Recent decisions from New York and around the country suggest that courts are continuing to take online privacy violations quite seriously.

The new decisions involve pixel tracking, a surreptitious practice of placing tiny, invisible pictures (pixels) on emails or websites, including those sent or used by healthcare organizations, banks, family planning centers, and other sensitive businesses and service providers.  The intention is often to traffic in private data without consumer consent, and to track user behavior.

Meta Pixel is a one pixel tracking tool maintained by Meta (formerly known as Facebook) to give it access to what consumers are doing even when they are not logged into Facebook, Instagram, etc. and have no intention of sharing a deeply private matter with Meta and its legions of advertisers, data brokers, and sometimes leaky apps.

A 2024 Decision on Meta in the Health Care Sector

One court addressed surreptitious pixel tracking by hospitals or outpatient medical centers.  This causes consumers serious concerns and even distress about the damage to their health care privacy and threats to their financial and medical data.  The collection of this data has led to many breaches and harms in the past, and the loss of value of personal data, which can lose its utility by being leaked. 

Victims of pixel tracking have looked to the U.S. Wiretap Act, which regulates the interception of electronic communications.  It gives a right to sue those who obtain  unauthorized access to electronic communications, consent, access “in violation of the laws of the United States and New York” of some other state.

One law that regulated health care pixel violations is the Health Insurance Portability and Accountability Act (“HIPAA”).  This law bans health care centers or hospitals from  knowingly sending individually identifiable health information without authorization to another entity like Meta, “with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.” 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.103.  The information may be about past or future appointments, diagnoses, tests, or payments, and about physical or mental health.

Courts hearing cases about Mount Sinai and University of Rochester health facilities have condemned “as a crime under 42 U.S.C. § 1320d-6” acts such as “ knowingly disclosing [individually identifiable health information] without authorization for marketing purposes.”  The court in the Mount Sinai case added that the facility “disclosed Plaintiffs’ names, emails, computer IP addresses, device identifiers, web URLs, and the days on which they sought treatment, as well as the services they selected, and their patient statuses, medical conditions, treatments, and provider and appointment information.”  Facebook traditionally uses engagement with other users on its apps, or websites with whom it has relationships such as “Like” buttons, to tailor advertising to users.  However, the court in Mount Sinai’s case distinguished using Instagram or Facebook from using a hospital website or medical app: “Information available on publicly accessible websites stands in stark contrast to the personally identifiable patient records and medical histories protected by [federal law]—information that unequivocally provides a window into an individual’s personal medical history.”

A Decision on TikTok and Contraception Providers

Another court issued a similar decision to the one involving Mount Sinai, except that the decision was issued in another state.  The court stated, as to the use of a TikTok Pixel to send personal data to TikTok from a birth control and emergency contraception provider, that not only did TikTok know which provider consumers visited, but “TikTok knows [of they] sought specific healthcare products and services while on [a] site. That is fundamentally different.”  The difference is the sensitivity of the information.

Retailers and Session Replay Software That Shares Web Form Interactions

State wiretapping laws, such as those in Pennsylvania, have also come into play.  Such laws erect further barriers and prohibitions relating to electronic surveillance and intrusion into private communications, including those on websites as opposed to email. 

For example, one court heard a case relating to a non-health store using “session replay” software in violation of wiretapping laws.  The court ruled that a store could potentially intercept its own communications with customers by providing stored communications, or snapshots of them, to third parties.  The ruling paved the way for further proceedings on the store’s defenses, and statutory damages of potentially thousands of dollars.

Contact a New York Consumer and Employment Lawyer Today

These are just a few examples of the protections enjoyed by persons who may be experience interception of their digital communications, under federal and state law.  For more specific information geared to your situation, contact an attorney at Leeds Brown Law to see if you have a legal claim or claims.

Our efforts have resulted in millions of dollars in monetary and non-monetary compensation for consumers and employees throughout New York City and Long Island.  We can help answer your questions and evaluate your potential claim.

A free consultation can help you understand your rights and take action to protect them, including by contacting human resources or the government.