Monday, April 15, 2024
Courthouse News Service

Microsoft must face privacy class action over Kaiser website data

Claims of unjust enrichment, invasion of privacy and unfair competition are still in play.

SEATTLE (CN) — A federal judge on Tuesday allowed a class to move forward with four claims against Microsoft and Qualtrics, after dismissing another five claims involving the two software companies’ collection of private health data from Kaiser Permanente patients online.

The underlying lawsuit from May accuses Microsoft and Qualtrics, which specializes in survey technology, of violating Kaiser members’ right to privacy under the Health Insurance Portability and Accountability Act. The unnamed California lead plaintiff claims the companies implemented code on Kaiser’s patient portal to illegally extract information about her search history, health care appointments, medical records and communications with doctors.

“Unbeknownst to Kaiser members, code on the Kaiser website includes software development kits (“SDKs”) offered by defendants Microsoft and Qualtrics that intercept and collect Kaiser members’ activity and their private medical data,” the plaintiff writes in the complaint.

In a subsequent motion to dismiss, however, Microsoft denied the existence of any “Microsoft SDKs,” writing that the plaintiff may have confused the service with the company’s “universal event tracking” service.

“Indeed, the UET service code enables website operators to understand how their websites are used in order to improve the websites and the advertisements shown on them, much like other similar website analytics and advertising offerings in the industry,” Microsoft wrote in July.

The company contends that its tracking service is “privacy-protective” by requiring website operators that use the code to comply with consent obligations, and by disclosing Microsoft’s user data collection through the website operator’s privacy policy.

Microsoft also pointed to Kaiser’s publicly available privacy statement, which states that Kaiser records data from anyone who uses its website, and that it may disclose its users’ personal information to third parties with services that improve Kaiser’s business activities.

Likewise, Qualtrics argued in its motion to dismiss that the company is “just a vendor whose sole purpose is to provide tools to customers” like Kaiser — allowing them to collect and analyze their website data.

“Qualtrics does nothing with this data for itself,” Qualtrics wrote. “Unlike other third-party data companies that have been the subject of recent litigation, Qualtrics does not sell user data, use the data for advertising, or use the data for its own purposes. Qualtrics’ business model is selling software services, not data.”

Qualtrics also argued that its Kaiser data is anonymous, thanks to a “randomized alphanumeric string” assigned to all Kaiser website users.

“Consequently, though all of plaintiff’s claims are premised on the collection of her personal identifiable information, she does not allege that Qualtrics collected anything that specifically and personally identifies plaintiff,” Qualtrics added, echoing other similar arguments from Microsoft.

Having considered the record since May, U.S. District Judge John C. Coughenour issued a ruling on Tuesday dismissing the plaintiffs’ claims of computer fraud, statutory larceny and conversion, as well as two counts under the California Invasion of Privacy Act insofar as they relied on intentional wiretapping.

Still in play are claims of unjust enrichment, invasion of privacy and violations of California’s Unfair Competition Law and the state’s constitutional right to privacy.

In dismissing claims under sections 630 and 631 of the California Invasion of Privacy Act — a law that prohibits the recording of confidential conversations without the consent of everyone involved — Coughenour explained that the plaintiff “does not suggest that defendants tapped her communications using telegraph or telephone wires” beyond a conclusion that the companies intercepted private data that had been transmitted or passed through a wire, line or cable.

Coughenour also dismissed the claims for Microsoft because the plaintiff could not prove that the company intercepted the contents of her communications with Kaiser.

Yet Qualtrics was not so lucky in dodging the second claim under the act for penal code section 632 — a decision that leaned on technicalities over what constitutes an “electronic amplifying or recording device” to collect information.

Coughenour explained that, under case law, software like Google Maps or Chrome is not a device under the California act because it is not “equipment.” Servers are different, though, Coughenour wrote, adding that while the lead plaintiff asserts that both companies broke the law by “using their SDKs and receiving servers,” her complaint alleges that only Qualtrics used such servers while Microsoft used software.

Furthermore, Coughenour rejected Qualtrics’ arguments that blamed Kaiser for using a recording device and that claimed it did not intend to record confidential information without consent.

“The first argument is unpersuasive because plaintiff adequately pleads Qualtrics’ use of a recording device,” Coughenour wrote, adding that Qualtrics’ alleged involvement was not as minimal as the case law it cites.

Only the Computer Fraud and Abuse Act and statutory larceny claims were dismissed with prejudice.

Attorneys for Microsoft, Qualtrics and the plaintiff did not immediately respond to requests for comment.

Follow @alannamayhampdx