Case Information
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA JANE DOE, et al., Case No. 23-cv-00501-AMO Plaintiffs, ORDER RE MOTION TO DISMISS v. Re: Dkt. No. 213 GOODRX HOLDINGS, INC., et al., Defendants.
This is a putative internet privacy class action by Plaintiffs Jane Doe, Jane Doe II, John Doe, E.C., Jose Marquez, and Hollis Wilson against Defendants GoodRx Holdings, Inc., Criteo Corp., Meta Platforms, Inc., and Google, LLC. Now pending before the Court is a motion to dismiss by Criteo, Meta, and Google (together, the “Moving Defendants”). ECF 213 (“Mot.”). Plaintiffs oppose the motion. ECF 217 (“Opp.”). Having considered the parties’ papers, the relevant legal authority, and the arguments advanced by counsel during the June 12, 2025 hearing on the matter, the Court GRANTS the motion IN PART and DENIES the motion IN PART for the reasons set forth below.
BACKGROUND [1] I. A. GoodRx’s Offerings GoodRx started operating in 2011 as a prescription coupon company. Compl. ¶ 96. Users
can search for discounts on the GoodRx website <www.goodrx.com> or the GoodRx mobile app (together, the “GoodRx Platform”). Id. ¶ 2. By entering the name of a medication and selecting a local pharmacy, a user receives a GoodRx coupon they can apply to a prescription purchase. Id. ¶ 98. GoodRx keeps a record of the purchase, the user’s name, date of birth, and prescription information. Id. Users can also obtain a GoodRx prescription savings card to use at over 70,000 pharmacies by providing their first and last name, address, and email. Id. ¶ 97. To create a GoodRx account, users must additionally provide their date of birth. Id.
GoodRx also offers other telehealth and prescription services. Through GoodRx’s “HeyDoctor” and “GoodRx Care” offerings, users enter their first and last name, email, phone number, biological sex, current address, and the type of treatment they are seeking. Id. ¶ 99. Once a user selects a type of treatment, they are “required to either complete an online consultation and enter information about their symptoms and medication history, or schedule a visit with a provider. They must also provide payment information.” Id. ¶ 100. Through its “GoodRx Gold” membership, the company offers users the option to pay a monthly fee for access to prescription coupons and medication tracking services. Id. ¶ 101.
B. GoodRx’s Privacy Policies The GoodRx privacy policy in effect between October 2017 and March 2019 promised
users that GoodRx would “never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” [2] Id. ¶ 105. From October 2017 to December 2019, GoodRx promised that “it would only use ‘personal medical data’ such as prescription drug information in ‘limited cases’ as necessary to fulfill the user’s request[,]” such as texting or emailing a GoodRx coupon. Id. ¶ 106. And from October 2017 to October 2019, GoodRx promised that when sharing information in these limited cases, it would “ensure[] that . . . third parties [we]re bound to comply with federal standards as to how to treat ‘medical data’ that is linked with [a user’s] name, contact information and other personal identifiers.” Id. ¶ 107. The HeyDoctor privacy policy made similar promises: between October 2018 and July 2020, the policy specifically stated that users’ “information would only be shared to provide access to telehealth services and that GoodRx would obtain users’ consent prior to disclosing it for any other reason.” Id. ¶ 109. The policy “also displayed a HIPAA seal, representing that its website complied with HIPAA regulations, including the prohibition against sharing health information without written authorization from the user.” Id.
C. Tweets by GoodRx’s Co-CEO Tweets by GoodRx’s Co-CEO – Doug Hirsch – reinforced the promises in GoodRx’s
privacy policies. On December 14, 2019, he tweeted: Id. ¶ 110, fig. 4. Later that day, he added: Id. ¶ 111, fig. 5.
D. GoodRx’s Use of Tracking Technologies Despite the promises in GoodRx’s privacy policies, and those made by its Co-CEO,
GoodRx “incorporated a host of other third parties’ tracking technologies on the GoodRx Platform, each of which permitted GoodRx to disclose, and third parties to intercept[,]” users’ personally identifiable, health, and other highly sensitive information. Id. ¶ 163. These tracking technologies include the Meta Pixel, Google Analytics, and the Criteo One Tag, and the software development kits these companies make available to app developers. Id. ¶¶ 139, 154, 160.
“The Meta Pixel is a snippet of code embedded on a third-party website that tracks users’ activity as the users navigate through a website.” Id. ¶ 124. Whenever a user interacts with a website, the Meta Pixel sends the users’ activity on the website to Meta in real-time. Through the Pixel, Meta records each page a user visits, the buttons they click, what information they provide, and what they search, as well as the user’s IP address. Id. ¶ 125. Meta can identify this information to a specific user through the “Facebook Cookie,” Meta’s workaround for cookie- blocking techniques, “Automatic Advanced Matching,” which correlates data received from websites to Facebook user account data, and “shadow profiles” that Meta keeps on non-Facebook users. Id. ¶ 126.
“Google Analytics is incorporated into third-party websites and apps by adding a small piece of JavaScript measurement code to each page on the site.” Id. ¶ 150. The code “immediately intercepts a user’s interaction with the webpage every time the user visits it, including what pages they visit and what they click on” and “collects identifiable information, such as the IP address and Client ID.” Id. ¶ 151. It then “packages the information and sends it to Google Analytics for processing.” Id. Once processed, the data is stored in a Google Analytics database, and Google uses “th[e] data to generate reports” that provide companies insight into customer acquisition, user engagement, and demographics. Id. ¶ 152.
