Communications Litigation Today was a Warren News publication.
HIPAA Covered Entity

Eyewear Chain Tracks Website Users' Activity Without Their Consent: Class Action

Optical store chain Eyemart Express tracks users’ activity on its website without their consent and without disclosing the tracking practices, alleged a class action Wednesday (docket 3:24-cv-00621) in U.S. District Court for Northern Texas in Dallas.

Customers can browse health-related eye products on the Eyemart Express website and locate a doctor to schedule an appointment for an eye exam, the complaint said. Customers also use the website to search for eyewear products, which they can then buy at a local store, it said.

Unknown to users, Eyemart uses Meta’s Pixel tracking tool to “intercept communications” between tracked users and the website, the complaint said. Meta Pixel sends tracking entity information relating to users’ searches and activity on the Eyemart Express website -- including information such as “make, model and SKU,” plus details about their personal health information, such as attempts to schedule eye exams -- to marketers, the complaint said. That information is used outside of the website by Meta to target users with ads, it said.

Eyemart's website doesn’t inform users that its use of a search bar would cause Meta Pixel to intercept their queries, including products searched and attempts to schedule eye exams, the complaint said. It also doesn’t tell them that such interceptions will be used to benefit Eyemart and Meta "separate from the services being rendered” to the user, it said.

By collecting and analyzing users’ search data to determine their interests and demographics, defendants are able to monetize the information “to connect marketers selling advertising relevant to a user’s interests and/or demographics and to sell advertising across multiple websites to marketing firms” looking to target Eyemart users, it said.

Rachelle Rand, a resident of Carl Junction, Missouri, visited the Eyemart Express website in November to locate an eye doctor and schedule an appointment, said the complaint. She wasn’t given a chance to review or consent to share her personal information, to the use of tracking tools, or to the sharing of any personal information such as “statutorily protected health information,” the complaint said.

Visiting the Eyemart website and searching for information resulted in her personal health information (PHI) being shared with Facebook, the complaint said. Her Facebook profile included personally identifiable information (PII), including her name, personal photos location and gender, it said. Rand, one of the complaint's three named plaintiffs, didn’t consent to Eyemart collecting her data while visiting and using its website, the complaint said.

Esperanza Gottschau, a resident of Littleton, Colorado, visited the Eyemart website several times over the past two years, including in October when she searched for prescription eyewear, the complaint said. She wasn’t given an opportunity to review or consent to share her PII, to the use of tracking tools, or to share any protected health information, the complaint said. Her PHI was also shared with Facebook, though she didn’t consent to Eyemart collecting her data while visiting and using the website, it said.

Ramon Soto of Chicago visited Eyemart’s website over the past two years, including in June 2022, when he searched for prescription eyewear, the complaint said. Soto, too, wasn’t given a chance to review or consent to the sharing of his PHI with Facebook, it said.

Eyemart refers to itself on its website as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), saying that any information it collects from users “will be handled in accordance with the terms of our HIPAA Privacy Statement," which is “required by applicable law to maintain the privacy of your health information,” the complaint said. HIPAA prohibits the knowing and wrongful disclosure of “individually identifiable health information” to a third party, the complaint said.

The plaintiffs allege violations of the Federal Wiretap, the Missouri Wiretap and the Illinois Eavesdropping acts. They also allege intrusion upon seclusion, breach of contract and implied contract. They seek an order of injunctive and declaratory relief, including requiring Eyemart to remove tracking tools from its website and to obtain appropriate consent from tracked users, the complaint said. They also seek statutory damages with prejudgment interest, plus an order of restitution and attorneys’ fees and court costs.