IAB filed an amicus brief on April 10, 2026, at Washington's Supreme Court arguing that applying the state's 1967 wiretapping law to routine browser-to-server interactions would threaten digital advertising measurement and basic website operations.
The Interactive Advertising Bureau filed an amicus brief today with the Washington Supreme Court in Baker v. Seattle Children's Hospital, a case that could determine whether routine browser-to-server interactions on public websites fall within the reach of a state wiretapping statute enacted in 1967. The brief, submitted on April 10, 2026, at 2:47 PM by Orrick, Herrington & Sutcliffe LLP on behalf of IAB, positions the trade organization squarely alongside the hospital and against a reading of the Washington Privacy Act that the IAB says would expose ordinary website analytics and ad measurement to potential civil and criminal liability.
The case began in October 2023, when three plaintiffs - Carly Baker, Janssen Ramos Savoie, and Amber Shavies - filed a putative class action against Seattle Children's Hospital (SCH). According to the court record, SCH deployed Meta Platforms' "Pixel" software code on its public website at www.seattlechildrens.org, a site that allows visitors to search for information about medical conditions, health care providers, and services. The plaintiffs alleged that Pixel intercepted their website activity in violation of RCW 9.73.030(1)(a), Washington's privacy act, without their consent.
According to the Washington Court of Appeals opinion filed August 18, 2025, Pixel is designed to track website user activity by capturing how visitors interact with the website, "including clicks, text searches, page views, and the webpage addresses that the user visits." SCH used the collected information to support its advertising efforts. The technology also shares tracked data with Meta. When a user is logged into Facebook while visiting SCH's website, according to the opinion, "Pixel sends third-party cookies to Meta," allowing Meta to link activity data to the user's unique Facebook account. Even without a Facebook account, Pixel transmits activity to Meta with a unique identifier that can be linked to a current or later-created account, the complaint alleged, after which Meta can use that information for its own targeted advertising.
Each of the three named plaintiffs had a Facebook or Instagram account when they used SCH's public website. Baker used the site to search for medical conditions and symptoms for her minor daughter, including using the website's search bar and conditions webpage. Savoie searched for medical conditions, symptoms, and health care providers for her minor son using the search bar and the "Find A Doctor" page. Shavies searched for operating hours for urgent care facilities. Some plaintiffs recalled receiving health-related advertisements on Facebook after using SCH's website, the complaint stated.
SCH was not silent about the use of cookies. According to the Court of Appeals opinion, a pop-up appearing upon navigating to the site stated: "By clicking 'Accept All Cookies,' you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in marketing efforts." The plaintiffs' position was that this disclosure was insufficient, and that SCH had secretly intercepted and recorded sensitive health information in violation of the privacy act.
Washington's privacy act, chapter 9.73 RCW, is described in the Court of Appeals opinion as "one of the most restrictive electronic surveillance laws in the nation." The statute makes it unlawful to intercept or record any private communication transmitted by telephone, telegraph, radio, or other device between two or more individuals without first obtaining the consent of all participants. Violation can result in both civil and criminal liability under RCW 9.73.060 and .080.
The core legal question is whether click-and-search activity on a public website constitutes "private communication" under that statute. In January 2024, SCH moved to dismiss under CR 12(b)(6) for failure to state a claim. After a February 2024 hearing, the trial court granted the motion and dismissed the complaint with prejudice. The plaintiffs then appealed. On August 18, 2025, the Washington Court of Appeals, Division One, affirmed the dismissal in an unpublished opinion authored by Judge Coburn.
The Court of Appeals relied on the Washington Supreme Court's definition of "communication" established in State v. Riley, 121 Wn.2d 22 (1993): the act of imparting or transmitting facts or information. Applying that definition, the court concluded that the plaintiffs did not allege they navigated SCH's website to transmit a message to or exchange information with another party. Rather, according to the opinion, "they merely allege to have clicked and entered search terms to retrieve publicly displayed information and webpages." The court distinguished this from the "back-and-forth" text messaging the Supreme Court found plainly protected in State v. Roden, 179 Wn.2d 893 (2014). Because the alleged interception "did not affect other parties or involve multiple invasions of privacy," the Court of Appeals concluded the claim must fail.