The Criteo One Tag “is a snippet of code similar to the Meta Pixel.” Id. ¶ 158. It allows companies employing the technology to “utilize Criteo’s advertising platform to target specific users.” Id. ¶ 159.
E. The Federal Trade Commission Action On February 1, 2023, the Federal Trade Commission (“FTC”) filed an action against
GoodRx – United States of America v. GoodRx Holdings, Inc. , No. 23-cv-460 (N.D. Cal.) – for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule. Compl. ¶ 192. The FTC alleged that “GoodRx disclosed its users’ [personally identifiable information (“PII”)], as well as details about their medications and sensitive health conditions, to Defendants Facebook, Google, Criteo, as well as other third parties like Branch Metrics and Twilio.” Id. ¶ 193. “[S]ince 2017, GoodRx has ‘repeatedly violated’ its promises not to disclose its users’ personal information – except for in limited circumstances – by ‘sharing sensitive user information with third-party advertising companies and platforms . . . .’ ” Id. ¶ 192 (citing FTC Compl. ¶ 3-4). “GoodRx shared the following type of information without providing notice to or seeking consent from its users: prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers.” Id. ¶ 194 (citing FTC Compl. ¶ 4). GoodRx “ ‘permitted third parties that received users’ personal health information to use and profit from the information for their own business purposes.’ ” Id. ¶ 195 (citing FTC Compl. ¶ 5). The company “targeted users on Facebook and Instagram with advertisements that were premised upon their personal health information.” Id. (citing FTC Compl. ¶ 5).
GoodRx reached a settlement with the FTC on February 22, 2023. Id. ¶ 196. GoodRx was required “to pay civil penalties, as well as take certain corrective actions to prevent the disclosure of additional users’ PII and health information, including ceasing the use of health information for advertising purposes and further misrepresenting its disclosure of health information.” Id. “GoodRx notified users via email and through a ‘2023 Notice’ posted on its website of its settlement with the FTC.” Id. ¶ 197. In the notice, “GoodRx admitted it shared identifiable information about its users, including ‘details about drug and health conditions people searched and their prescription medications’ and that “ ‘shared this information with third parties, including Facebook’ ” and “ ‘[i]n some cases . . . used the information to target people with health-related ads.’ ” Id.
F. Plaintiffs’ Use of GoodRx Services The day after the FTC filed its complaint, Plaintiffs commenced this action, on February 2,
2023. They allege that by employing these tracking technologies on its Platform, GoodRx disclosed, and the Moving Defendants intercepted, Plaintiffs’ personally identifiable, health, and other sensitive information. Id. ¶¶ 140, 154, 160.
Plaintiff Jane Doe used the GoodRx Platform multiple times in August 2022. Id. ¶ 24. Using her mobile phone [3] to “access[] GoodRx’s platform through the website,” she entered her name, email address, phone number, biological sex, address, and payment information” to receive medical treatment and a prescription for a urinary tract infection. Id. ¶¶ 23, 25. She also completed an online consultation, providing GoodRx with information about her symptoms and medication history. Id. ¶ 25. She paid for these services and received a prescription for an antibiotic through GoodRx. Id.
Using the GoodRx mobile app on her phone, [4] Plaintiff Jane Doe II used the GoodRx Platform between 2016 and 2023 to obtain prescription coupons. Id. ¶ 29. During the last five years, Doe II paid a fee for GoodRx’s Gold membership to access additional savings on prescriptions. Id. To sign-up for the membership, Doe II provided her name, email, birthdate, and payment information. Id. ¶ 32.
John Doe used the GoodRx Platform between 2016 and 2023 to obtain discounts and prescription coupons for a number of prescription medications. Id. ¶ 36. He accessed coupons online at GoodRx’s website using his mobile phone and public computers. Id. “To obtain discounts and prescription coupons, Plaintiff John Doe was required to enter, at least, his private prescription information.” Id. ¶ 37.
Using the web browser on his mobile phone, E.C. used the GoodRx Platform since at least 2018 to locate pharmacies for “prescriptions of a highly sensitive nature.” [5] Id. ¶ 41. To find “prescribing pharmacies, Plaintiff E.C. was required to enter, at least, his private prescription information.” Id. ¶ 43.
Between June 2021 and August 2021, [6] Marquez used the GoodRx Platform and paid for a Gold membership to obtain discounts and prescription coupons. Id. ¶¶ 47-48. To sign-up for the membership, Marquez provided his name, email, and payment information. Id. ¶ 51. He accessed the GoodRx Platform “through a mobile application on his Android Samsung Galaxy smartphone.” Id. ¶ 49.
Between 2015 and 2019, [7] Wilson used her mobile phone to access the GoodRx website to obtain prescription coupons. Id. ¶ 55. To receive these coupons, Wilson provided her name, email, and phone number. Id. ¶ 57.
Plaintiffs allege they did not consent to the sharing and interception of their data or its use by Defendants. Id. ¶¶ 27, 34, 39, 45, 53, 59. According to Plaintiffs, had they known GoodRx would share their data, they would have never used the website or shared their information with GoodRx. Id. ¶¶ 27, 34, 39, 45, 53, 59.
