Dark Arrow Left
All Articles
US Privacy Laws

Why Headway was sued for sharing personal data with Google Analytics

privacymatters
PrivadoHQ
Headway CCPA lawsuit
Prashant Mahajan
October 25, 2024
IN THIS ARTICLE
SHARE ARTICLE

https://www.privado.ai/post/why-headway-was-sued-for-sharing-personal-data-with-google-analytics

🎉 Link Copied
Share Article on Linkedin
Share Article on Twitter
Share Article on Facebook

In September of 2024, a court let a CCPA lawsuit proceed against Headway for sharing personal data with Google Analytics. Why is this so significant? 

CCPA lawsuits to date regarding personal data sharing have been limited to sharing for advertising purposes, and this case is about website analytics, not advertising. 

Nearly every website uses an analytics tool like Google Analytics to measure and optimize website performance. In the US, personal data is typically shared with web analytics tools by default to improve measurement because the CCPA “Do Not Sell or Share” rule primarily applies to sharing for advertising purposes. 

In the class-action lawsuit against Headway, the courts are evaluating another CCPA restriction: properly encrypting or redacting personal data shared with a third party. 

The lawsuit alleges that because Headway, a web-based service for finding mental health therapists, did not utilize Google Analytics’s IP address anonymization feature, they exposed sensitive medical information to Google that can be directly linked to an individual. Additionally, they found this data sharing conflicts with Headway's privacy policy that states personal data will only be shared with partners related to delivering its mental health services. 

The Key Takeaway

To avoid CCPA lawsuits, privacy teams need to monitor personal data shared with any third party, not just advertising partners. 

Today, most privacy teams lack the visibility to sufficiently govern how personal data is processed. To mitigate risk at scale, privacy teams need a solution like Privado that tracks the flow of personal data across their tech stack and automatically alerts stakeholders of potential risks before privacy violations occur.  

Timeline of the Lawsuit

  1. July 6, 2023: An individual known as M.G. filed a class-action lawsuit against TherapyMatch, Inc. (operating as Headway) in the Superior Court of California. The lawsuit alleged that TherapyMatch shared users' sensitive mental health data with Google without obtaining proper consent or maintaining reasonable security measures. 
  2. August 25, 2023: TherapyMatch moved the case to federal court under the Class Action Fairness Act.
  3. October 3, 2023: M.G. filed an amended complaint with six causes of action, including violations of California privacy laws such as the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).
  4. November 2, 2023: TherapyMatch filed a motion to dismiss the lawsuit.
  5. September 16, 2024: The court granted in part and denied in part the motion to dismiss, allowing the CCPA claims to proceed while dismissing others.

Step-by-Step Breakdown of What Happened

  1. Use of Tracking Tools: TherapyMatch embedded Google Analytics code into their website to monitor user activity.
  2. Collection of Sensitive Data: Users searching for mental health services provided personal information, including names, contact details, insurance information, and specific mental health conditions they wanted to address.
  3. Data Sharing with Google: The embedded Google Analytics code transmitted this sensitive information to Google, potentially without users' knowledge or consent.
  4. Lack of User Consent: TherapyMatch did not adequately inform users that their personal and medical information might be shared with third parties like Google.
  5. No Anonymization Measures: TherapyMatch did not enable features like IP anonymization, which could have protected users' identities.
  6. Inadequate Privacy Policy: The company's privacy policy did not fully disclose the extent of data sharing, possibly misleading users about how their information was handled.
  7. Legal Action Initiated: As a result of these actions, TherapyMatch faced allegations of violating several privacy laws, leading to the class-action lawsuit.

Court's Decisions on the Claims

Claims Allowed to Proceed

Violation of the California Consumer Privacy Act (CCPA):

The claim under Section 1798.150, which allows consumers to sue businesses that fail to implement reasonable security measures when disclosing personal data, was permitted to proceed.

Violation of the California Invasion of Privacy Act (CIPA):

  • Unlawful Interception (§ 631): The court found sufficient allegations that TherapyMatch aided and abetted the interception of users' communications without consent.
  • Unlawful Recording and Eavesdropping (§ 632): The court agreed that users had a reasonable expectation of privacy when entering sensitive health information, allowing this claim to move forward.
  • Invasion of Privacy under the California Constitution: The court recognized that the alleged unauthorized disclosure of sensitive mental health information could constitute a serious invasion of privacy.

