Kane v. Univ. of Rochester

DECISION AND ORDER

HON. FRANK P. GERACI, JR., UNITED STATES DISTRICT JUDGE, WESTERN DISTRICT OF NEW YORK

INTRODUCTION

Plaintiffs Carol Kane and Bonnie Wilson bring this putative healthcare data privacy class action against the University of Rochester (Defendant). See generally ECF No. 8. Plaintiffs' claims arise out of Defendant's alleged disclosure, through certain web analytics and marketing tools, of their private health-related information to Facebook. Defendant has moved to dismiss Plaintiffs' amended complaint in its entirety. See ECF No. 11. As explained below, Defendant's motion is GRANTED in part and DENIED in part.

BACKGROUND

Defendant operates one of the largest facilities for medical treatment and research in New York state, employing over 26,000 employees and nearly 3,000 clinical researchers. ECF No. 8 ¶ 33.[1] Plaintiff Bonnie Wilson, a citizen of New York, and Plaintiff Carol Kane, a citizen of Florida, have accessed Defendant's website to search for, make appointments with, and communicate with healthcare providers. Id. ¶ 37. They allege that, using two web tracking products, the Facebook Tracking Pixel (the “Pixel”) and Conversions Application Programming Interface (“CAPI”), Defendant transmitted their personally identifiable information (“PII”) and non-public personal health information (“PHI,” collectively with PII, “Private Information”) to Facebook without authorization.

I. Facebook's Web Tracking Technology

Facebook operates the world's largest social media platform and generated $117 billion in revenue in 2021, about ninety-seven percent of which came from advertising. See ECF No. 8 ¶ 61. Facebook profiles include users' real names, locations, friends, likes, and other communications. Id. ¶ 62. Facebook associates that information with personal identifiers, including IP addresses. Id. Facebook also tracks non-Facebook users through its marketing products. Id. ¶ 63. Facebook sells advertising by highlighting its ability to effectively target users by tracking activity both inside and outside of its own website. Id. ¶¶ 64-65.

This tracking allows Facebook to “make inferences about users beyond what they explicitly disclose.” Id. ¶ 66. Facebook compiles this information into a dataset called “Core Audiences.” Id. ¶ 67. Advertisers can use this dataset to target their advertisements by using “highly specific filters and parameters.” Id. They can also build “Custom Audiences,” which enable advertisers to reach “people who have already shown an interest in [their] business, whether they're loyal customers or people who have used [their] app or visited [their] website.” Id. ¶ 69. Finally, Facebook allows advertisers to build “Lookalike Audiences” by “leveraging information from [a] source audience to find new people who share similar qualities.” Id. In order to build Custom Audiences and Lookalike Audiences, advertisers must provide Facebook with data either by manually uploading customer contact information or using Facebook's “Business Tools.” Id. ¶ 70.

Facebook's Business Tools, such as the Pixel and CAPI, are designed to “help website owners . . . and business partners, including advertisers and others, integrate with Facebook, understand and measure their products and services, and better reach and serve people who might be interested in their products and services.” ECF No. 8 ¶ 71. These Business Tools are configured to capture certain data by default, such as when a user visits a webpage or that webpage's Universal Resource Locator (“URL”) and metadata, or when a user downloads a mobile application or makes a purchase. Id. ¶ 73. The Business Tools can also track other events. Id. ¶ 74. Along with Facebook's “menu of ‘standard events' from which advertisers can choose,” advertisers can create their own tracking parameters by building a “custom event.” Id.

The Pixel is a piece of code that “tracks the people and [the] type of actions they take as they interact with a website (or other digital property),” including, among other things, how long they spend on a particular page, which buttons they click, which pages they view, and the text they enter into search bars, chats, or text boxes. Id. ¶ 8 (internal quotation marks omitted). When a user accesses a website hosting the Pixel, it directs the user's web browser to send a separate message to Facebook's servers. Id. ¶ 76. This separate transmission contains the original request to the host website (known as a “GET” request), along with the additional data that the Pixel has been configured to collect. Id.

