection of specific data—browsing data—from publicly accessible websites. The decision does raise the question—at what point would such data (and other data collected by entities) constitute PHI (subject to HIPAA) or other personal information subject to more restrictive state law? PHI can be an expansive term, covering, among other things, device identifiers, web URLs, IP addresses, and a broad catchall for other unique identifying numbers, characteristics, or codes. It is not farfetched to imagine that such identifiers—(1) collected by an individual or created by a health care provider/payer; and (2) relating to the provision/payment of health care to an individual—could be used to identify an individual. At such point, that information constitutes PHI subject to HIPAA, and a HIPAA-compliant authorization is required for use and disclosure of such data. The court’s focus on publicly available websites also raises the question—where is the distinction between browsing data collected on a provider/plan website versus a patient/member portal accessed via a public landing page, and would users (or the U.S. Department of Health and Human Services Office for Civil Rights) distinguish between the two?
As entities continue to incorporate data collection and tracking into consumer-facing and health care companies’ websites and apps, it is likely that continued litigation will help answer these questions. In the meantime, Facebook’s collection and use of browsing data will continue… you better watch out, you better not cry.
For questions about this update, please contact:
- Meghan O’Connor at (414) 277-5423/[email protected]
- Rachel Weiss at (414) 277-5829/[email protected]
- Sarah Erdmann at (414) 277-5512/[email protected]
- or your Quarles & Brady Health Information Technology, Privacy & Security attorney.