Doe v. GoodRx Holdings, Inc.
3:23-cv-00501
| N.D. Cal. | Jul 22, 2025Background
- Plaintiffs (Jane Doe et al.) brought a putative class action alleging that GoodRx and third-party trackers (Criteo, Meta, Google) shared users' sensitive health and personal information despite promises not to do so.
- GoodRx’s business includes offering prescription coupons and telehealth services, requiring users to provide health and personal details.
- Plaintiffs allege GoodRx’s privacy policies and statements assured users their personal health data would not be shared with third parties, but tracking technologies (Meta Pixel, Google Analytics, Criteo One Tag) secretly surveilled and shared such data.
- GoodRx settled with the FTC over similar allegations and acknowledged in a public notice the sharing of identifiable, health-related data with third parties.
- Defendants moved to dismiss claims for lack of specificity, lack of intent, asserted user consent, statutes of limitation, and other arguments; Plaintiffs opposed.
- The court considers the motion to dismiss and requests for judicial notice of various documents.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Sufficiency of technical details in claim | Specific features are not required at this stage; only defendants know such details. | Claims must specify web pages and how tools transmitted data. | Not required at pleading stage; motion denied. |
| Allegations against Criteo | Criteo intentionally intercepted sensitive health data. | Allegations are conclusory. | Allegations are sufficient at pleading stage; denied. |
| Intent | Tracking was deliberate and defendants profited. | Instructions against sharing health data negate intent. | Facts sufficient to plead intent; motion denied. |
| Consent | Policies expressly promised not to share health data. | Privacy policies disclosed possible sharing; users consented. | Disclosures did not amount to consent; motion denied. |
| Statute of limitations | Discovery rule applies; users couldn’t have known earlier. | Plaintiffs offer insufficient detail on timing of discovery. | Facts sufficient; motion denied. |
| CMIA aiding and abetting (Claim 7) | Aid/abet liability is viable; CMIA supports tort theory. | No aiding/abetting absent statutory authority; no case law cited. | No viable aiding/abetting theory under CMIA; dismissed. |
| UCL standing, remedies, and basis | Economic injury from lost data value; ongoing conduct. | No injury, no restitution, no unlawful/unfair/fraud. | Standing, remedies, and basis alleged; motion denied. |
| NY GBL claim | Injury from privacy violation; misleading conduct. | No deceptive conduct; no actual loss; not pled with specificity. | Privacy injury suffices; claim survives. |
| CIPA (CA wiretap) claim | PII/health info sharing is confidential communication. | Not confidential; out-of-state claims improper; party exception applies. | Confidentiality alleged; CA connection plausible; survives. |
| Intrusion upon seclusion | Medical privacy highly sensitive; conduct offensive. | Plaintiffs had no privacy expectation; not highly offensive. | Reasonable expectation and offensiveness plausible; denied. |
| Unjust enrichment | Data misappropriated and monetized by defendants. | No actionable wrong; Meta TOS bars claim. | Sufficient facts; TOS not conclusive; denied. |
Key Cases Cited
- Calhoun v. Google, LLC, 113 F.4th 1141 (9th Cir. 2024) (privacy policy disclosures must explicitly notify users to prove consent for data sharing)
- In re Meta Pixel Tax Filing Cases, 724 F. Supp. 3d 987 (N.D. Cal. 2024) (pleading standards for data privacy claims; intent and consent issues)
- Doe v. FullStory, Inc., 712 F. Supp. 3d 1244 (N.D. Cal. 2024) (technical details not required at pleading, sufficiency of discovery rule allegations)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (privacy expectancy and the party exception for CIPA claims)