Among that data would be the user's IP address,[2] device ID, and Facebook ID. Id. ¶ 80. A user's Facebook ID is linked to their Facebook profile, which “generally contains a wide range of demographic and other information . . . including pictures, personal interests, work history, relationship status, and other details.” Id. ¶ 84. When a user accesses a website equipped with the Pixel while logged into Facebook, Facebook receives the “cuser” cookie, which contains the user's unencrypted Facebook ID. Id. ¶ 96. When a user has recently logged out of Facebook, Facebook receives the “cuser” cookie as well as the “fr” cookie, which contains an encrypted Facebook ID and browser identifier. Id. ¶¶ 98-99. Defendant also used the “fbp” cookie, which, like the “fr” cookie, identifies a user's browser. Id. ¶ 100. Because the Facebook ID “uniquely identifies an individual's Facebook account, Facebook-or any other person-can use the Facebook Profile ID to quickly and easily locate, access, and view the user's corresponding Facebook profile.” Id. ¶ 84. Facebook uses the fr, fbp, and cuser cookies to “link to [Facebook IDs] and corresponding Facebook profiles.” Id. ¶ 108. In other words, if a website visitor is a Facebook user, Facebook will associate the information that it collects through the Pixel with the visitor's name and Facebook profile, and, as a result, their real-world identity. Id. ¶ 83.

Defendant's implementation of the Pixel also shared information about user actions with Facebook. For example, when a user selects filters, such as specialty and gender, or enters keywords into the search bar, on Defendant's “Find a Provider” page, those filters and keywords are transmitted to Facebook. ECF No. 8 ¶ 91. While search parameters may be “coded,” that does not prevent Facebook from decoding that data to determine that a user searched for, for example, a bone cancer specialist. See id. ¶ 92. When a user then selects a physician, the Pixel transmits: “the [user]'s unique and persistent Facebook ID (cuser ID), (ii) the fact that the patient clicked on a specific provider's profile page . . ., (iii) the patient's search parameters (demonstrating that they specifically searched for a female or male doctor and their specialty), and (iv) the [user's] location.” Id. ¶ 93. Once a user has selected a physician, if the user then proceeded to click the “Schedule an Appointment” button on the physician's profile, the Pixel would transmit that action to Facebook as the “SubscribedButtonClick” event, along with the user's search parameters and Facebook ID. See id. ¶ 94.

II. Defendant's Privacy Policies

Defendant sets out its policies and practices with respect to Private Information in its Privacy Statement and Notice of Privacy Practices (collectively, “Privacy Policies”). See ECF No. 8 ¶¶ 112, 113, 115.

In its Privacy Statement, Defendant informs users that it is “committed to protecting your privacy. Any information you provide to us through the URMC website-for example, name, address, and phone number-will never be sold to third parties.” Id. ¶ 113. Defendant further states that it does not “collect information that would personally identify you unless you choose to provide it. The protected health information that you submit, such as on the appointment request form, is shared only with those people in [Defendant] who need this information to respond to your question or request.” Id. ¶ 114. Nor does Defendant, according to its Privacy Statement, “share any visitor's protected health information with any third party unrelated to [Defendant], except in situations where we must provide information for legal purposes or investigations, or if so directed by the patient through a proper authorization.” Id.

With respect to marketing services, the Privacy Statement discloses that Defendant uses “Google AdWords remarketing service to advertise URMC services to previous visitors to our site,” and that “[a]ny data collected will be used in accordance with our privacy policy and Google's privacy policy.” Id. ¶ 118. The Privacy Statement also explains Defendant's use of web analytics software, which it uses “to track visitor activity and to better understand how the website can be improved.” Id. ¶ 120. According to the Privacy Statement, Defendant “does not allow any third party to track or collect personally identifiable information from users,” but “[i]f personally identifiable data is collected . . . none of that data will be associated with any other data gathered during the use of this website.” Id. Defendant “may provide third parties with aggregate statistics about visitors, traffic patterns and related site information,” which, according to the Privacy Statement, “reflect site-usage patterns gathered during visits to our website,” but do not “contain behavioral or identifying information about any individual user unless that user has given us permission to share that information.” Id.

Defendant's Notice of Privacy...