Based on the sharing and interception of their health data, Plaintiffs, on behalf of themselves, a putative nationwide class, and various state subclasses proposed in the alternative, assert claims for intrusion upon seclusion (claims 1 and 2), unjust enrichment (claim 3), violation of the California Confidentiality of Medical Information Act (“CMIA”), Civil Code § 56.06 (claim 4), violation of the CMIA, Civil Code § 56.101 (claim 5), violation of the CMIA, Civil Code § 56.10 (claim 6), aiding and abetting violations of the CMIA, Civil Code §§ 56.06, 56.101, and 56.10 (claim 7), violation of the CMIA, Civil Code § 56.36 (claim 8), violation of the California Invasion of Privacy Act (“CIPA”), Penal Code § 631 (claim 9), violation of CIPA, Penal Code § 632 (claim 10), violation of the California Consumers Legal Remedies Act (“CLRA”), Civil Code §§ 1750, et seq. (claim 11), violation of California’s Unfair Competition Law (“UCL”), Business and Professions Code §§ 17200, et seq. (claim 12), violation of the New York General Business Law (“GBL”) § 349 (claim 13), violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 Ill. Comp. Stat. Ann. § 505/1 (claim 14), [8] negligence per se (claim 15), and negligence (claim 16). Compl. ¶¶ 230-396.
The Moving Defendants seek dismissal of Plaintiffs’ complaint in full [9] and ask that the Court take judicial notice of various materials. Mot. at 41; ECF 213-1 (“Defs.’ RJN”). Plaintiffs oppose and request judicial notice of additional documents. Opp.; ECF 218 (“Pls.’ RJN”). The Court held a hearing on the matter on June 12, 2025. ECF 231.
II.
DISCUSSION
The Court first takes up the parties’ requests for judicial notice before turning to the motion to dismiss. A. Requests for Judicial Notice 1. Standard A district court may take judicial notice of facts that are “not subject to reasonable dispute” because they are (1) “generally known within the trial court’s territorial jurisdiction,” or (2) “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b); see United States v. Bernal-Obeso , 989 F.2d 331, 333 (9th Cir. 1993). “Accordingly, ‘[a] court may take judicial notice of matters of public record.’ ” Khoja v. Orexigen Therapeutics, Inc. , 899 F.3d 988, 999 (9th Cir. 2018) (quoting Lee , 250 F.3d at 688). A court cannot, however, “take judicial notice of disputed facts contained in such public records.” Id.
“Unlike rule-established judicial notice, incorporation-by-reference is a judicially created doctrine that treats certain documents as though they are part of the complaint itself. The doctrine prevents plaintiffs from selecting only portions of documents that support their claims, while omitting portions of those very documents that weaken – or doom – their claims.” Id. at 1002. “Although the incorporation-by-reference doctrine is designed to prevent artful pleading by plaintiffs, the doctrine is not a tool for defendants to short-circuit the resolution of a well-pleaded claim.” Id. at 1003.
In applying this standard, the Ninth Circuit instructs: When a general conclusion in a complaint contradicts specific facts retold in a document attached to the complaint, incorporated by reference in the complaint, or subject to judicial notice, those specific facts are controlling. Similarly, where a complaint incorrectly summarizes or characterizes a legally operative document attached to the complaint, incorporated by reference in the complaint, or subject to judicial notice, the document itself is controlling. . . . But if specific facts alleged in the complaint contradict specific facts related in a non-legally-operative document attached to the complaint, incorporated by reference in the complaint, or subject to judicial notice, the conflict is resolved in the plaintiff’s favor.
In re Finjan Holdings, Inc. , 58 F.4th 1048, 1052 n.1 (9th Cir. 2023) (citations omitted). 2. Analysis a. Plaintiffs’ request for judicial notice Plaintiffs ask that the Court “take judicial notice of, and/or deem as incorporated by reference” the complaint from the FTC action and a document titled “DVAA Display, Video Ads, Analytics and Apps,” filed in United States et al. v. Google LLC , 1:23-cv-00108 (E.D. Va.). Pls’. RJN at 2. Criteo opposes Plaintiffs’ request to the extent Plaintiffs seek to incorporate the allegations from the FTC complaint, which Criteo disputes, into the operative complaint in this matter. ECF 222 at 2. The Court GRANTS Plaintiffs’ request as follows. The Court takes judicial notice of the existence of these documents but not for the truth of any contents contained in them. Nor does the Court treat the allegations in the FTC complaint or content from the DVAA document as fully incorporated into Plaintiffs’ complaint.
b. The Moving Defendants’ request for judicial notice The Moving Defendants seek judicial notice of 36 documents, including Meta’s terms of service, privacy and data policies, and business tool terms (Exhibits 1-20), GoodRx’s privacy policies and terms of use (Exhibits 21-27), and certain Google terms of service and webpages (Exhibits A-I). Defs.’ RJN at 2-6. Defendants also ask that the Court deem Exhibits 1-24, A, and B incorporated by reference. Id. at 7. Plaintiffs object. ECF 217-1. Nonetheless, the Court takes judicial notice of the existence of these documents, but it does not consider them beyond that. See In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d 987, 1001 (N.D. Cal. 2024) (“This notice is limited to the existence and contents of this July 26, 2022 version of Meta’s terms of service. The Court cannot conclude from Meta’s submission that this was the version in effect during the period relevant to plaintiffs’ claims, or that plaintiffs ever assented to the terms therein.”). The Moving Defendants’ request to deem Exhibits 1-24, A, and B as incorporated by reference is DENIED because incorporation by reference “is designed to prevent artful pleading by plaintiffs” but should not be used as a “tool for defendants to short-circuit the resolution of a well-pleaded claim. See Khoja , 899 F.3d at 1002.