The court explicitly limited its holding: "We confine our holding to the facts of this case and decide that the plaintiffs' alleged click-and-search navigation of SCH's public website does not fall within the statutory prohibition of RCW 9.73.030(1)(a)."
With the case now before the Washington Supreme Court under case number 1045905, the IAB entered the proceedings on April 10, 2026, filing a 2,726-word amicus brief through Orrick. The counsel team included Marc R. Shapiro, Christopher J. Cariello, and Ned Hirschfeld from Orrick's New York office at 51 West 52nd Street, alongside Robert M. McKenna and Aravind Swaminathan from the Seattle office at 401 Union Street, and Ian Hawkes from the Washington, DC office at 2100 Pennsylvania Avenue NW.
Michael Hahn, EVP and General Counsel at IAB, announced the filing on LinkedIn, writing that the brief explains "why an overbroad interpretation of the Washington Privacy Act - one that treats routine browser-to-server interactions as 'private communications' - would have sweeping and unintended consequences."
The technical substance of IAB's brief centers on the HTTP request-response cycle that underlies every website visit. According to the brief, the interaction at issue - "a browser's GET request followed by a server's HTTP response, formatted as packets for transmission - is how any computer accesses any information on any website." The brief describes this as "the foundation of the World Wide Web." A GET request, the brief explains, is the type of HTTP request that retrieves data from the server, such as loading a webpage. The server then responds with an HTTP response containing specific bits of code.
IAB argues that the plaintiffs' reading of the statute would mean that "every time anyone visits any website for any reason, they engage in a private communication with another individual (the website's server) under the WPA," potentially exposing websites to liability for collecting data necessary to form an internet connection.
The brief draws a sharp distinction between the plaintiffs' activity and the kind of person-to-person exchange the statute was designed to protect. According to the IAB brief, a Voice Over Internet Protocol call, messaging application exchange, or live website chat - all of these "involve two people communicating, and the WPA protects their privacy." But a browser accessing publicly posted content "is an automated interaction between devices, not an exchange between individuals."
The brief outlines several categories of routine website operations that would be affected by the plaintiffs' reading of the statute. Website operators, it argues, analyze records of user connections to fix technological problems, troubleshoot complaints, assess and address security concerns, and analyze content popularity. These functions require recording basic data about user connections. Under the plaintiffs' reading, all of that would constitute the interception of private communications.
Critically for the marketing community, the brief identifies ad measurement as a specific casualty of an expansive ruling. According to the IAB brief, "websites must record and transmit to measurement vendors basic technical information about whether users view or click on an advertisement in order to quantify its reach." Advertisers, the brief states, "demand that sort of measurement and would not pay for advertisements without it." The brief contends that even the simplest such data collection could be disrupted by the plaintiffs' reading of the WPA.
The IAB also raises concerns about the consent workaround. Even if user consent remained a statutory defense, the brief argues it would be "plainly unworkable for website operators to secure consumer consent for every single packet transmission that facilitates internet connectivity." The analogy it draws is to telephone operators, who could not feasibly seek consumer consent for every electromechanical signal that facilitates a phone call. Recording GET requests, the brief states, "is the technological architecture of the internet."
The IAB brief also presents a statutory history argument. According to the brief, the Washington Privacy Act was enacted in 1967 to regulate wiretapping of telephone communications between callers. The Legislature subsequently made four rounds of narrow amendments: in 1977, adding one-party consent exceptions for emergencies, extortion threats, and anonymous calls; in 1985, adding an exception for hostage and barricade situations; in 1986, expanding the emergency exception to include medical emergencies and adding emergency service personnel; and in 2001, addressing electronic recording of custodial interrogations. None of these amendments entailed any discussion of regulating the internet, the brief states.
