CONSENT IS (STILL) KING: Court Dismisses ECPA, WESCA, and Invasion of Privacy Claims Against Cigna, Finding Consent in Privacy Notice Dispositive

Add a comment

In a significant win for defendants relying on online consent through privacy notices, Chief Judge Wendy Beetlestone of the Eastern District of Pennsylvania dismissed key privacy claims brought against Cigna, including under the Electronic Communications Privacy Act (ECPA), the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA), and invasion of privacy claims.

In Adair v. Cigna Corporate Services LLC, CIVIL ACTION NO. 25-2384 U.S. District Court for the Eastern District of Pennsylvania, the federal judge significantly narrowed a proposed class action against Cigna in a privacy case where plaintiffs accused Cigna of unlawfully sharing customers’ private health information with third parties through its website and patient portals, and violated ECPA, the WEASCA, as well as common law claims for invasion of privacy, breach of fiduciary duty, and unjust enrichment.

The plaintiffs, five individuals insured through Cigna’s health, dental, or vision plans, brought a class action against Cigna and its subsidiary CCS, alleging that the defendants unlawfully intercepted sensitive personal health information through embedded tracking technologies on their websites and member portals. Specifically, they claimed that third-party tools such as pixels and session replay code captured users’ interactions with both public-facing and authenticated portals, collecting data on mouse movements, clicks, and even keystrokes—enabling Cigna to add new customers and avoid advertising costs.

Chief Judge Wendy Beetlestone delivered a mixed ruling on the defendants’ motion to dismiss. As I will get to in a bit–importantly Judge Beetlestone ultimately dismissed Plaintiff’s ECPA, WESCA, and invasion of pribvacy claims because the plaintiffs had consented to Cigna’s Privacy Notice and Terms of Use, which expressly permitted the use of third-party tracking technologies. The court concluded that consent was dispositive of these claims:

“The unassailable conclusion is that Plaintiffs agreed to Defendants’ Privacy Notice in addition to their Terms of Use, thereby giving Defendants permission to use the third-party tracking technologies. At least as currently alleged and argued, consent is dispositive of Plaintiffs’ ECPA, WESCA, and invasion of privacy claims.”

But first, the court addressed the question of standing and held that the plaintiffs had adequately pled a concrete and particularized injury to sustain their ECPA, WESCA, and intrusion upon seclusion claims. In evaluating the plaintiffs’ claims, the court looked to a TCPA case—Susinno v. Work Out World, where the Third Circuit ruled that even a single unsolicited prerecorded voicemail could constitute a privacy violation. While the court acknowledged that such a call might not meet the standard for a full intrusion upon seclusion claim, it emphasized that the nuisance and disruption of privacy still bore the “same character” as that tort. Drawing on the precedent in Susinno, the court found that this alleged unauthorized tracking of healthcare-related activity is closely analogous to an intrusion upon seclusion, amounting to a concrete, actionable harm under Article III.

The Cigna court also distinguished this case from recent wiretapping lawsuits involving retail sites, noting that the information intercepted here- medical procedures, diagnoses, provider searches was far more sensitive than mere consumer preferences. The court distinguished Cigna from the Third Circuit’s decision in Cook v. GameStop, where the plaintiff’s claims were dismissed because the data collected such as product preferences was not considered private or sensitive. In Cook, the court emphasized that simply browsing a retail website doesn’t create an expectation of privacy, especially where no personal or health-related information is involved. By contrast, the plaintiffs in the Cigna case alleged that tracking technologies captured sensitive medical data from both public and secure, password-protected portals. This included information about health conditions, prescriptions, and provider searches– categories that courts consistently recognize as highly personal. Because health data is entitled to special privacy protections, the court found that this case presented a much more serious intrusion. Unlike Cook, where no meaningful injury was shown, the tracking of medical information here closely mirrors the kind of harm associated with intrusion upon seclusion.

Cigna also argued that the plaintiffs couldn’t claim injury because they had consented to the company’s data collection and sharing practices by agreeing to its policies. In other words, since the tracking was disclosed, no harm was done. But the court rejected this line of reasoning at the motion to dismiss stage, explaining that the issue of consent goes to the merits of the case; not to whether the plaintiffs have standing to sue. Whether the data sharing was legally justified is a separate question from whether a concrete harm occurred. The court emphasized that standing requires only a showing of personal injury, not a resolution of Cigna’s legal defenses. Because the plaintiffs alleged a loss of privacy tied to the interception of sensitive health information, they met the standard for standing under Article III, regardless of whether they ultimately consented to the tracking.

Next, the plaintiffs’ unjust enrichment claim was dismissed without prejudice. The court ruled that while plaintiffs plausibly alleged that their data held commercial value, they did not demonstrate any actual economic loss, either through diminished value of their data or a loss tied to their insurance premiums. Nor did they allege that they intended to sell their information or suffered a measurable “benefit-of-the-bargain” shortfall.

The court also addressed Cigna’s challenge to the plaintiffs’ breach of fiduciary duty claim, which alleged that the company failed to protect the confidentiality of its insureds’ personal health information. Cigna argued that it merely operated a website and member portal, standard commercial activities, that did not create a fiduciary relationship. However, the court made clear that this argument goes to the merits of the case, not the issue of standing.

The court also found that plaintiffs had standing to seek injunctive relief, as some of them continued to use Cigna’s services and would likely be subjected to further data interception.

Next, Cigna invoked consent as a defense to Plaintiffs’ ECPA, WESCA, and intrusion upon seclusion claims, arguing that the plaintiffs had permitted the data collection they now challenge. Plaintiffs countered that consent is a fact-based issue and not appropriate for resolution at the motion to dismiss stage. But the court clarified that, procedurally, it is proper to consider consent in a Rule 12(b)(6) motion when it directly relates to the legal elements or statutory exceptions at issue.

