Skip to Content
Client Payment

Events In the News

United Healthcare Defeats Website Tracking Suit

on Tuesday, 28 April 2026 in Health Law Alert: Kristin N. Lindgren, Editor

On March 31, 2026, United Healthcare (“UHC”) successfully moved to dismiss a class action arising from its purported use of third-party tracking technologies on its website. We’ve previously discussed automated tracking on websites, such as by using cookies, pixels, etc., in connection with “trap-and-trace” laws, including at our Health Law Forum. Generally speaking, there have been a notable number of cases filed, and demands made relating to the use of automated tracking technologies on websites without consent (i.e., a cookie banner).

In Magliocca v. United Healthcare Services, Inc., Joanne Magliocca and other putative class members (“Plaintiff”) claimed that UHC website’s use of third-party trackers violated the California Invasion of Privacy Act (“CIPA”), the federal Electronic Communications Privacy Act (“ECPA”), the California Computer Data Access and Fraud Act (“CDAFA”), and the California Constitution.[1] The underlying allegation being that UHC’s use of third-party tracking technologies was an “invasion of privacy.”[2] Ultimately, however, the court found the Plaintiff lacked standing to bring a claim under the cited statutes as Plaintiff failed to allege a concrete injury.

In its analysis of what the Plaintiff would have been required to claim to allege a concrete injury under the cited statutes, the court parsed through recent case law, including Popa v. Microsoft Corporation, 153 F.4th 784 (9th Cir. 2025). In Popa, the Ninth Circuit determined that the information collected was made up of standard website interaction data, such as “mouse movements, clicks, keystrokes, URLs of pages visited, and/or other electronic communications,” and the monitoring was “most similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales,” rather than information that was embarrassing, invasive or otherwise private.[3] Conversely, had the collected information included embarrassing, invasive, or otherwise private information the Ninth Circuit may have been persuaded that that the interferences or disclosures were ‘highly offensive’ and actionable under the common law.

In Magliocca, the court identified case law in which this heightened category of information has been identified, including the following examples:

  • Sensitive, personally revealing information gathered across the internet and over a significant period of time;
  • Sensitive information like health status and treatment, travel plans, political affiliation, sexual orientation; and
  • The tracking of individuals’ activity across thousands of websites, combined with extensive offline records gathered over decades, to generate uniquely identifying profiles.[4]

The above list is not exhaustive of all potential examples of information that rise to the level of concrete injury, but it does provide general guidance that entities should be on alert for in connection with its use of third-party tracking technologies.

Regardless of the outcome, it is a good reminder to monitor the type of information that is being collected on your website and to have a cookie banner in place if cookies, pixels, or other tracking technologies are being used to collect such information. Plaintiff has the opportunity to amend the complaint, so we will continue to monitor and provide information regarding any significant updates.

Halle A. Hayhurst

[1] Magliocca v. United Healthcare Services, Inc., No. 2:25-cv-3388 WBS SCR, (E.D. Cal. 3/31/2026).

[2] Id. at 3.

[3] Popa, 153 F.4th at 795.

[4] Magliocca, No. 2:25-cv-3388 WBS SCR at 8-9.

back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design