647 F.Supp.3d 778
N.D. Cal.2022Background
- Plaintiffs (anonymous Facebook users) allege that the Meta Pixel embedded on hospital websites and patient-portal landing pages transmits patient-status information (URLs, button-click events, cookies/identifiers) to Meta, which is then used for targeted advertising.
- Plaintiffs claim the data transmitted constitutes protected health information (PHI) under HIPAA and that Meta monetizes it without proper authorization.
- Meta maintains public policies (Terms/Data/Cookies/Business Tools) that disclose off‑Facebook data collection, requires partners to have lawful rights to share data, provides user controls (Off‑Facebook Activity) and operates a filtering mechanism designed to detect and block sensitive health data from ad systems.
- Plaintiffs moved for a mandatory preliminary injunction to stop Meta from intercepting and using patient information; the court held an evidentiary record including technical declarations from both sides and expert declarations.
- The court found plaintiffs have plausible merits and irreparable harm but denied the mandatory injunction because plaintiffs failed to show that law and facts "clearly favor" their position given factual uncertainties about the scope of the problem and Meta’s filtration systems, and because the balance of equities and public interest did not support the requested relief at this early stage.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Consent to collection (do Meta's policies consent to PHI capture?) | Policies do not explicitly disclose collection of medical/patient‑portal data; a reasonable user would not have consented to sharing PHI. | Policies broadly disclose off‑Facebook data collection and Meta requires partners to have lawful rights to share data. | Court: reasonable user likely would not understand Meta would collect this specific health information; consent unlikely to bar claims. |
| Wiretap Act (is Pixel interception of "contents" unlawful; is one‑party consent defense available?) | Pixel intercepts contents (URLs, button labels, query strings, identifiers) and Meta intentionally acquires them; interception used for targeting ads. | Even if intercepted, health providers (website developers) consented; one‑party consent exempts Meta unless interception was done for criminal/tortious purpose. | Court: plaintiffs likely satisfy elements including "contents," but cannot show the law/facts clearly favor application of the crime‑tort exception to defeat the one‑party‑consent defense at PI stage. |
| CIPA / Confidentiality (are communications confidential and unlawfully recorded?) | Patient–provider portal communications are confidential and internet presumption against confidentiality is rebutted by the medical context and HIPAA protections. | Internet communications generally lack a reasonable expectation of privacy. | Court: plaintiffs will likely show confidentiality and that CIPA claims are viable. |
| Equities & public interest (should mandatory injunction issue and is it feasible?) | Injunction necessary to prevent ongoing irreparable privacy injury; plaintiffs propose technical mitigations. | Mandatory injunction is burdensome/technologically infeasible given Meta’s systems; Meta already deploys filters and other measures; injunction would have broad public consequences. | Court: balance of equities and public interest do not favor granting a mandatory injunction now given factual gaps and Meta's asserted filtering mechanisms. |
Key Cases Cited
- Garcia v. Google, Inc., 786 F.3d 733 (9th Cir. 2015) (mandatory injunctions particularly disfavored; plaintiff must show law and facts clearly favor relief)
- Winter v. Natural Resources Defense Council, 555 U.S. 7 (2008) (standard for preliminary injunction: likelihood of success, irreparable harm, balance of equities, public interest)
- In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir.) (analysis of tracking technologies and reasonable expectation of privacy)
- In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003) (elements of Wiretap Act claim)
- In re Zynga Privacy Litigation, 750 F.3d 1098 (9th Cir.) (distinguishing content from non‑content and treating substantive form data as contents)
- Smith v. Facebook, 262 F. Supp. 3d 943 (N.D. Cal. 2017) (URLs containing general public health content did not constitute PHI; court distinguishes that context from patient‑portal access)
- Noel v. Hall, 568 F.3d 743 (9th Cir. 2009) (definition of "interception" and acquisition for Wiretap Act)
- Sussman v. American Broadcasting Cos., Inc., 186 F.3d 1200 (9th Cir. 1999) (crime‑tort exception focuses on the interceptor's purpose)
- Hill v. National Collegiate Athletic Assn., 7 Cal.4th 1 (1994) (factors for assessing offensiveness of privacy intrusion)
- In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir.) (addresses when URLs and transmitted data can be "content")