Massachusetts Federal Court Dismisses Adtech ECPA Class Action For Failure To Allege Defendants Purposefully Committed A Criminal Act, Furthering Split Of Authority

Duane Morris Takeaways: On March 6, 2026, in Progin v. UMass Memorial Health Care, Inc., No. 25-CV-40003, 2026 U.S. Dist. LEXIS 46522 (D. Mass. Mar. 6, 2026), Judge Allison D. Burroughs of the U.S. District Court for the District of Massachusetts granted a motion to dismiss a class action complaint brought by website users against Massachusetts health care and hospital entities. Plaintiffs alleged that the defendants' use of website advertising technology ("adtech") violated the federal Wiretap Act, also known as the Electronic Communications Privacy Act ("ECPA"). Following another similar ruling in the same court, see Goulart v. Cape Cod Healthcare, Inc., 2025 U.S. Dist. LEXIS 119435 (D. Mass. June 24, 2025), the decision is significant because it reflects the Massachusetts Federal court's alignment with other federal courts (including the U.S. District Court for the Southern District of Texas, as we blogged about here) that have interpreted the ECPA in a defense-friendly manner. In contrast, courts in other jurisdictions (including Illinois Federal courts, as we blogged about here) have adopted more plaintiff-friendly interpretations, further deepening the emerging split of authority in adtech privacy litigation.

Background

Progin is one of a legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in websites secretly captured plaintiffs' web-browsing data and transmitted that data to Meta, Google, and other online advertising agencies and data analytics companies.

In these adtech and similar internet-based technology class actions, plaintiffs frequently rely on the ECPA's statutory damages provision. Their theory is simple: multiply the number of website visitors – potentially hundreds of thousands – by $10,000 in statutory damages per claimant to produce enormous potential exposure. Although plaintiffs have filed a majority of these lawsuits to date against healthcare providers, they have filed suits against companies that span nearly every industry including education, retailers, and consumer products. Some of these cases have resulted in multimillion-dollar settlements, while others have been dismissed at the pleading stage (as we blogged about here) or the summary judgment stage (as we blogged about here), and the vast majority remain undecided.

In Progin, the plaintiffs sued a group of health care and hospital entities, seeking to represent a class of patients whose personal health information was allegedly disclosed by the Meta Pixel installed on defendants' websites. The plaintiffs claimed that these alleged transmissions constituted an "interception" by defendants in violation of the ECPA.

Under the ECPA, a "party to the communication" generally cannot be sued unless it intercepted the communication "for the purpose of committing any criminal or tortious act." 18 U.S.C. § 2511(2)(d). This provision is commonly referred to as the "crime-tort exception."

Plaintiffs argued that alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) served as the predicate crime to trigger this exception. Specifically, plaintiffs argued that defendants were liable under the crime-tort exception because they intercepted and disclosed plaintiffs' communications and personal information to third parties without consent in violation of HIPAA. 2026 U.S. Dist. LEXIS 46522, at *11.

The defendants moved to dismiss, arguing that the crime-tort exception did not apply because they did not install the Meta Pixel "for the distinct purpose of violating HIPAA or perpetrating a tort." Id. at *11-12.

The Court's Decision

The Court agreed with defendants and granted their motion to dismiss, holding that the amended complaint's allegations "do not support the inference that Defendants purposefully committed the 'criminal and tortious acts' specified by Plaintiffs." Id. at *13-14.

As the Court explained, based on the alleged predicate acts, plaintiffs were required to plausibly allege that defendants "purposefully used or caused to be used" plaintiffs' unique health identifiers without authorization; "purposefully disclosed" plaintiffs' individually identifiable health information to Facebook or Google without authorization; or "purposefully invaded" plaintiffs' privacy. Id. at *12-13.

Importantly, the Court emphasized that merely alleging that defendants knowingly committed such acts is insufficient because "'purpose' is an essential element of ECPA, distinct from the minimal intent [of knowingness] required under HIPAA." Id. at *13 (quoting Doe v. Lawrence Gen. Hosp., 2025 U.S. Dist. LEXIS 195964, at *32 (D. Mass. Aug. 29, 2025)). The Court further explained that "[i]t is not enough that a crime or tort [may have been] a . . . side effect of the interception." Id. at *14 (quoting Doe, 2025 U.S. Dist. LEXIS 195964, at *30).

Implications For Companies

The decision in Progin is a big win for healthcare providers and other defendants facing adtech class actions. This ruling reinforces a critical principle in ECPA and other privacy-based litigation: the defendants' state of mind matters.

Under the ECPA's HIPAA-based crime-tort exception, as well as under similar privacy statutes such as the Video Privacy Protection Act ("VPPA"), liability depends on the defendant's knowledge and purpose. Where a defendant lacks knowledge that transmitted data is tied to specific individuals, or lacks the purpose to disclose identifiable information, the statutory requirements for liability may not be satisfied.

Accordingly, Progin provides strong authority for defendants to argue that routine adtech data transmissions cannot satisfy the purposeful intent requirements of the ECPA's HIPAA-based crime-tort exception or similarly worded privacy statutes – a position that may prove critical as courts continue to confront the growing wave of adtech privacy class actions.