Photo of Steven Boranian

We reported a few months ago on a California court that largely gutted a pharma-related privacy class action centered on the alleged disclosure of personal information through the use of computer pixels.  Today we bring you another pixel case, but with a different outcome.  In Jancik v. WebMD LLC, No. 1:22-cv-644, 2025 U.S. Dist. LEXIS 30054 (N.D. Ga. Feb. 20, 2025), a federal court in Georgia certified a class of individuals who allegedly viewed videos on a health information website, only to have their video viewing history allegedly disclosed to a third party via pixels. 

You might ask, what’s wrong with that?  Well, according to the plaintiffs, disclosure of video viewing violated the Video Privacy Protection Act, a federal law enacted in 1988 to regulate when video rental shops could tell other people what videotapes you were renting.  Some readers might recall the hubbub in the 1980s when a too-clever reporter obtained and published a list of videotapes that Supreme Court nominee Robert Bork rented from his local video store.  Judge Bork did not succeed in being appointed to the Supreme Court in 1987, but Congress successfully (and very quickly) passed a law the next year to avoid comparable leaks.  We do not recall anything remotely controversial in Judge Bork’s video rentals, but still, we see the point.

Fast forward to the Internet age, and the issue in Jancik was pixels, which are small pieces of code that websites can deploy to gather information on website visitors—what they searched for, which links they clicked on, etc.  As we surmised in our prior post, when you make travel plans online and then start receiving ads from airlines and hotels in Facebook or on Instagram, that might be the work of tracking pixels.  The Jancik plaintiffs alleged that the defendant’s health information website used pixels to track their video viewing (called “Event Data”) and then shared that information with a third party.  They sought certification of a class of individuals who used the same email addresses in connection with the website and the third party and whose “Event Data” was in the third party’s possession.

We have no idea whether this defendant violated the Video Privacy Protection Act.  We do not know, for example, whether its terms of use covered this scenario, whether certain user settings were relevant, whether website visitors gave consent, or whether other circumstances would place the defendant within one of the Act’s exceptions or outside the Act’s purview altogether.  This defendant, after all, was not Blockbuster Video.  Regardless, the district court ruled that the lawsuit presented sufficient common issues and otherwise met Rule 23’s requirements for a class action. 

First, the court ruled that the class was ascertainable, even though neither the plaintiffs nor the defendant has possession of information sufficient to know who would be in the class.  For that, the plaintiffs asserted that they would obtain information from the third party, which then could be compared to other information, which then would generate a list of putative class members.  But a software engineer from the third party testified that “he suspected” that analysis would be “possible” and that he “believe[d] you could probably do that.”  Id. at *12-*13.  Not exactly a vote of confidence, or an opinion to a “reasonable degree” of certainty.  The court nevertheless found it sufficient and noted that the defendant (who did not have any burden of proof or production under Rule 23) had “not offered testimony to the contrary.”  Id. at *13.  Put a pin in that. 

Second, the court found the proposed class met the other requirements of Rule 23(a).  It found the class to be numerous, citing “common sense.”  Given that numerosity is easily demonstrated and rarely contested, we won’t dwell on this.  The court also found commonality and typicality, which we will dwell on.  The defendants argued that the putative class members’ claims presented individual issues because myriad factors would affect whether and how tracking pixels would operate, including privacy setting, usage of different devices, and sharing of accounts by different individuals.  The court ruled, however, that the plaintiffs had “circumvented” these concerns by defining the class to include individuals whose Event Data was already in the third party’s possession.  The court similarly rejected more technical arguments offered by the defendant “without diving too far into the specifics” and found that the defendant (there’s that burden of proof problem again) had not shown why other differences between class members were significant.  Having found the class representative’s claims were typical of the class, the court found the class representative adequate, too.  Id. at *22-*27. 

Third, the court ruled that common issues predominated over individual issues and that a class action would be superior to other forms of resolution under Rule 23(b)(3).  Common issues included whether website subscribers were “consumers,” whether the defendant was a “video tape service provider,” whether the type of data allegedly transmitted was personally identifiable information, and whether the defendant obtained consent.  Id. at *28-*29.  We cannot help but think, however, that it is not quite so simple.  The defendant urged that each class member would need to prove individually that his or her private information was shared with the third party, and even the court acknowledged that just ascertaining the class would have to “account[ ] for device, browser, and other settings.”  Some of those “other settings” might be game changers.  We can’t tell.  The court also banked on a “class action administrator” performing “quality assurance checks” to exclude class members whose claims are without merit.  We have seen this play before, and when a certified class includes class members without valid claims, it is little solace to hear that a class administrator will sort it all out after the fact. 

Finally, the court certified an injunctive relief class under Rule 23(b)(3), although it seems the relief sought was only vaguely described as “protect the interests” of the class and comply with the law. 

The result is a relatively rare certification of a privacy class action in the healthcare space.  We observe in closing that this court seems to have given the moving party the benefit of the doubt—for example, by finding ascertainability based on equivocal evidence, while chiding the defendant for not offering contrary testimony.  Another example is the court’s note that the defendant had not shown why differences among the putative class members were significant.  The plaintiff bore the burden on this motion. 

Drug & Device Resources

Bexis’ Book

FDA-regulated products now account for an estimated one-fifth of overall economic activity in the U.S. They have also been the focus of a litigation explosion. This timely guide covers all aspects of litigation involving drugs, medical devices, vaccines and other FDA-regulated prescription products.
Learn More About This Book