Transparency In Privacy Notices
In Vita v. New England Baptist Hosp., __ Mass __, __ N.E.3d __, 2024 WL 4558621 (Mass. Oct. 24, 2024), the Massachusetts Supreme Judicial Court decided that website operators’ usage of third-party tracking software from companies like Meta and Google does not violate Massachusetts’s 1968 Wiretap Act. This decision primarily limits remedies for Massachusetts consumers seeking to prevent the sharing of their personal data with third parties without consent. However, both the majority and dissenting opinions offer crucial insights regarding privacy notices and suggest practical takeaways for Massachusetts businesses utilizing such third-party tracking software on their websites.
Overview of the Facts and Allegations
Plaintiff Kathleen Vita asserted, on behalf of herself and those similarly situated, that two Massachusetts hospitals collected, transmitted, and profited from her personal information without her consent. Vita v. New England Baptist Hosp., __ Mass __, __ N.E.3d __, 2024 WL 4558621 (Mass. Oct. 24, 2024) at *1. Vita’s complaint alleged that the hospitals’ websites contained privacy notices noting that the hospitals would protect the privacy of all visitors, allowing consumers to visit certain areas of the website without providing any identifying information. Id. at *11-*12. The privacy notices similarly noted that website activity would be collected for site improvement and analytics, but that such information would be aggregated, anonymized, and not shared with any other organizations except for law enforcement or other legal processes. Id. at *12. The notices further assured that some third-party tracking or sharing might occur, but that the logged information by the website server software was retained solely for security and data integrity purposes. Id. at *12-*13. However, Vita’s complaint alleged that these privacy notices did not capture the entire usage of the collected personal information. Id. at *8-*9.
Third-Party Data Collection
Vita’s complaint alleged that the hospitals collected (1) URLs of the webpages she visited, (2) the titles of those webpages, (3) data about her web browser and device configurations (e.g. her laptop screen’s resolution, device info, and browser settings), (4) unique tracking identifiers from third-party software providers, and (5) her IP address when Vita would search the hospitals’ websites for information regarding potential health care providers, symptoms, and medical conditions. Id. at *8-*9. The third-party software providers allegedly used the data to produce “browser fingerprints,” capable of identifying a particular individual with a certain combination of web browser settings. Id. at *9. The software providers then allegedly sold the profiles to merchants, who delivered targeted, personalized digital ads to consumers like Ms. Vita. Id. at *10-*11.
Privacy Notices Should Be Transparent
Both the majority and dissenting opinions had strong concerns regarding the alleged personal information sharing practices above. The majority noted that the lack of transparency surrounding the collection practices of the hospitals may cause actual harm to the plaintiffs, giving rise to other causes of action, while the dissent considered these practices to be undisclosed to the plaintiffs, with the actual usage of the collected information exceeding the scope of the information’s usage described in the privacy notices. Id. at *5, *40-*41, Dissent at *40-*42, *45-*46. The majority mentioned that the hospitals’ conduct (if proven to be true) would potentially violate common-law causes of action such as Massachusetts’s consumer protection statute, MA General Law c. 93A, which penalizes unfair or deceptive business practices. Id. at *45-*46.
A robust and accurate privacy notice might have mitigated the complaints noted in plaintiffs’ lawsuit. Though specific personal identifiers were not shared with third-party tracking analytics companies, enough indirect identifiers were captured and shared, which could create a profile attributable to a specific identifying address. The complaint asserts that the hospitals’ privacy notices did not disclose this transfer of indirect identifiers to these companies, which makes the privacy notice arguably misleading and not a full representation of the hospitals’ personal information collection policies.
Tips For Crafting Strong Privacy Notices
1. Clearly state what personal information is or is not collected.
Privacy notices should ideally outline all direct identifiers (names, phone numbers, and email addresses) along with indirect identifiers (such as URLs, browsing activities, and information about a person’s computer) being collected. For Massachusetts consumers, no specific rules govern what information being collected must be noted, but the California Consumer Privacy Act (and its update, the California Privacy Rights Act) categorizes “sensitive personal information” that may need to be listed for California consumers if your business is covered under the law.
