Can you remember the last time you were able to get your prescription medication from the drug store without giving your name, home address and/or date of birth? What about having the drug store expense the cost of the medication to your insurance provider without asking for your personally identifiable information (“PII”)? Are all drug stores in breach of consumer privacy rights because their employees have access to their customer’s PII?! Plaintiffs argued exactly that in a recently dismissed case from the District of South Carolina, Charleston Division.
In J.R. v. Walgreens Boots All., Inc., No. 2:19-cv-00446-DCN, 2020 U.S. Dist. LEXIS 116596 (D.S.C. July 2, 2020), plaintiffs argued that Walgreens allegedly violated their privacy rights by unlawfully using, disclosing, and disseminating plaintiffs’ PII through Walgreens’s 340B Complete® services (“340B Complete”). According to the complaint, the employees in Walgreens’s 340B Complete department, had unauthorized and unconsented access to pharmacy customers’ PII.
The Court denied plaintiffs’ preliminary injunction. After appealing the denial order, plaintiffs filed a 56-page, 280-paragraph amended complaint alleging: (1) invasion of privacy: wrongful appropriation; (2) invasion of privacy: wrongful publicizing of private affairs; (3) violation of the Fair Credit Reporting Act (“FCRA”); (4) negligence per se based on violations of FCRA, the Health Insurance Portability and Accountability Act (“HIPAA”), and the Federal Trade Commission Act (“FTCA”); (5) negligence per se based on violations of PIPA; (6) breach of contract; (7) declaratory relief pursuant to 28 U.S.C. § 2201; (8) negligence based on professional standards; (9) negligence based on PPA; (10) respondeat superior; (11) negligent training and supervision; and (12) unjust enrichment. Walgreens filed a motion to dismiss the amended complaint on grounds that each cause of action failed to state a claim upon which relief could be granted, and also moved to dismiss co-defendant Walgreens Boots Alliance, Inc. for lack of personal jurisdiction. The Court granted Walgreen’s motion in its ENTIRETY – a sweeping defense victory!
And although the Court’s ruling on each count deserves its separate recognition, the Court’s analysis on the alleged privacy violations was particularly interesting for those of us at ConsumerPrivacyWorld.
Let’s break it down.
(1) Invasion of Privacy: Wrongful Appropriation
Unlike a handful of states, South Carolina does not have a specific consumer data privacy statue yet (though it does have specific laws related to medical andhealth privacy that were not at issue in this case.) Under South Carolina’s common law tort, there are three separate and distinct causes of action which can be brought under invasion of privacy: 1) wrongful appropriation of personality; 2) wrongful publicizing of private affairs; and 3) wrongful intrusion into private affairs. South Carolina courts have also made it clear that while publicity is not explicitly stated as an element per se, it is still a fundamental requirement of the cause of action of wrongful appropriation of personality. In other words, publicity is required in a wrongful appropriation of personality claim. In their opposition, plaintiffs cited a law review article arguing that appropriation does not depend upon publicity, but plaintiffs were not able to cite to any case law to suggest that this view was adopted by any South Carolina court, and the Court was not impressed or interested in the argument.
Plaintiffs also tried arguing that Walgreen’s publicized their information by transferring it from the pharmacy to their internal database, which is “used as an information highway for other corporate-wide, non-pharmacy business units (including 340B Complete) to access.” This argument did not fly either. The court pointed the the Supreme Court of South Carolina’s definition of publicity “as making the matter public ‘by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.’” Thus, the fact that other Walgreen employees had access to plaintiffs’ PII did not mean that plaintiffs’ PII was being communicated to the public at large.
And since plaintiffs were unable to sufficiently plead that Walgreen’s was “publicizing” plaintiffs’ PII, their claim could not survive. Simple enough? We thought so to.
(2) Invasion of Privacy: Wrongful Publicizing of Private Affairs
Plaintiff’s second cause of action alleged that Walgreen’s unlawfully disseminated plaintiffs information through an unsecure platform where unauthorized persons and other Walgreens’ departments, divisions, and/or units had access to their PII. Citing to the Supreme Court of South Carolina, the Court stated, “the relevant distinction between publication and publicity has to do with private versus public communication, not the size of the audience… just because plaintiffs’ PII may be accessed within Walgreen by Walgreen employees does not mean it is distributed or made available to the public, which is a requirement of wrongful publicizing of private affairs claim.” (Emphasis added.)
With the recent surge in breach of privacy lawsuits and the growing body of new privacy statutes, this case was a refreshing reminder that not all companies in possession of PII are breaching privacy laws. PII is essential to many businesses, and proper use of consumer PII is not as rare as some headlines make it seem.