B. Motion to Dismiss 1. Standard Federal Rule of Civil Procedure 8 requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure Rule 12(b)(6). To overcome a Rule 12(b)(6) motion to dismiss, the factual allegations in the plaintiff’s complaint “ ‘must . . . suggest that the claim has at least a plausible chance of success.’ ” Levitt v. Yelp! Inc. , 765 F.3d 1123, 1135 (9th Cir. 2014) (quoting In re Century Aluminum Co. Sec. Litig. , 729 F.3d 1104, 1107 (9th Cir. 2013) (alterations in original)). In ruling on a Rule 12(b)(6) motion, courts “accept factual allegations in the complaint as true and construe the pleadings in the light most favorable to the nonmoving party.” Manzarek , 519 F.3d at 1031.
“[A]llegations in a complaint . . . may not simply recite the elements of a cause of action, but must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively.” Levitt , 765 F.3d at 1135 (quoting Starr v. Baca , 652 F.3d 1202, 1216 (9th Cir. 2011)). The court may dismiss a claim “where there is either a lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal claim.” Hinds Invs., L.P. v. Angioli , 654 F.3d 846, 850 (9th Cir. 2011) (citing Johnson v. Riverside Healthcare Sys. , LP, 534 F.3d 1116, 1121 (9th Cir. 2008)). “[T]he non-conclusory ‘factual content’ and reasonable inferences from that content must be plausibly suggestive of a claim entitling the plaintiff to relief.” Moss v. U.S. Secret Service , 572 F.3d 962, 969 (9th Cir. 2009).
When deciding whether to grant a motion to dismiss, the court generally “may not consider any material beyond the pleadings.” Hal Roach Studios, Inc. v. Richard Feiner & Co. , 896 F.2d 1542, 1555 n.19 (9th Cir. 1990). However, the court may consider material submitted as part of the complaint or relied upon in the complaint and may also consider material subject to judicial notice. See Lee v. City of Los Angeles , 250 F.3d 668, 688-89 (9th Cir. 2001).
2. Analysis The Moving Defendants principally argue that dismissal is warranted because (1) Plaintiffs do not sufficiently allege that the specific web pages they visited were equipped with the Moving Defendants’ tracking technologies nor identify the components of those technologies that transmitted the health data that was allegedly shared and intercepted, (2) Plaintiffs’ allegations against Criteo are wholly conclusory, (3) Plaintiffs’ allegations that the Moving Defendants intended to intercept protected health information are lacking, (4) Plaintiffs consented to the data collection and interception that is the subject of their claims, and (5) Plaintiffs’ claims are largely barred by the applicable statutes of limitations. Mot at 9-30, 39-41. The Moving Defendants offer additional arguments specific to Plaintiffs’ causes of action under the CMIA, UCL, New York GBL, and CIPA as well as their claims for intrusion upon seclusion and unjust enrichment. Mot. at 30-39. The Court addresses the sufficiency of Plaintiffs’ allegations and the issues of intent and consent before turning to the Moving Defendants’ remaining arguments. [10]
a. Pleading of Technical Details The Moving Defendants argue that Plaintiffs’ claims must be dismissed because they have failed to “allege facts showing ‘where on the web property the source code exists’ and what ‘features of [the source code] are being enabled on those pages to send allegedly protected health information.’ ” Mot. at 20 (quoting Doe I v. Google, LLC , 741 F. Supp. 3d 828 (N.D. Cal. 2024)). This argument fails.
Requiring the level of specificity the Moving Defendants demand imposes a standard far beyond what Plaintiffs must satisfy at the pleading stage. [11] The Moving Defendants are free to challenge whether a specific web page incorporated the tracking technologies that Plaintiffs allege facilitated the unlawful interception of their data at summary judgment or trial, but they cannot demand that Plaintiffs allege the details about these tools, which only Defendants would possess, to survive a motion to dismiss. See In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1004 (rejecting the argument that the plaintiffs had to identify specific communications that were allegedly intercepted); Doe v. FullStory, Inc ., 712 F. Supp. 3d 1244, 1259 (N.D. Cal. 2024) (“[I]n the absence of discovery [about] how the TikTok Pixels actually work and what information was tracked, it would be premature to hold that TikTok’s alleged tracking of the various pages that plaintiff may have visited within Favor’s platform when seeking healthcare services cannot constitute an invasion of privacy.”) (footnote omitted); Doe v. Regents of Univ. of Cal. , 672 F. Supp. 3d 813, 819 (N.D. Cal. 2023) (“At the motion to dismiss stage, it is not necessary for plaintiff to provide more specific medical details. . . . To require more would place the burden on her to describe UC Regents’ technical systems without the benefit of discovery.”) (citing Reichman v. Poshmark, Inc. , 267 F. Supp. 3d 1278, 1286 (S.D. Cal. 2017)).
