Massachusetts Supreme Judicial Court Rejects Wiretap Claims Based on Website Tracking

In a closely watched decision, the highest court in Massachusetts has rejected the theory that third-party website tracking technology violates G. L. c. 272, § 99, the Massachusetts Wiretap Act.

In Vita v. New England Baptist Hospital et al, SJC-13542, plaintiff Kathleen Vita alleged that the websites of two hospital defendants illegally collected information about her browsing activities with tracking software, and simultaneously transmitted that information to third-party software developers that commercialized her data. No private medical records or messages with health care providers were alleged to have been intercepted or transmitted. The SJC rejected the plaintiff’s theory that the Wiretap Act prohibited website tracking and reversed the trial court’s denial of the hospitals’ motions to dismiss.

“Communications” Do Not Include Website Tracking under the Wiretap Act

The SJC based its ruling on a close review of the text and legislative history of the Wiretap Act. Enacted in 1968, the Act was intended to prohibit aiding the secret recording of the "contents" of "any wire or oral communication." G. L. c. 272, § 99 A, C. The Legislature’s concern was the interception of person-to-person conversations and messages using hidden electronic surveillance devices. While the Legislature crafted the statute to flexibly prohibit secret electronic eavesdropping by new and evolving technologies, it did not define “communications.”

Relying on context and dictionary definitions for the term “communications” to parse whether the statute might include website browsing activity, the SJC reasoned, “we cannot conclude with any confidence that the Legislature intended ‘communication’ to extend so broadly as to criminalize the interception of web browsing and other such interactions.”

Given this ambiguity, the court invoked the rule of lenity, that when it is “unable to ascertain the intent of the Legislature, the defendant is entitled to the benefit of any rational doubt." Because Vita’s allegations fell within this ambiguity, as she did not claim any person-to-person communication was recorded, her claims were not “clearly within the Wiretap Act's ambit.” Her interactions were “not with another person but with a website” on which the hospitals published information.

The Court Looks to the Legislature and Other Laws

The SJC concluded, “[i]f the Legislature intends for the Wiretap Act's criminal and civil penalties to prohibit the tracking of a person's browsing of, and interaction with, published information on websites, it must say so expressly.” While the court acknowledged “the serious threat to privacy by the proliferation of third-party tracking,” it said those concerns “should be addressed to the Legislature,” or through other statutes “more specifically directed at the improper handling of confidential information.” But the decision was clear that litigants cannot look to the Wiretap Act as a remedy for the alleged secret recording and transmission of website interactions without user consent.

Key Takeaways and Developments to Monitor

The Vita ruling is a victory for businesses that develop and use website tracking software, tools on which the modern digital economy relies. Businesses should continue to track closely this evolving area of law, particularly where plaintiffs in Massachusetts may heed the SJC’s guidance to look to statutes beyond the Wiretap Act. Privacy proponents are also likely to answer the dissent’s impassioned call for the Massachusetts Legislature to broaden existing laws to encompass the tracking alleged in Vita.

Companies should also remain mindful that their websites will remain subject to a patchwork of shifting and sometimes inconsistent state and federal laws. It is important to note that other states may not follow the example in Massachusetts for interpreting their own wiretap laws, particularly in light of the fact that the SJC’s ruling turned on the absence of a definition of “communications” in a nearly 60 year old law, when other statues have more updated definitions. Courts outside of the Commonwealth might also adopt the reasoning of the dissent, which argued for construing website tracking as encompassed by the term “communications” in the Wiretap Act.

Before adopting new technologies that interact with user data, businesses should consult with experienced counsel to ensure they adopt state-of-the-art risk mitigation measures.

Pierce Atwood continues to closely monitor developments in privacy law. If you have any questions about managing risks under wiretapping or other privacy laws, or would like help determining whether your business can take steps to improve its privacy compliance program, please contact Melanie Conroy, Kathleen Hamann, or Vivek Rao.