681 F.Supp.3d 1117
S.D. Cal.2023Background
- Plaintiffs (Sharp patients) allege Sharp Healthcare installed Meta Pixel on its public website and appointment-scheduling page, sending patients’ browsing and appointment data to Meta without consent.
- The Markup reported that Meta Pixel collected sensitive health-related data from Sharp’s scheduling page and transmitted it to Meta, potentially linkable to individuals via IPs and Facebook matching.
- Plaintiffs brought a consolidated class complaint asserting five causes of action: breach of fiduciary duty; common-law intrusion upon seclusion; invasion of privacy under Cal. Const. Art. I § 1; violation of the Confidentiality of Medical Information Act (CMIA); and violation of the California Invasion of Privacy Act (CIPA).
- Sharp moved to dismiss under Fed. R. Civ. P. 12(b)(6), arguing Plaintiffs failed to plead facts showing (among other things) that plaintiffs’ medical information was actually disclosed, viewed, or intercepted in transit and that a fiduciary relationship existed.
- The court found Plaintiffs’ allegations generally conclusory and lacking plaintiff-specific facts about what each plaintiff submitted and what Meta actually received or viewed; some privacy theories based on ordinary public browsing were deemed implausible.
- The court granted Sharp’s motion and dismissed all five claims with leave to amend, but it (a) declined to dismiss intrusion claims based on alleged disclosures from the appointment-scheduling page and (b) allowed CIPA aiding/interception theories to proceed past the pleading stage.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Breach of fiduciary duty | Sharp, as a healthcare provider, owed and breached fiduciary duties by sending sensitive patient data to Meta without consent. | No fiduciary relationship exists as a matter of law between hospital and patient; allegations are conclusory. | Dismissed — no fiduciary duty plausibly pled; claim dismissed with leave to amend. |
| Intrusion upon seclusion / Cal. Const. privacy (highly offensive & damages) | Disclosure of sensitive health info (esp. from appointment page) was highly offensive; plaintiffs seek damages. | Data-collection of browsing history is routine commercial behavior and not highly offensive; constitutional damages against private defendants are unavailable. | Mixed: privacy claims based on mere public browsing dismissed; allegations about appointment-scheduling page could be highly offensive and survive pleading; monetary damages under Cal. Const. claim dismissed. |
| CMIA (unauthorized disclosure / viewing) | Meta Pixel disclosed patients’ individually identifiable medical information to Meta in violation of CMIA. | Plaintiffs fail to plead that any medical information was actually disclosed or that Meta viewed/accessed it. | Dismissed — plaintiffs did not plausibly allege actual disclosure or that unauthorized parties viewed the data. |
| CIPA (interception; aiding/agreement; contents; in-transit) | Sharp installed Meta Pixel and thereby aided/agreed with Meta to intercept users’ electronic communications (including content) in transit. | Plaintiffs fail to plead aiding/agreement sufficiently; no contents were intercepted; Meta’s separate connection means no interception in transit. | Partially survived pleading: court found allegations that Sharp procured/installed Pixel sufficient to plead aiding/agreement and that interception in transit was plausibly alleged; however, plaintiffs failed to plausibly allege interception of communication "contents." Claim dismissed as pled but with leave to amend. |
Key Cases Cited
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for pleadings)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (conclusory allegations insufficient to survive Rule 12(b)(6))
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (privacy intrusion analysis and limits on permitting unauthorized duplication/forwarding of user data)
- Smith v. Facebook, Inc., 262 F. Supp. 3d 943 (N.D. Cal. 2017) (collection of user browsing on public website not necessarily PHI)
- In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014) (definition of "contents" under Wiretap Act and distinctions from metadata)
- Moore v. Regents of Univ. of Cal., 51 Cal.3d 120 (Cal. 1990) (no per se fiduciary relationship between medical provider and patient)