Summary: Medical spas face heightened legal risks when implementing appointment scheduling features on their websites, particularly when combined with tracking technologies, such as pixels and cookies. 

2023 Intensified Legal Action

In 2023, there was a significant increase in the number of class action lawsuits filed against companies for privacy law violations. These legal actions primarily focused on the misuse of online tracking technologies, including pixels and cookies, which shared user information with third parties without the user’s knowledge or consent. In addition to these large lawsuits, numerous government enforcement actions and private arbitration proceedings were launched to combat these violations. Businesses across various sectors faced significant penalties, reputational damages, and litigation costs.

2024 Developments

The trend of increased litigation for privacy violations continued throughout 2024 under the federal and state privacy laws already in effect. Throughout the year, additional states enacted comprehensive online privacy laws, imposing stricter requirements on businesses for the collection, storage, and sharing of personal data. While these laws share similar goals, each has distinct features and compliance rules.

2025 Eye-Opener for Medical Spas

A newly filed lawsuit addressing privacy violations within the medspa industry, Rusow v. SkinSpirit Essential LLC, highlights the unique risks faced by medspas incorporating appointment booking functions into their websites alongside tracking technologies. The lawsuit seeks more than $5 million in damages, alleging that:

  1. LinkedIn users entering the SkinSpirit website were tracked by the LinkedIn Insight Tag (aka LinkedIn Pixel) without their knowledge or consent, even if their browsers were set to block third-party cookies.
  2. When those users scheduled SkinSpirit consultations, they were making medical appointments at a medical clinic for medical procedures with medical professionals. 
  3. Without the knowledge or consent of those users, their personally identifiable information, protected health information, and other confidential information were shared with LinkedIn.
  4. LinkedIn used the data improperly shared by SkinSpirit to serve targeted advertisements to LinkedIn account holders and users by matching their identities. 
  5. The improperly shared data can be further analyzed to make conclusions about LinkedIn account holders and users such as their physical appearance and their health history.

Specifically, the complaint alleges that the following user data was improperly handled:

  • The state where the appointment would take place 
  • The type of procedure the users were interested in
  • The specific procedure the users wanted to have done
  • The reason for the procedure 
  • The provider preferred by the users
  • The day and time of the appointment
  • Which pages the user viewed on the SkinSpirit website
  • Which selections the user made on the SkinSpirit website 

As a result, the complaint alleges that SkinSpirit violated the Electronic Communications Privacy Act (18 U.S.C. § 2511), the California Invasion of Privacy Act (Cal. Penal Code § 631), the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56.10), California’s Constitution, and the Health Insurance Portability and Accountability Act (HIPAA, 42 U.S.C. § 1320d). The complaint also seeks class action status.

The Path Forward

To avoid legal pitfalls, seek legal counsel to review your privacy policies and practices. A thorough legal assessment can help identify potential risks and provide guidance on compliance. At Lengea Law, we are dedicated to helping you navigate the complex legal landscape specific to medical spas and other healthcare practices.