Accordingly, the motion to dismiss for lack of specific allegations about the inner workings of the Moving Defendants’ tracking technologies is DENIED . b. Allegations against Criteo Criteo argues that the Plaintiffs’ allegations about its conduct are particularly conclusory. Mot. at 22-23. The Court disagrees. Plaintiffs allege that Criteo “knowingly and intentionally intercepted” Plaintiffs’ health information, including information about their medical conditions, symptoms, and prescriptions. Compl. ¶ 18. Plaintiffs also allege that “[t]his information was not aggregated or deidentified[,]” and that “Criteo used this information for [its] own purposes, including to allow GoodRx to advertise on their platforms using GoodRx users’ health data.” Id. ¶ 19. Plaintiffs further allege that “Criteo, as the creator of its SDK and Pixel, knew that it intercepted each of a user’s interactions on the website or mobile application that incorporated this technology[,]” that it knew “the incorporation of its software into the GoodRx Platform would result in its interception of sensitive information, including health information relating to medical treatment and prescriptions[,]” and that “[a]s demonstrated by the continued incorporation of Criteo’s tracking technology on the GoodRx Platform, Criteo did not take any steps to prevent its interception and use of GoodRx users’ sensitive health data.” Id. ¶¶ 87-89. According to Plaintiffs, “Criteo’s conduct was intentional despite knowing the privacy violations it caused . . . .” Id. ¶ 90. These allegations are not conclusory, and to the extent Criteo requires further specificity to defend itself against these allegations, it “can . . . seek elaboration through contention interrogatories or other forms of discovery.” See In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1005.
Accordingly, the motion to dismiss on the basis that Plaintiffs’ allegations about Criteo are conclusory is DENIED . c. Intent The Moving Defendants next attack Plaintiffs’ allegations about intent on two grounds. Mot. at 23-24. First, the Moving Defendants argue that Plaintiffs’ intent allegations are conclusory. Id. at 23-26. Second, the Moving Defendants argue that Plaintiffs cannot plausibly plead intent because Meta’s and Google’s policies instruct developers not to send protected health information. Id. at 24-26. Both arguments fail.
Plaintiffs allege the Moving Defendants knew the incorporation of their tracking technologies on websites and mobile apps resulted in the interception of sensitive health information, that they did not take any steps to prevent the interception of this data, that this conduct was intentional despite knowing about the resulting privacy violations to Plaintiffs, and that the Moving Defendants proceeded to generate billions in advertising revenue based on the information intercepted by its tracking technologies. Compl. ¶¶ 66-77, ¶¶ 78-85, ¶¶ 86-90, ¶¶ 117-141, ¶¶ 142-156, ¶¶ 157-161. These facts are sufficient to plausibly plead intent. See In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1003 (finding allegations that Meta willfully read or attempted to read the contents of the plaintiffs’ electronic communications, knew confidential information like tax data was transmitted through its tracking tools and usually did not take enforcement action against companies known to share potentially sensitive information, and that such information was valuable to Meta sufficient to plead intent at the motion to dismiss stage).
Meta’s and Google’s instructions to developers do not alter this conclusion. Assuming those instructions were in effect during the relevant period, which Plaintiffs have yet to define in the operative complaint, “the Court cannot conclude from their mere existence that [Defendants] and developers intended to or did comply with the terms rather than deviating from them to their mutual benefit.” In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1003. Indeed, while Meta and Google may instruct developers not to send protected health information, if, once received, Meta and Google make no effort to prevent the uploading of that information into their data repositories, take no steps to filter it out once the data is uploaded to their servers, or simply proceed to monetize that information knowing developers were sending sensitive health information in violation of instructions against it, a jury may find such acts indicative of intent. See Doe v. Meta Platforms, Inc. , 690 F. Supp. 3d 1064, 1076 (N.D. Cal. 2023), motion to certify appeal denied , No. 22-CV-03580-WHO, 2024 WL 4375776 (N.D. Cal. Oct. 2, 2024) (“What Meta’s true intent is, what steps it actually took to prevent receipt of health information, the efficacy of its filtering tools, and the technological feasibility of implementing other measures to prevent the transfer of health information, all turn on disputed questions of fact that need development on a full evidentiary record.”). For purposes of the instant motion, the mere existence of certain contractual restrictions Meta and Google may have placed on developers “do not establish as a matter of law that Meta did not intend to receive the information [P]laintiffs claim was transmitted.” In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1003; see also Meta Platforms, Inc. , 690 F. Supp. 3d at 1076 (rejecting the argument that the plaintiffs could not adequately plead intent because Meta contractually forbids developers from sending sensitive data).
