No. 17-16206 (9th Cir. Dec. 6, 2018)
Case Debrief and Analysis by Rayana Jamasi
Following the tracking of users across third-party sites, Winston Smith and two others filed a class action lawsuit. Smith alleged that Facebook were able to track their identities through the share/like toggles on health-related internet sites. Moreover, the plaintiffs believed that this collection of health-related information was a violation of their right to privacy and of federal law.
Terms and Relevant Laws: - Browser finger printing: Refers to the identification of a user through tracking their browsing sessions - Cookies: Small pieces of data that record your browser information to personalize and save data regarding your online session - Wiretap Act: “Title I of the ECPA, which is often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or "procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication." Title I also prohibits the use of illegally obtained communications as evidence. 18 U.S.C. § 2515"1 - California Civil Code 1798.912: “A business may not orally request medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information" - Health Information Portability and Accountability Act of 1996: Protects patient’s health information from being disclosed without their knowledge or consent3
Background
In 2017, Mr. Winston Smith and two Jane Does filed a class action lawsuit concerning the tracking of Facebook’s users and the third-party websites they visit. The plaintiffs asserted that their health information was released withouttheir consent and that they were personally identifiable based on the data. Moreover, they claimed that Facebook was able to track their digital activity through 1) the individual IP address, 2) the cookies that are in each browser, and 3) through a method known as browser fingerprinting. The data collection is typically used for the development of targeted advertisements towards the user or sold to advertising companies. This case was significant as Federal Law in the United States has higher punishments for the collection of health-care related information due to thesensitivity of its nature. Furthermore, the Plaintiffs claimed that Facebook violated these laws as the tracking disregarded their right to privacy as it breached the Wiretap Act, the California Constitution, and the California Invasion of Privacy Act. Decisions The district court held that Mr. Smith and the others had consented to Facebook’s data collection policies in the terms and agreements. This was agreed upon by the plaintiffs and not disputed, as the terms and agreements clearly outlined their collection practices especially related to third-party websites. Most notably, Facebook’s terms contain a section that states: ““We collect information when you visit or use third-party websites and apps that use our Services . . . . This includes information about the websites and apps you visit, your use of our Services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” 4 and “we use all of the information we have about you to show you relevant ads.” 5 1 https://www.law.cornell.edu/uscode/text/18/2515 2 https://law.justia.com/codes/california/2018/code-civ/division-3/part-4/title-1.81.26.a/section-1798.91.04/ 3 https://aspe.hhs.gov/reports/health-insurance-portability-accountability-act-1996 4 https://epic.org/documents/smith-v-facebook/ 5 https://epic.org/documents/smith-v-facebook/
In response to this decision, the plaintiffs claimed that while they did consent to the general collection of their data, they did not agree to sensitive data such as health-related information being collected. The Court disagreed with this assertion as it held that this information still fell within the scope of Facebook’s Terms and Conditions. Moreover, the Court believed that Facebook’s policies never explicitly assured that they would not share data with healthcare websites, thus affirming the district court’s decision to reject the Plaintiff’s claims. Even with the Plaintiffs’ argument using the Health Information Portability and Accountability Act of 1996 and California’s Civil Code, the claims are still to be rejected as information on websites that are available online to the public does not contain identifiable health information and patient data, therefore the HIPAA or section 1798.91 of the Code were not applicable to the case.
Implications
Since Facebook was not held liable for collecting user health data, it might set a precedent that could influence how other companies handle sensitive user data. The decision could also impact the interpretation and enforcement of data protection laws and regulations in the relevant jurisdiction. Since the case was decided in favour of Facebook, it clearly indicates that current laws and regulations are not sufficient to address health data privacy concerns adequately. The case also underscores the importance of user awareness and consent when it comes to data collection.This decision also highlights the need for companies to be transparent about their data practices and obtain clear and informed consent from users when collecting sensitive information. Moreover, this case could influence future legal actions related to data privacy and data collection. Plaintiffs might face greater challenges in pursuing similar cases, or they might need to build stronger arguments to demonstrate harm or legal violations. The case outcome might affect how companies, including Facebook, handle the collection of health data and other sensitive information. Companies may choose to revisit their data collection and sharing policies to align with the legal standards established by the case.
Related Cases
• FBI v. Fazaga • Lloyd v Google LLC • Australian Competition and Consumer Commission v Google LLC • Warren v DSG Retail Ltd
Additional Sources
Smith v. Facebook, EPIC, https://epic.org/documents/smith-v-facebook/ (last visited Oct 25, 2023). Smith v. Facebook, inc.., Legal research tools from Casetext (2018), https:// casetext.com/case/smith-v-facebook-inc-2 (last visited Oct 25, 2023). Winston Smith v. Facebook, Inc., no. 17-16206 (9th cir. 2018), Justia Law, https://law.justia.com/cases/federal/appellate-courts/ ca9/17-16206/17-16206-2018-12-06.html (last visited Oct 25, 2023)
Comentarios