Claims Dismissed (with Opportunity to Amend)

Violation of the Confidentiality of Medical Information Act (CMIA):

Dismissed due to insufficient details about the specific medical information disclosed. The plaintiff was given the opportunity to amend the complaint with more specifics.

Aiding and Abetting CMIA Violation:

Dismissed along with the primary CMIA claim, with the option to amend.

Claims Dismissed

Certain CCPA Claims

Claims under Sections 1798.100(e) and 1798.81.5(b) were dismissed because the CCPA limits private rights of action to specific provisions.

Essential Steps for Businesses to Protect User Privacy

In light of the Headway lawsuit, it's crucial for businesses to take proactive measures to safeguard user data. Here are key actions you should focus on:

  1. Ensure Your Consent Banner Functions Properly
    • Implement Clear Consent Mechanisms: Deploy a consent banner on your website and mobile apps that clearly informs users about data collection and usage practices.
    • Obtain Explicit Consent: The banner should require users to actively agree (e.g., clicking an "Accept" button) before any personal data is collected or shared.
    • Regularly Test Functionality: Periodically check that the consent banner is working as intended across all devices and browsers.
    • Respect User Preferences: Ensure that user choices are properly recorded and that no tracking occurs if a user declines consent.
  2. Configure Tag Managers Accurately
    • Review Tag Settings: Ensure that tag managers (like Google Tag Manager) are set up to fire tags only after obtaining user consent.
    • Control Third-Party Scripts: Monitor and manage all third-party scripts to prevent unauthorized data collection.
    • Implement Consent Management Platforms (CMPs): Integrate CMPs with your tag manager to automate the enforcement of user consent preferences.
    • Limit Data Access: Restrict who can add or modify tags to prevent unauthorized changes that could compromise user privacy.
  3. Set Up Analytical Tools with Privacy in Mind
    • Enable Privacy Features: Use features like IP anonymization in analytics tools to prevent the collection of identifiable user information.
    • Customize Data Collection: Adjust settings to collect only the data necessary for your purposes, minimizing exposure of sensitive information.
    • Regularly Update Configurations: Stay informed about updates to analytical tools and adjust your settings to maintain compliance with privacy laws.
    • Audit Data Retention Policies: Define how long data is stored and ensure it aligns with legal requirements and user expectations.
  4. Continuously Scan Websites and Mobile Apps
    • Automate Scanning Processes: Utilize automated tools to regularly scan your websites and apps for privacy and compliance issues.
    • Identify Unauthorized Data Sharing: Detect any unintended data transmissions to third parties, especially involving sensitive information.
    • Monitor Compliance with Regulations: Keep abreast of changes in privacy laws and ensure your platforms comply with all relevant regulations.
    • Conduct Security Audits: Perform regular security assessments to identify and mitigate vulnerabilities that could lead to data breaches.

How Privado Can Help

At Privado, we offer solutions designed to help businesses preserve user privacy and ensure compliance with data protection laws. Our platform can:

  • Scan Websites and Mobile Applications: Continuously monitor your digital assets to check for consent issues and unauthorized third-party data sharing.
  • Verify Consent Mechanisms: Assess your consent banners and mechanisms to ensure they function properly and comply with legal requirements.
  • Analyze Tag Managers and Analytics Configurations: Audit configuration of tag managers and analytical tools to prevent unauthorized data sharing
  • Provide Actionable Insights: Receive detailed reports highlighting areas of risk and recommendations for improving your privacy practices.

Request a Free Website Audit

Take the first step toward enhanced data privacy by requesting a free audit of your website. Click here to sign up for a comprehensive evaluation of your current privacy practices.

Headway CCPA lawsuit
Posted by
Prashant Mahajan
in
US Privacy Laws
on
October 25, 2024

Prashant is the CTO & Founder of Privado

Continue Reading

Company News

The State of Website Privacy Report 2024
Ben Werner
Product Marketing Manager, Privado

Privacy Engineering

Learning from big tech: Why Meta invested heavily in privacy code scanning
Ben Werner
Product Marketing Manager, Privado

Company News

Calling All Privacy Experts: Speak at Bridge Summit 2025
Ben Werner
Product Marketing Manager, Privado
View All Resources

Subscribe to our email list

Thank you for subscribing, we have sent a confirmation email to your inbox.
Oops! Something went wrong while submitting the form.