Accordingly, the motion to dismiss for lack of sufficient allegations of intent is DENIED . d. Consent The Moving Defendants next argue that GoodRx’s and Meta’s terms establish consent such that dismissal is warranted. Mot. at 27-30. The Court disagrees. Consent “can be [express] or implied, but any consent must be actual.” Calhoun v. Google, LLC , 113 F.4th 1141, 1147 (9th Cir. 2024) (internal citations and quotations omitted; modification in original). To be actual, the disclosures on which the Moving Defendants rely must “explicitly notify” users of the conduct at issue. Id. “Consent is only effective if the person alleging harm consented ‘to the particular conduct, or to substantially the same conduct’ and if the alleged tortfeasor did not exceed the scope of that consent.” Id. In determining consent, courts consider “whether the circumstances, considered as a whole, demonstrate that a reasonable person understood that an action would be carried out so that their acquiescence demonstrates knowing authorization.” Id. (quoting Smith , 745 F. App’x at 8). If that user could have plausibly understood the disclosures “as not disclosing that [the defendant] would engage in particular conduct,” then the disclosures are insufficient to establish consent. Id. (quoting In re Facebook, Inc., Consumer Priv. User Profile Litig. , 402 F. Supp. 3d 767, 789 (N.D. Cal. 2019)).
The disclosures on which the Moving Defendants rely are not sufficient to establish consent at the pleading stage. They point to GoodRx’s privacy policy from January 1, 2023, which reads, in part:
We may use other companies’ analytics, tracking and provided tools that receive information when you use our Services, including technology from Google, Facebook and others, to help us track, segment, and analyze usage of the Services, and to help us or those companies serve more targeted advertising on the Services and across the Internet. These tools may use technology such as cookies, tags, pixels, SDKs, and similar technologies to track online activity.
Defs.’ RJN, Ex. 24. Meta describes its policies as “contain[ing] clear and broad disclosures stating that Meta may receive data reflecting users’ activity on third-party websites and apps that use the Meta Business Tools.” Mot. at 29.
A reasonable user reading these broad disclosures, if in effect during the relevant time, about the general use of the tracking technologies on the GoodRx Platform, when reading them together with the portions of GoodRx’s policies, in effect through 2019, [12] that specifically state that GoodRx will not share that data, and its Co-CEO’s express promises, made in December 2019, that GoodRx would not share its users’ health information, see Compl. ¶¶ 105-111, would reasonably think they were not consenting to the sharing and interception of sensitive medical information. See Calhoun , 113 F.4th at 1150 (holding that a reasonable user reading Google’s general privacy policy, which broadly stated that, Google collected data about users’ activity on third party-sites and apps that use Google’s services, together with a Chrome-specific privacy notice that stated Google would not receive certain information, “would not necessarily understand that they were consenting to the data collection at issue.”); In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1003-04 (“Drawing all inferences in plaintiffs’ favor, the Court cannot determine at the 12(b)(6) stage that plaintiffs consented to Facebook collecting sensitive financial data simply because the complaint mentions that Meta has certain agreements in place (without conceding assent) and because Meta believes that these agreements adequately disclose the collection practices at issue.”); cf. Smith v. Facebook , 745 F. App’x at 8-9 (9th Cir. 2018) (holding that plaintiffs, who searched for and viewed publicly available health information, consented to the data collection because, analyzing the terms of Facebook’s Terms and Policies, “a reasonable person viewing those disclosures would understand” that Facebook engaged in the contested practices). [13]
Accordingly, the motion to dismiss on the basis of consent is DENIED . e. Statute of Limitations The Moving Defendants also seek dismissal of Plaintiffs’ claims on statute of limitations grounds. Mot. at 39-41. Plaintiffs counter that their claims are timely on the basis of recurring violations, the discovery rule, and/or the fraudulent concealment doctrine. Opp. at 38-40.
Turning to the discovery rule first, which requires that Plaintiffs allege “facts to show (1) the time and manner of discovery and (2) the inability to have made earlier discovery despite reasonable diligence,” see FullStory, Inc. , 712 F. Supp. 3d at 1255 n.6, the Moving Defendants argue that Plaintiffs do not allege facts establishing each of these prongs with the requisite specificity. This argument fails. Plaintiffs allege “GoodRx secretly incorporated the [Moving Defendants’] software into the GoodRx Platform, providing no indication to users that they were interacting with sites that shared their data, including PII and health data, with third parties[,]” Compl. ¶ 202, that “Defendants had exclusive knowledge that the GoodRx Platform incorporated the [Moving Defendants’] software, yet failed to disclose that fact to users, or that by interacting with the GoodRx Platform Plaintiffs’ . . . sensitive data, including PII and health data, would be disclosed to and intercepted by third parties[,]” id. ¶ 203, that “Plaintiffs . . . could not with due diligence have discovered the full scope of Defendants’ conduct, including because it is highly technical and there were no disclosures or other indication that would inform a reasonable consumer that GoodRx was disclosing, and third parties were intercepting, data from the GoodRx Platform[,]” id. ¶ 204, and that “[t]he earliest Plaintiffs and Class members could have known about Defendants’ conduct was upon the filing of the FTC [c]omplaint.” Id. ¶ 205. “[G]iven the type of case this is – based on defendants’ use of highly technical proprietary software – and given plaintiff’s clear statement that ‘the earliest’ plaintiff[s] could have known of her injury was shortly unlike here, the plaintiffs did not argue that a defendant had “service-specific privacy policies that could reasonably be read to say the opposite of what its general privacy policies disclosed.” See Calhoun , 113 F.4th at 1149. The Court therefore finds Smith unpersuasive in light of Plaintiffs’ allegations that GoodRx made specific promises that would factor into how a reasonable consumer would read the Moving Defendants’ privacy policies. Lloyd is further off the mark. In that case, the self-represented plaintiff asserted a range of claims against Meta based on facts far less developed than those alleged here. See 2024 WL 3325389, at *2. before filing . . . [t]his is sufficient for now.” See FullStory, Inc. , 712 F. Supp. 3d at 1255 (rejecting the defendants’ argument “that plaintiff cannot invoke the discovery rule unless she alleges the specific ‘time and manner’ of her discovery”).
