The Privacy Ghost of TransUnion: The Continuing Struggle to Prove Harm
By Hannah Moore; Photo Credit: Justin Sullivan/Getty Images
Earlier this fall, in Howard v. Laboratory Corp. of America, No. 1:23-cv-00758, 2024 WL 4326898 (M.D.N.C., 2024), Plaintiffs, individually and on behalf of a class, raised privacy concerns, alleging that Labcorp embedded hidden tracking codes, known as “Third-Party Trackers,” from Meta (formerly Facebook) and Google, among others, on Labcorp’s website. (Am. Compl. ¶ 2). Labcorp is a global life sciences company providing various healthcare services like diagnostics and drug development.[1] Its website allows individuals “to access their medical testing results, book medical testing appointments, request medical testing supplies, and pay for Labcorp services they have received.” (Am. Compl. ¶ 54). Plaintiffs allege that the trackers collected personal information, including users’ identities, medical search terms, and visits to specific pages related to medical conditions, all without their consent. (Am. Compl. ¶¶ 3, 55–56). Labcorp’s configuration of these trackers allegedly enabled Meta and Google to gather the sensitive data, combining it with other personal information to use in digital advertising, in violation of California’s Invasion of Privacy Act (“CIPA”) and Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (“WESCA”). (Am. Compl. ¶¶ 4,5). Both CIPA and WESCA require the explicit consent of all parties involved in electronic communications. (Am. Compl. ¶ 115).
At the most basic level, when a user conducted a medical search on Labcorp’s website, such as searching for information on cancer screening, the trackers allegedly captured the search term and the user’s unique Facebook ID (FID). (Am. Compl. ¶¶ 30,66). This FID was linked to that individual’s Facebook account so that Meta could match the user’s Labcorp site activity with their Facebook profile. (Am. Compl. ¶¶ 28, 29). This allowed Meta to know who was searching for specific medical conditions or tests, combining this data with other information gathered from the user’s online activities. (Am. Compl. ¶ 30). Similarly, Google used its unique tracking IDs to tie browsing data back to individuals, even across different devices and sessions. (Am. Compl. ¶ 49).
The case is being heard in the U.S. District Court for the Middle District of North Carolina, overseen by Judge William L. Osteen, Jr.[2] Recently, Judge Osteen allowed the case to move forward after denying Labcorp’s motion to dismiss.[3] He ruled that the Plaintiffs had made a strong enough case that sensitive medical data was collected and shared without consent, potentially violating California and Pennsylvania privacy laws.[4] However, Judge Osteen also cautioned the Plaintiffs to be mindful of how they frame their presently vague class allegations––alluding to Justice Kavanaugh’s on-topic phrase, “no harm, no standing.”[5]
Quantifying privacy harms is a challenge to showing a tangible injury-in-fact for standing.[6] Privacy harm often involves intangible injuries, like infringements on personal autonomy or the potential risk of future misuse of information, while traditional metrics focus on economic loss or physical damage.[7] Unlike such easily identifiable harms, privacy harms are diffuse and often occur as downstream effects across a large population.[8] While some people may not perceive targeted advertising as harmful,[9] Daniel Solove argues that broadly speaking, such identification[10] and surveillance (i.e., “record[ing] behavior [and] social interaction”) subtly shapes behavior and decision-making, thereby eroding individual control and privacy.[11]
Plaintiffs will need to establish concrete, individualized harm beyond merely claiming their personal health information was sent to Google and Meta without consent. Violations of personal autonomy in such a context will likely not substantiate Plaintiff’s harm, nor take their claims any further. Discovery will provide a more expansive view of what type of information was transmitted and the level of its sensitivity, which will likely impact the court’s assessment of standing.[12]
Hannah Moore is a 2L at Vanderbilt University Law School. She hopes to focus on Data Privacy and Healthcare after law school.
[1] Company Information, Labcorp, https://www.labcorp.com/frequently-asked-questions/patient/general/company-information (last visited Nov. 4, 2024).
[2] Cassandre Coyer, Labcorp Will Face Claims It Sent Patient Data to Google, Meta, Bloomberg L. (Sept. 30, 2024), https://news.bloomberglaw.com/privacy-and-data-security/labcorp-will-face-claims-it-sent-patient-data-to-google-meta?context=search&index=0.
[3] Id.
[4] Id.
[5] Howard v. Laboratory Corp. of America, No. 1:23-cv-00758, 2024 WL 4326898 (M.D.N.C. 2024) (“Plaintiffs are forewarned that these vague pleadings cause this court substantial concern with Plaintiffs’ class allegations.”); see TransUnion LLC v. Ramirez, 549 U.S. 413, 417–18 (2021).
[6] See id. at 417–18 (explaining that of the 8,185 class members, most did not suffer a concrete injury because TransUnion had not provided credit reports for these individuals to third-party businesses).
[7] Danielle Keats Citron and Daniel J. Solove, Privacy Harms, 102 B.U. L. Rev. 793, 797, 817 (2022), https://www.bu.edu/bulawreview/files/2022/04/CITRON-SOLOVE.pdf.
[8] Id. (“For many privacy harms, the injury may appear small when viewed in isolation, such as the inconvenience of receiving an unwanted email or advertisement… But when done by hundreds or thousands of companies, the harm adds up. Moreover, these small harms are dispersed among millions—and sometimes billions—of people.”).
[9] I admit, I find it helpful when an ad for cute shoes appears.
[10] “… it is primarily a form of connecting data to people.” Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477, 513 (2006), https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?article=1376&context=penn_law_review.
[11] Id. at 495.
[12] Coyer, supra note 2.