Lawsuit Over Patient Portal Trackers Overcomes Motion to Dismiss

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Lawsuit Over Patient Portal Trackers Overcomes Motion to Dismiss

A California District Court denied, in part, the County of Santa Clara’s motion to dismiss a lawsuit (Case 3:23-cv-04411-WHO), alleging that tracking pixels on the County’s medical center websites and patient portal forwarded sensitive information to third parties, including Meta and Google. Notably, the court found that privacy disclosures on the website did not explicitly disclose the sharing of PII or PHI to third parties for those third parties’ own use and that there was no evidence the patients consented to such privacy disclosures or agreed to liability waivers “by some affirmative act demonstrating assent” at the time of account creation, thus barring any consent and waiver defenses to the plaintiff’s privacy and breach of contract claims.

TAKEAWAY

This and a multitude of recent similar cases based on third-party tracking pixels highlight the importance of having ongoing processes in place to scan for, identify, and understand every third-party cookie, pixel and tracker on an organization’s website or service, and to ensure that proper disclosures and consent are in place, particularly when sensitive data may be involved.

Understanding your organization’s privacy and the tracking technologies is vital to avoid unexpected regulatory penalties. Learn more about the latest data privacy audits and Consent Management Platforms (CMP) disclosure features from Sourcepoint.

EUROPE

Advocacy Group noyb Files GDPR Complaint Against AdTech Xandr

Noyb announced its filing with the Italian Data Protection Authority (Garante) of a complaint alleging violations of the data minimisation, accuracy and user rights provisions of the GDPR. Specifically, the complaint alleges that Xandr processes an unnecessary amount of often conflicting data to achieve the purpose of ad targeting and personalisation and that Xandr actively hinders the exercise of user rights to access and erase their data.

IN THE WEEDS

Noyb’s accuracy and data minimization arguments are based on articles 5(1)(d) GDPR, which states, in part, that personal data shall be “accurate and, where necessary, kept up to date”, and 5(1)(c) GDPR, which states that data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Noyb argues that Xandr’s ad targeting segments are based on inferences of users’ interests and habits based on “a huge amount of conflicting information”, which do not enable advertisers to bid on ads in an accurate way, thus eliminating any personalisation benefit consented to by the user and defeating the purpose of targeted advertising.

Noyb also alleges that Xandr cannot rely on the exception to data subject rights in GDPR stating that controllers shall not refuse to act on the request of the data subject “unless the controller is not in a position to identify the subject subject”. Specifically, noyb alleges that the complainant provided Xandr with the value of a Xandr cookie that uniquely identifies him, the URL of the website where the cookie was set and the date of the visit, which “enable Xandr to single out a specific user and to ascertain that the latter is not pretending to be someone else”, but that Xandr refused to act on the complainant’s request.

Dialog from Sourcepoint enables the accurate and up-to-date management of your user’s consent. Learn more about Dialog.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.