The IAB contrasts this history with the Washington Legislature's more recent, targeted approach to internet privacy through statutes like the My Health My Data Act, chapter 19.373 RCW. That law, according to the brief, recognizes that apps and websites may collect health information over the internet and requires "additional disclosures and consumer consent regarding the collection, sharing, and use of such information." Critically, it requires consent for sharing in many circumstances, but not where companies use data as "necessary to provide a product or service that the consumer to whom such consumer health data relates has requested" under RCW 19.373.030(1)(b). The IAB brief argues this kind of targeted, manageable consent requirement is workable precisely because it applies to select transmissions, not every GET request.
The IAB Diligence Platform, launched in August 2024 by IAB to help the industry navigate the growing complexity of state privacy laws, reflects the context in which this case arrives. As of the start of 2025, fourteen US state privacy laws were enforceable, with more anticipated throughout the year. The IAB Tech Lab's Accountability Platform, finalized in November 2024, established a framework specifically for validating user preference signals across the digital advertising ecosystem.
The Baker case sits in a different legal category than those consent frameworks - it concerns whether a decades-old wiretapping law, rather than a modern privacy statute, applies to the basic mechanics of how websites serve content. But a ruling in the plaintiffs' favor at the Washington Supreme Court level would extend far beyond healthcare websites. Any site using analytics tools, pixel tracking, A/B testing, performance monitoring, or ad measurement - all of which rely on recording browser-server interactions - would potentially face exposure.
Germany's wave of litigation against Meta's tracking practices has proceeded under GDPR's framework, where data protection law explicitly governs these interactions. The Washington case is different: it asks whether a pre-internet wiretapping statute can be stretched to reach the same conduct. The Thuringia Higher Regional Court awarded €3,000 in damages against Meta on March 2, 2026, finding that Meta's Business Tools - including Pixel - collected data without valid consent. That ruling, however, rested on Article 9 GDPR and the specific protections for sensitive health data under European law, not on an analogy to wiretapping statutes.
Washington has also been active on digital advertising regulation in other respects. Washington State enacted a sales tax on advertising services in 2025, positioning itself as the first state to comprehensively tax digital advertising services. And Washington's Supreme Court is simultaneously considering a separate case in which the Digital Advertising Alliance filed an amicus brief in September 2025 defending a digital advertising company facing a $35 million fine for alleged violations of the state's Fair Campaign Practices Act.
For the ad tech industry, the Baker case represents a specific and pointed risk: that ad measurement infrastructure - the basic mechanism of recording whether a user saw or clicked an advertisement - could be characterized as wiretapping under state law. The IAB brief is direct about this, arguing that the plaintiffs' construction "could unduly chill those economic frameworks for freely available, diverse internet content." Advertising revenue, the brief notes, "is the lifeblood of countless small-scale publishers across the internet, enabling them to make content freely available to consumers."
The Washington Supreme Court accepted the case for review on January 8, 2026. No oral argument date has been publicly announced.
Who: The Interactive Advertising Bureau (IAB), as amicus curiae, in the case of Carly Baker, Janssen Ramos Savoie, and Amber Shavies v. Seattle Children's Hospital, with Orrick, Herrington & Sutcliffe LLP serving as counsel.
What: IAB filed a 24-page amicus brief with the Washington Supreme Court arguing that the state's 1967 Privacy Act, which prohibits intercepting private communications between individuals, should not be extended to cover routine browser-to-server HTTP request and response interactions that underlie all website access - including the pixel trackingand ad measurement functions central to the digital advertising industry.
When: The amicus brief was filed on April 10, 2026, at 2:47 PM. The original class action was filed in October 2023. The Court of Appeals issued its unpublished affirmance on August 18, 2025.
Where: Washington Supreme Court, case number 1045905. The underlying events involved the public website www.seattlechildrens.org, owned and operated by Seattle Children's Hospital, a Washington nonprofit corporation.
Why: IAB intervened because a ruling adopting the plaintiffs' reading of the Washington Privacy Act would expose websites across the state to potential civil and criminal liability for recording the basic HTTP packet transmissions that enable any internet connection - a result the brief argues would threaten analytics, security functions, performance monitoring, and the ad measurement infrastructure on which digital advertising depends.
