690 F.Supp.3d 1064
N.D. Cal.2023Background
- Plaintiffs (five anonymous Facebook users) allege hospitals’ websites installed Meta’s Pixel on patient portals, which contemporaneously transmitted patients’ healthcare-related data and URLs to Meta, and Meta monetized that data for targeted advertising.
- Plaintiffs filed a Consolidated Class Action Complaint asserting 13 claims (including ECPA, CIPA, breach of contract, CDAFA, UCL, CLRA, trespass, larceny, unjust enrichment, negligence, and privacy torts); Meta moved to dismiss all claims.
- The court previously denied a preliminary injunction but found plaintiffs showed a weighty injury; that ruling informed but did not resolve the pleadings motion.
- The central factual disputes: (1) whether Pixel intentionally intercepted the contents of electronic communications (including sensitive health information); (2) the effectiveness and implementation of Meta’s contractual safeguards and backend filters; and (3) whether healthcare providers actually consented to sending sensitive data to Meta.
- The court denied dismissal of the ECPA and CIPA claims, breach of contract, and unjust enrichment; it granted dismissal with leave to amend on several other claims (privacy torts, CDAFA, negligence per se, trespass to chattels, larceny, UCL, CLRA).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| ECPA (Wiretap Act) — interception/intent/content/consent | Pixel was designed to contemporaneously redirect patient communications/URLs (contents) to Meta; Meta intended to receive and monetize health data | Meta says it did not intend to intercept sensitive health data, relies on partners’ choices to install Pixel, and claims contractual prohibitions and backend filters; also asserts one-party consent from site operators | Denied dismissal: intent and content plausibly alleged; consent is a factual issue for discovery (survives pleading stage) |
| CIPA (Cal. Penal Code §§631,632) — scope, intent, device | Same facts as ECPA; software and transmitted URLs are covered content; Pixel is a device | Meta argues CIPA is extraterritorial, intent lacking, Pixel is not a “device,” and transmissions may not be sent/received in California | Denied dismissal: extraterritoriality and intent factual; Pixel can qualify as a device under §632(a); pleadings suffice at this stage |
| Breach of Contract & Implied Covenant | Meta’s TOS/Privacy Policy promise partners must have rights to share and that Meta uses systems/teams to prevent misuse; Meta breached by receiving/selling health data and not enforcing safeguards | Meta points to limitation-of-liability clause and contends promises are too indefinite | Denied dismissal: specific policy provisions pleaded; limitation clause not dispositive at pleading stage; damages scope may be addressed later |
| Constitutional privacy & Intrusion on Seclusion | Plaintiffs had reasonable expectation of privacy in medical communications; Pixel’s capture is highly offensive | Meta argues plaintiffs fail to specify what sensitive data Meta received; public disclosures and filters mitigate offensiveness | Dismissed with leave to amend: plaintiffs must identify categories of sensitive health information allegedly captured |
| CDAFA (§502) — loss/damage and contaminant theory | Pixel unlawfully accessed/transmitted data causing damage/loss and acts as a contaminant | Meta argues plaintiffs allege only privacy harms (not statutory loss/damage), Pixel is not a contaminant, and lack of device impairment | Dismissed with leave to amend: plaintiffs may replead loss/damage and must limit claims to §502(c)(1) and (8) if repled |
| UCL & CLRA — economic injury and fraud elements | Plaintiffs allege loss of property value in their data and misrepresentations about partners’ obligations | Meta contends no lost money/property (no purchase/transaction), diminished data-value theory insufficient, and plaintiffs fail to plead individual reliance for CLRA | UCL & CLRA dismissed with leave to amend: economic-injury and reliance defects must be cured |
| Trespass to Chattels & Larceny | Pixel places cookies/fbp cookie—interfering with devices and Meta obtained data by false pretenses | Meta contends no impairment to device function and plaintiffs fail to plead specific false statements and reliance | Both dismissed with leave to amend: trespass requires impairment of device operation; larceny claim lacks particularized misrepresentations/reliance |
| Negligence per se | Plaintiffs rely on HIPAA (and other statutes) to establish duty and per se breach | Meta argues HIPAA does not create a private negligence-per-se cause of action and duty must spring from state law | Dismissed with leave to amend: plaintiffs must identify a state-law source of duty |
Key Cases Cited
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility pleading standard)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading standards and inference of liability)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (URL/full-string referrer data can be "contents" under wiretap law)
- In re Zynga Priv. Litig., 750 F.3d 1098 (9th Cir. 2014) (distinguishing content from non-content metadata)
- In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125 (3d Cir. 2015) (substantive URL data can be "content")
- In re Carrier IQ, Inc., 78 F. Supp. 3d 1051 (N.D. Cal. 2015) (software can be a "device" under Wiretap Act/CIPA)
- Cottle v. Plaid Inc., 536 F. Supp. 3d 461 (N.D. Cal. 2021) (CDAFA loss/damage analysis; diminished data-value theory scrutinized)
- Intel Corp. v. Hamidi, 30 Cal.4th 1342 (Cal. 2003) (trespass to chattels requires impairment of property use)
- Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (Cal. 2011) (UCL standing and economic injury framework)