California healthcare provider TrueCare was sued for sharing user health data without consent. Now, a federal court has ruled that the class action lawsuit can proceed. TrueCare operates a website, https://truecare.org/, that patients visit to get information and schedule appointments. When patients fill out forms on the website, they expect that their personal data will remain confidential. However, the company allegedly used pixel-tracking software to collect user data. TrueCare also allegedly shared patient information with Facebook parent company Meta, which allowed them to associate a user’s searches about their healthcare with their Facebook profile to derive sensitive healthcare information that no third party should have a right to access without permission.
If and when the case reaches trial, TrueCare may have to answer for alleged violations of both federal and California state data privacy laws, including the California Invasion of Privacy Act (CIPA) and California’s Trap & Trace Law. To learn more, keep reading this blog.
TrueCare Accused of Sharing Confidential Customer Data with Meta
TrueCare is a healthcare service provider with clinics located across Southern California. They offer community health services that include primary care, pediatric care, women’s health, and dental care.
A lawsuit filed in federal court accuses TrueCare of installing Meta Pixel Software on its website to track patient activity and collect patient information. The tracking software allegedly gathers data about which website pages users visit and then shares the data with Meta, the parent company of popular social media platforms like Facebook, Instagram, and WhatsApp. Once collected, the data is allegedly deanonymized and associated with a user’s Facebook identification number, which allows Meta to create personalized advertisements that target individual users.
Class Action Lawsuit: TrueCare Sued for Violating California Data Privacy Laws
The main plaintiff in the class action case, Wright v. TrueCare Property Holdings, LLC., is a California resident who visited the health care company’s website on multiple occasions. According to the complaint, the plaintiff learned that her internet activity was tracked by TrueCare. Specifically, the plaintiff alleged that TrueCare used Meta pixel-tracking software on its website to intercept users’ personal information.
The lawsuit accuses TrueCare of violating multiple data privacy laws, including:
- Confidentiality of Medical Information Act (CMIA)
- Electronic Communications Privacy Act (ECPA)
- California Constitution
- California Invasion of Privacy Act (CIPA)
- California Trap & Trace Law
Court: Trap & Trace Claim Against TrueCare Can Proceed
The class action lawsuit was filed in the U.S. District Court for the Southern District of California. Prior to trial, TrueCare filed a motion to dismiss the lawsuit for supposedly failing to state a valid claim under the Trap and Trace Law.
The federal court heard arguments from both sides and ultimately denied the motion to dismiss the Trap & Trace claim. This means that the lawsuit can potentially go to trial.
What Is California’s Trap and Trace Law?
The heart of the lawsuit against TrueCare is the Trap and Trace claim, which alleges that the healthcare provider used a trap & trace device or pen register to unlawfully collect user data without consent.
California’s Trap & Trace Law provides consumers with much-needed protection against companies that might try to acquire customer data without consent. This is particularly important these days when so much information is shared online: internet users trust companies not to unlawfully collect and share their data with third parties, but far too many companies violate this trust because the data is so valuable. Social media platforms like Facebook and TikTok can benefit greatly from user data that allows for targeted advertising to hundreds of millions of Americans, while data broker companies can monetize user data on a mass scale as well.
The Trap and Trace Law is codified at § 638.51 of the California Invasion of Privacy Act (CIPA). Importantly, CIPA provides a private right of action to California residents to file a civil lawsuit against companies that violate the statute. Additionally, the statute imposes a penalty of $2,500 for each trap & trace violation, which is another deterrent for companies that might otherwise try to collect and sell customer data without consent.
Court: TrueCare Used a Trap & Trace Device on Its Website
As set forth by the California Invasion of Privacy Act (CIPA), a trap and trace claim must show that the defendant used a device capable of recording “dialing, routing, addressing, or signaling information but not the contents of a communication,” and that the information came from a wire or electronic communication. Although there is an exception when the data was collected with a court order, that is not an issue in the TrueCare case.
According to the lawsuit, Meta used data collected on the TrueCare website to identify users through their Facebook identification numbers, so the data would qualify as “addressing information” under the statute. The U.S. District Court agreed, pointing to previous rulings that the Trap & Trace Law applied to websites that used software to track visitors’ IP addresses.
The district court also found that the Meta Pixel Software embedded on the TrueCare website meets the statutory definition of a pen register or trap & trace device because it is “software that identifies consumers, gathers data, and correlates that data through unique fingerprinting.” Here, the court cited Moody v. C2 Educational Systems as precedent. This was an important data privacy case where Tauler Smith LLP represented the plaintiffs who filed a CIPA class action against the nation’s leading provider of tutoring services.
C2 Educational Systems: Precedent for CIPA Claims
In C2 Educational Systems, the U.S. District Court for the Central District of California ruled that TikTok Software used to track browser and form data qualified as a trap and trace device. The court in the class action against TrueCare noted the similarity to the earlier case: TrueCare allegedly used the Metal Pixel on their website to track visitors’ record or identifying information regarding their use of the site.
Ultimately, the court ruled that the plaintiff stated a valid trap & trace claim against TrueCare because they plausibly showed that the Defendant used a device to record or capture addressing information without a court order.
Call the Los Angeles Data Privacy Attorneys at Tauler Smith LLP
California residents have strong protections against the unauthorized collection of their personal data online. If you visited a website and your personal information was intercepted without permission, or if your data was shared with a third party, you may be able to file a civil suit for monetary damages. The Los Angeles data privacy lawyers at Tauler Smith LLP can help you.