For the intrusion-upon-seclusion claim, consent is relevant to whether there was an “intentional intrusion.” Under Pennsylvania law and Third Circuit precedent, a person cannot intrude where they have permission, so Plaintiffs’ intrusion claim would fail if they gave Cigna permission to track, collect, and, share their data.

For the ECPA and WESCA claims, consent operates not as an element of the claim but as a statutory exception to liability. Both statutes allow interceptions of communications if at least one party to the communication gave prior consent. Courts have consistently found it proper to dismiss wiretapping claims at the pleading stage when the facts alleged clearly trigger these exceptions.

The court held that it was procedurally appropriate for Cigna to raise consent at this stage of the litigation, and then considered whether the plaintiffs’ claims were precluded by their own acknowledgment of the company’s data practices.

Cigna argued that their data collection and sharing practices were fully disclosed in Cigna’s Privacy Notice, which outlines in detail the use of tracking technologies such as cookies, pixels, and session replay tools. The Notice explains that Cigna collects a wide range of personal data including health information, browsing activity, device identifiers, and location data, and may share this information with third-party ad networks, analytics providers, and marketing partners to personalize content, measure advertising performance, and enhance user experience.

Plaintiffs did not deny that these disclosures covered the conduct they are challenging. Instead, they argued that they could not have consented to the tracking because it began immediately upon loading the website, before they had a chance to read or understand the Privacy Notice. The Cigna court found this argument was contradicted by their own allegations. The Amended Complaint clearly stated that Plaintiffs “agreed” to Cigna’s Terms of Use, thereby “enter[ing] into a direct agreement” with the company. They explicitly acknowledged that this agreement was formed by “us[ing] the [w]ebsite,” which is a standard method of assent in digital contracts. The Cigna court noted when a website “offers terms that are disclosed only through a hyperlink and the user manifests assent to those terms simply by continuing to use the website,” that conduct is sufficient to demonstrate agreement. Checchia v. SoLo Funds, Inc., 771 F. Supp.3d 594, 607 (E.D. Pa. 2025) (quoting Berman v. Freedom Fin. Network, 30 F.4th 849, 856 (9th Cir. 2022)).

The court found that the plaintiffs conceded the assent to the Terms of Use, which expressly incorporate the Privacy Notice. Therefore, the unavoidable conclusion was that they agreed not only to the Terms but also to the data collection and sharing practices described in the Privacy Notice—the consent was dispositive of their claims under the ECPA, WESCA, and for intrusion upon seclusion.

Lastly, the court found that Plaintiffs had sufficiently alleged a breach of fiduciary duty to survive dismissal at the pleading stage. The claim was grounded in the assertion that Cigna failed to protect the confidentiality of its insureds’ personal health information, a duty Plaintiffs argue arose from a fact-specific confidential relationship, not merely the insurer-insured dynamic. While Pennsylvania law generally does not recognize fiduciary duties in ordinary insurance relationships, such a duty can arise where one party places justified trust in another who exercises control over sensitive matters. Plaintiffs alleged that by submitting personal medical information through Cigna’s platforms, they ceded control over how that data would be handled, creating such a relationship. The court rejected Cigna’s argument that no fiduciary duty could exist as a matter of law, clarifying that this question is inherently fact-bound. And Cigna’s reliance on prior cases was unpersuasive, as those decisions either involved different factual circumstances or affirmed that a fiduciary relationship could exist with more detailed pleadings. Because Plaintiffs allege more than a routine commercial transaction, claiming that they entrusted Cigna with highly sensitive health data under circumstances creating a power imbalance, the court allowed the breach-of-fiduciary-duty claim to proceed.

Adair v. Cigna underscores the importance of Privacy Notices and consent in digital privacy claims, especially when sensitive health data is involved. As the opinion emphasized, “one cannot intrude when one has permission,” and “consent is dispositive” of the plaintiffs’ claims under the ECPA, WESCA, and for intrusion upon seclusion. Clear disclosures and user assent remain powerful shields against privacy claims. While the plaintiffs raised serious concerns about the unauthorized collection of sensitive health data, the court ultimately found that consent through use of the website and agreement to the Terms of Use was a critical factor that undercut many of plainitffs’ claims. Because Cigna’s Privacy Notice clearly disclosed the use of tracking technologies and third-party data sharing, and plaintiffs acknowledged agreeing to those terms, the court concluded that the conduct was permitted. Still, it also raises questions about what meaningful consent looks like in practice, especially when sensitive information is involved. As courts continue to evaluate these issues, companies should ensure that their data practices and the way they communicate them  are clearly presented enough to count as valid user consent.

At this year’s Law Conference of Champions, we’ll be taking a deeper dive into how to structure and obtain valid user consent through privacy notices, terms of use, and cookie banners. We’ll also be breaking down the year’s most significant privacy and CIPA cases—examining what worked, what failed, and what’s coming next in privacy litigation.  

You won’t want to miss out!

Unknown's avatar

Published by Puja "Queenie" Amin

Puja J. Amin is the Queenie and co-founder of TCPAWorld. Other than the Czar, Queenie is probably the best known TCPA lawyer on the planet. Queenie cannot be stopped. One of the best known names in the marketing legal world, she has vast experience defending and counseling businesses on consumer protection laws including the TCPA, CIPA, FCRA and a host of privacy-related statutes. She has provided legal oversight on an enterprise basis to major direct-to-consumer brands and defended some of the largest companies in the nation in major federal court litigation--earning her the title of "Queenie" of the TCPA. She's also a 10+ times Trifecta finisher and international Spartan Race qualifier, who commonly competes in "Ultra" endurance challenges.

Leave a comment