Defendants’ reliance on the public news articles Plaintiffs mention in their complaint or the privacy policies they have put before the Court as part of their request for judicial notice do not alter this conclusion. “California law is clear that ‘public awareness of a problem through media coverage alone’ does not create ‘constructive suspicion for purposes of discovery.’ ” Frasco v. Flo Health, Inc. , No. 3:21-CV-00757-JD, 2022 WL 21794391, at *1 (N.D. Cal. June 6, 2022) (rejecting argument that the plaintiffs knew or should have known about their claims by the time the Wall Street Journal published a relevant article and noting that statute of limitations issues are rarely resolved at the motion to dismiss stage). The various policies on which the Moving Defendants rely similarly do not move the needle, given GoodRx’s express promises that the data at issue in this case would not be shared. See FullStory, Inc. , 712 F. Supp. 3d at 1255-56.
Because Plaintiffs have sufficiently alleged facts to support the application of the discovery rule, the Court DENIES the motion to dismiss on statute of limitations grounds without reaching the parties’ arguments about recurring violations or fraudulent concealment. Having rejected the principal bases on which the Moving Defendants seek dismissal, the Court turns to their remaining challenges to Plaintiffs’ causes of action under the CMIA, UCL, New York GBL, CIPA, and their claims for intrusion upon seclusion and unjust enrichment.
f. The CMIA Plaintiffs raise two claims – claim 7 (for aiding and abetting) and claim 8 (for violation of California Civil Code Sections 56.36(B)(3)(A) and (B)(5)) – against the Moving Defendants. Compl. ¶¶ 293-298, ¶¶ 299-307. Because dismissal of claim 8 is warranted without a discussion on the merits, the Court briefly addresses that claim first before turning to claim 7.
Claim 8 is subject to dismissal because Plaintiffs’ effort to defend the claim (or any other CMIA claims) by reference to their prior briefing, see Opp at 33 (“Defendants’ argument that there is no violation of the CMIA fails for the reasons stated in Plaintiffs’ first opposition brief.”), fails. The Court does not consider arguments incorporated by reference. [14] See Standing Order for Civil Cases ¶ H.3 (“Parties may not incorporate by reference prior arguments submitted in the case. This practice creates substantial administrative burdens and may be construed as circumventing page limits. The Court may strike any filing that improperly incorporates material by reference.”). By improperly directing the Court to briefs responding to motions that have since been denied, Plaintiffs have failed to properly defend claim 8.
Moreover, Plaintiffs fail to address the Moving Defendants’ argument that Plaintiffs have brought the claim under a subsection of the statute that does not exist. See generally Opp. Nor do they respond to the Moving Defendants’ argument that even Plaintiffs have brought claims under the correct subsection they apparently seek to invoke, no private right of action is available under that provision. See generally id. By failing to address these arguments, Plaintiffs concede the points made by the Moving Defendants, and the Court need not reach the additional arguments the Moving Defendants make with respect to this claim. See Genomics v. Song , No. 21-CV-04507- JST, 2023 WL 8852735, at *6 (N.D. Cal. Dec. 21, 2023) (“[Defendant] does not address this point and therefore concedes it by his silence”). Dismissal of claim 8 is therefore warranted WITHOUT LEAVE TO AMEND .
With respect to claim 7, the Moving Defendants argue that dismissal is appropriate because, among other reasons, there can be no aiding and abetting liability absent statutory authority. Mot. at 31. Rather than directly addressing the argument, Plaintiffs contend that the CMIA sounds in torts, and the Second Restatement of Torts § 876 (1979) “permits claims for aiding and abetting such violations.” Opp. at 32. Plaintiffs offer no case law in support of their position and fail to convince the Court that aiding and abetting liability attaches in the CMIA context. Because Plaintiffs have failed to address the Moving Defendants’ arguments about their proffered aiding and abetting theory, and without case law independently establishing its legal viability, the Court DISMISSES claim 7 WITHOUT LEAVE TO AMEND for lack of a cognizable legal theory. See Mendiondo v. Centinela Hosp. Med. Ctr. , 521 F.3d 1097, 1104 (9th Cir. 2008) (“Dismissal under Rule 12(b)(6) is appropriate . . . where the complaint lacks a cognizable legal theory . . . .”). The Court does not reach the parties’ remaining arguments about the claim.
g. UCL The UCL proscribes any “unlawful, unfair or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200. A UCL claim may only be brought by “a person who has suffered injury in fact and has lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. Plaintiffs, therefore, must “demonstrate some form of economic injury,” such as surrendering more or acquiring less in a transaction, having a present or future property interest diminished, being deprived of money or property, or entering into a transaction costing money or property that would otherwise have been unnecessary. Kwikset Corp. v. Superior Court , 51 Cal. 4th 310, 323 (2011).
