Privacy Class Action Alleges Twilio Intercepts PHI, PII Without Consumers' Consent
Cloud communications platform company Twilio intercepts consumers’ personally identifiable information (PII) and protected health information (PHI), “and related confidential information” without their consent, alleged a privacy class action Friday (docket 4:24-cv-03741) in U.S. District Court for Northern California in Oakland.
Jonathon Perry-Hudson, a San Diego resident, purchased prescription hair loss medication from Keeps.com on May 8, said the complaint. As part of the purchase process, Perry-Hudson answered questions about his physical health. His responses were given to a licensed medical provider who curated a customized treatment plan for him, the complaint said.
When Perry-Hudson filled out a questionnaire for the Keeps.com website, he believed his responses "would only be used to obtain a recommendation for prescription hair growth medication,” the complaint said. He provided “highly sensitive” information to a healthcare provider “for the purpose of obtaining prescription medication,” it said. After placing his order, Perry-Hudson began receiving "targeted advertisements related to hair loss products on Facebook and other internet sites," the complaint alleged. Twilio intercepted Perry-Hudson’s communications without his knowledge, consent or written authorization in violation of the California Information Privacy Act (CIPA), the complaint alleged.
The complaint cited a 2022 Department of Health and Human Services guidance warning on online tracking technologies outlining regulations on third-party tracking tools, such as Twilio’s Segment API. Such tools can be used by healthcare organizations regulated under the Health Insurance Portability and Accountability Act (HIPAA), but those organizations aren't permitted to use the tools in a way that could expose patients’ PHI to tracking technology vendors, it said. “Disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures,” the warning said.
The complaint also cited a July 2022 FTC and DHHS Office for Civil Rights news release sent to 130 healthcare providers cautioning them about privacy and security risks related to the use of online tracking technologies integrated into their websites or apps “that may be impermissibly disclosing consumers’ sensitive personal health data to third parties.” Twilio’s conduct as alleged “is directly contrary to clear pronouncements by the FTC and OCR,” the complaint said. A revision of the bulletin, published March 18, “clarified” that identifying information showing a patient’s visit to a public webpage is a “disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care,” the complaint said.
Once Twilio is integrated into a developer’s website, the Segment API provides the Twilio platform with “customer identification and segmentation” by “collecting and connecting data from other tools and aggregating the data to monitor performance, inform decision-making processes, and create uniquely customized user experiences,” the complaint said.
Keeps.com uses Segment on its website to send its consumers’ PII to Twilio to “assist with Keeps’ marketing, advertising, and analytics efforts,” alleged the complaint. Twilio pitches its Engage personalization platform as a way for its clients to create “unified customer profiles” by taking event data from devices and channels and intelligently merging it into “complete ‘user- or account-level’ profiles,” the complaint said. Through Segment identity resolution, Engage “merges the complete history of each customer into a single profile, no matter where they interact with your business,” the complaint said.
With identity resolution, Twilio associates a user's Google Advertising ID (AAID) with a corresponding persona profile on its platform, the complaint said. Because Twilio assembles information from other sources into a persona profile, the "AAID alone allows Twilio to identify a particular person,” the complaint said. Twilio leverages the profiles to help customers like Keeps.com “enhance their marketing, advertising, and analytics efforts,” it said.
Twilio's Segment API captures patients’ intake questionnaire answers on the website, which includes information about their medical symptoms, and it is able to “identify each patient because the patient’s name is disclosed” by the website during checkout, it said. Since at least May, Keeps.com used Segment on each questionnaire page and checkout process to track users’ responses and send them to Twilio to be analyzed, it alleged. That enables Keeps “to target users with ads based on those answers."
In addition to CIPA violations, the plaintiff asserts an invasion of privacy/intrusion upon seclusion claim. Perry-Hudson seeks for himself and the class an order enjoining Twilio from engaging in the wrongful conduct alleged; an award of actual, consequential, statutory, punitive, and nominal damages; attorneys’ fees and costs; and prejudgment interest.