The United States District Court for the Southern District of Iowa has dismissed on sovereign immunity grounds a putative class action against the University of Iowa Hospitals and Clinics (“UIHC”) for unjust enrichment and violations of the Electronic Communications Privacy Act and Computer Fraud and Abuse Act.  See Yeisley v. Univ. of Iowa Hosps. & Clinics, No. 3:23-cv-00025 (S.D. Iowa Feb. 16, 2024) (unpublished). 

The plaintiff, a patient of UIHC, had alleged that UIHC used a pixel on its website to share her personally identifiable information with third parties for marketing purposes and without her consent.  The Court did not reach the merits of the case and instead granted UIHC’s motion to dismiss on the basis that sovereign immunity barred each of the plaintiff’s claims.

The Court began its analysis by determining that UIHC was an “arm of the State” for purposes of sovereign immunity because (1) state law prescribed its “powers and characteristics”; (2) state law also governed its various affairs at length and in detail; (3) UIHC “must spend its money consistent with the directives of the Iowa Legislature, as implemented and controlled by state-appointed members of the Board of Regents”; and (4) “the State general fund would be the source of funds for any judgment or settlement” in this case.  The Court then rejected the plaintiffs’ argument that UIHC had waived sovereign immunity by adopting privacy policies concerning its handling of website visitor information, noting that those policies did not “expressly or implicitly” refer to either statute or “suggest an intention to waive sovereign immunity as to those laws.”  The Court further concluded that Congress did not abrogate sovereign immunity in enacting the ECPA and CFAA because neither law “unequivocally” expressed the requisite intent “to alter the usual constitutional balance between the States and the Federal Government.”  Finally, the Court held that sovereign immunity likewise barred the plaintiffs’ unjust enrichment claim under either federal or state law.

This case highlights a potential defense strategy for government entities facing litigation under the ECPA, CFAA, and related state laws, as it discusses in detail several aspects of the new and evolving case law applying sovereign immunity principles to these claims.

You can find more information about the latest developments and trends affecting class actions in our Inside Class Actions blog, including disclosure of collection in privacy policies, pixels embedded in videos, and wiretapping and other related privacy-related claims.

Photo of Kanu Song Kanu Song

Kanu Song is a litigator who represents clients in the technology and life sciences industries in complex commercial disputes, including class actions, trade secret litigation, contract disputes, and actions brought under unfair competition and consumer protection laws. She has substantive experience in all…

Kanu Song is a litigator who represents clients in the technology and life sciences industries in complex commercial disputes, including class actions, trade secret litigation, contract disputes, and actions brought under unfair competition and consumer protection laws. She has substantive experience in all stages of litigation, including arbitrations and appeals, with a strong track record of success on dispositive motions.

Kanu also maintains an active pro bono practice focused on serving women and children, and assisting individuals and small businesses with intellectual property disputes.

Photo of Jess Gonzalez Valenzuela Jess Gonzalez Valenzuela

Jess Gonzalez Valenzuela (they/them & she/her) is an associate in the firm’s Palo Alto office and is a member of the Privacy and Cybersecurity and Corporate practice groups.

Jess helps clients address complex, cutting-edge challenges to manage data privacy and cybersecurity risk, including by…

Jess Gonzalez Valenzuela (they/them & she/her) is an associate in the firm’s Palo Alto office and is a member of the Privacy and Cybersecurity and Corporate practice groups.

Jess helps clients address complex, cutting-edge challenges to manage data privacy and cybersecurity risk, including by providing regulatory compliance advice in connection with specific business practices and assisting in responding to cybersecurity incidents. Jess also maintains an active pro bono practice.

Jess is committed to DEI efforts in the legal profession, is a member of Covington’s LGBTQ+ and Latino Firm Resource Groups, and is working to develop a first generation professionals network and a disability advocacy network at Covington.