Blog

Lawsuit Over Patient Portal Trackers Overcomes Motion to Dismiss

Julie Rubash, General Counsel and Chief Privacy Officer
July 15, 2024
July 15 - Lawsuit Over Patient Portal Trackers Overcomes Dismissal in California

USA

Lawsuit Over Patient Portal Trackers Overcomes Motion to Dismiss

A California District Court denied, in part, the County of Santa Clara’s motion to dismiss a lawsuit (Case 3:23-cv-04411-WHO), alleging that tracking pixels on the County’s medical center websites and patient portal forwarded sensitive information to third parties, including Meta and Google. Notably, the court found that privacy disclosures on the website did not explicitly disclose the sharing of PII or PHI to third parties for those third parties’ own use and that there was no evidence the patients consented to such privacy disclosures or agreed to liability waivers “by some affirmative act demonstrating assent” at the time of account creation, thus barring any consent and waiver defenses to the plaintiff’s privacy and breach of contract claims.

TAKEAWAY

This and a multitude of recent similar cases based on third-party tracking pixels highlight the importance of having ongoing processes in place to scan for, identify, and understand every third-party cookie, pixel and tracker on an organization’s website or service, and to ensure that proper disclosures and consent are in place, particularly when sensitive data may be involved.

Understanding your organization’s privacy and the tracking technologies is vital to avoid unexpected regulatory penalties. Learn more about the latest data privacy audits and Consent Management Platforms (CMP) disclosure features from Sourcepoint.

EUROPE

Advocacy Group noyb Files GDPR Complaint Against AdTech Xandr

Noyb announced its filing with the Italian Data Protection Authority (Garante) of a complaint alleging violations of the data minimisation, accuracy and user rights provisions of the GDPR. Specifically, the complaint alleges that Xandr processes an unnecessary amount of often conflicting data to achieve the purpose of ad targeting and personalisation and that Xandr actively hinders the exercise of user rights to access and erase their data.

IN THE WEEDS

Noyb’s accuracy and data minimization arguments are based on articles 5(1)(d) GDPR, which states, in part, that personal data shall be “accurate and, where necessary, kept up to date”, and 5(1)(c) GDPR, which states that data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Noyb argues that Xandr’s ad targeting segments are based on inferences of users’ interests and habits based on “a huge amount of conflicting information”, which do not enable advertisers to bid on ads in an accurate way, thus eliminating any personalisation benefit consented to by the user and defeating the purpose of targeted advertising.

Noyb also alleges that Xandr cannot rely on the exception to data subject rights in GDPR stating that controllers shall not refuse to act on the request of the data subject “unless the controller is not in a position to identify the subject subject”. Specifically, noyb alleges that the complainant provided Xandr with the value of a Xandr cookie that uniquely identifies him, the URL of the website where the cookie was set and the date of the visit, which “enable Xandr to single out a specific user and to ascertain that the latter is not pretending to be someone else”, but that Xandr refused to act on the complainant’s request.

Dialog from Sourcepoint enables the accurate and up-to-date management of your user’s consent. Learn more about Dialog.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

New Privacy Requirements Took Effect October 1 In Three States

October 7, 2024

New Privacy Requirements Took Effect In Montana, Maryland &...

[WEBINAR] Consent is not enough: Protecting against new U.S. privacy litigation risks

October 2, 2024

Join Sourcepoint and privacy litigation expert Matthew Pearson, Partner...

How Haymarket Uses Sourcepoint to Manage Vendor Compliance

October 1, 2024

Haymarket sought to elevate their level of compliance by...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]