2. Detail how personal information is collected.
Businesses should detail how personal information is collected on their website. If the website directly collects personal data, list how and when that data is collected (e.g. if a form is being filled out). If third-party tracking software is being utilized, note what information is kept by your organization and what information is being sent out to third parties.
3. Explain how personal information is being used.
After describing collection practices, there must be a specific description of how personal information is used. As shown in the Vita case, descriptions of personal information usage should be clearly noted in easily digestible formats. For instance, if personal information is being collected to target ads to website visitors, the privacy notice must clearly state such use and what collected information is being used for that purpose. This applies to all usages of personal information collected from a website, so routine mapping of the usage of website-collected personal information should be conducted to ensure that all personal information uses are appropriately captured and described in the privacy notice.
On the flip side, complete usage explanations may lead to some tough business decisions. Last year, savvy privacy policy readers noted an update to Zoom’s privacy policy stating that personal information would be randomly collected from Zoom meetings to train a new Zoom AI feature. The backlash from that usage led to Zoom dropping this (perfectly legal) usage of personal information. When contemplating a usage of collected personal information in a privacy notice, using such personal information in a way that does not frustrate targeted consumers is also recommended.
4. Say where personal information is going.
Privacy notices should contain descriptions of where personal information collected on a website gets sent. While general descriptions of where information is going are commonplace (i.e. “your personal information may be shared with third parties for marketing purposes”), there is an increasingly strong push to name the destinations of such personal information now. The EU’s General Data Protection Regulation requires that any entity or category of entities that receive personal information of a website visitor be listed in the website’s privacy notice. California’s CCPA/CPRA acts similarly require notice of processing of personal information and a list of categories describing third parties that will be receiving personal information of website visitors.
5. Tell users how personal information is protected.
When collecting personal information from users of a website, that information should be protected by a variety of security measures, such as keeping the collected information in a restricted-access database and encrypting that information, or otherwise making it inaccessible. These security measures should be described in privacy notices, but do not need to be so specific that the nature of the security measure is easily ascertainable.
6. Allow users to opt out of having their personal information processed and honor the request.
As a best practice, privacy notices should generally contain opt-out choices for website users who do not want their personal information collected, processed, or shared. These opt-out choices should be presented to the website user in very clear language (such as clearly stating “do not sell my personal information” in a pop-up on the website itself and presenting a checkbox that website users can toggle to “yes” or “no”). 19 US states have passed laws that provide a right for website users to opt out of having their personal information sold to a third party (if the website is subject to the applicable state privacy law), highlighting the growth of this trend. Additionally, if a website does contain an affirmative opt-out consent option, the user’s choice to opt out should be honored by the website when collecting personal information. Failure to do so could lead to an investigation from the affected consumer’s state attorney general.
7. Describe data retention practices.
The time period for maintaining collection of personal information should be clearly listed in privacy policies, and such personal information should be used only for the time frame written in the privacy policy.
8. Note where to send complaints/administrative details.
Privacy policies should specify where complaints related to the collection of personal information should go, including the contact information of the relevant department or person that will handle the complaint. These policies should outline the steps for handling a complaint, along with a short explanation on how the complaint will be resolved or, if necessary, appealed.
9. If applicable, include privacy requirements for children.
In many circumstances, there are specific laws that govern the collection and use of personal information from children. The federal Children’s Online Privacy Protection Act (COPPA), for instance, has very specific requirements for how personal information of teenagers between 13-18 and children under 13 is handled, so any website that may permit children under 18 to access the site should clearly state data processing practices as they relate to children.
10. If applicable, note data subject rights.
If personal consumer information is collected in a jurisdiction that has specific data subject rights (such as the European Union or the state of California), then those rights should be clearly explained in the website privacy notice. Data subject rights include the right to access data that is being collected by the website, the right to request correction(s) or deletion(s) of certain information, and to opt out of data processing activities.
Privacy policies should also have legal input from a qualified attorney or data privacy expert. If you have questions concerning the creation, review, or implementation of a privacy policy, please do not hesitate to reach out to us at H&M Law at info@hmlawco.com.
Authored by: Eric Mason