The Moving Defendants seek dismissal of this claim on three grounds. First, they argue that Plaintiffs lack statutory standing. Mot. at 31-32. Second, they contend Plaintiffs are not entitled to restitution or injunctive relief. Id. at 32-33. Third, they argue that Plaintiffs have not alleged any unlawful, unfair, or fraudulent conduct. Id. at 33. The Court addresses each argument in turn, except for those relating to any UCL claim alleged under the statute’s fraud prong, which as confirmed during the hearing, Plaintiffs no longer intend to pursue.
“To satisfy the statutory standing requirement under the UCL, a plaintiff must merely suffer an injury in fact that is an economic injury.” Kwikset Corp. v. Superior Court , 51 Cal. 4th 310, 321-22 (2011). Here, Plaintiffs meet the UCL’s statutory standing requirement because they allege that the Moving Defendants took their data without compensating them for it and that the data has value to both companies and consumers. Compl. ¶¶ 356-358. “Indeed, the Ninth Circuit and a number of district courts . . . have concluded that plaintiffs who suffered a loss of their personal information suffered economic injury and had standing.” See Calhoun , 526 F. Supp. 3d at 636 (collecting cases).
With respect to the remedies Plaintiffs may seek under the UCL, “[i]n a private unfair competition law action, the remedies are generally limited to injunctive relief and restitution.” See Clark v. Superior Ct. , 50 Cal. 4th 605, 610 (2010) (internal quotations and citations omitted). While “the only monetary remedy Plaintiffs may seek is restitution,” see Calhoun , 526 F. Supp. 3d at 637, injunctive relief is available to prevent Defendants from continuing to engage in ongoing conduct, that is, “to immediately cease the use of GoodRx users’ data improperly obtained through their tracking technology and to permanently delete this data from all servers in all forms.” Compl. ¶ 215; see Brown v. Google LLC , 685 F. Supp. 3d 909, 942 (N.D. Cal. 2023) (denying motion for summary judgment on UCL claim where “[i]njunctive relief [wa]s necessary to address Google’s ongoing collection of users’ private browsing data.”).
Finally, by sufficiently pleading plausible claims as discussed in this order, Plaintiffs have alleged the necessary predicate violations to support a UCL claim under the unlawful prong. See Calhoun , 526 F. Supp. 3d at 636 (denying motion to dismiss claims under the UCL’s unlawful prong where the plaintiffs adequately pleaded CIPA and statutory larceny claims). These allegations “are also sufficient to state a claim under the ‘intentionally broad’ ‘unfair’ prong of the UCL.” See In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1025 (internal quotations and citations omitted).
The motion to dismiss Plaintiffs’ UCL claim is therefore DENIED . New York GBL [15] h. The New York GBL provides: “Deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful.” N.Y. Gen. Bus. Law. § 349. “A plaintiff bringing a claim under the GBL must allege (1) that the defendant’s deceptive acts were directed at consumers, (2) the acts are misleading in a material way, and (3) the plaintiff has been injured as a result. An act is materially misleading if it is likely to mislead a reasonable consumer acting reasonably under the circumstances.” Martin v. Meredith Corp. , 657 F. Supp. 3d 277, 287 (S.D.N.Y. 2023) (citations omitted).
The Moving Defendants challenge this claim on four grounds. First, they argue that E.C. has failed to satisfy Rule 9(b)’s heightened pleading standard, Mot. at 33-34, but “GBL § 349 is not subject to the more demanding pleading requirements of Federal Rule of Civil Procedure 9(b).” In re Anthem, Inc. Data Breach Litig. , 162 F. Supp. 3d 953, 996 (N.D. Cal. 2016). Second, the Moving Defendants argue that E.C. has not alleged a deprivation of income or actual loss necessary to establish statutory standing. Mot. at 34. For purposes of the GBL, “[a] plaintiff must allege actual injury, although that need not take the form of a pecuniary harm.” Cooper v. Mount Sinai Health Sys., Inc. , 742 F. Supp. 3d 369, 383 (S.D.N.Y. 2024) (citation omitted). The privacy violations alleged here suffice as such an injury. See id. at 383-384 (“[A] privacy injury can be the basis for a § 349 claim where confidential, individually identifiable information—such as medical records or a social security number – is collected without the individual’s knowledge or consent.”) (internal quotations and citations omitted). Third, the Moving Defendants argue that E.C. has not alleged that they made a misrepresentation or omission. Mot. at 34. But here, Plaintiffs allege that Defendants violated the GBL “by, among other things, disclosing and intercepting Plaintiffs’ . . .’ sensitive data, including Private Information, without consent.” [16] Compl. ¶ 364. Such sharing of medical information without consent may constitute a deceptive act actionable under the GBL. See Anonymous v. CVS Corp. , 728 N.Y.S.2d 333, 339-40 (Sup. Ct. 2001) (“[T]he practice of intentionally declining to give customers notice of an impending transfer of their critical prescription information in order to increase the value of that information appears deceptive.”). Fourth, the Moving Defendants argue that even if E.C. had alleged any misrepresentation or omission, he has not alleged that it caused him injury. Mot. at 34. But E.C. has alleged that if he had “known GoodRx would share his prescription information and other sensitive data with third parties, including for advertising and other undisclosed purposes, he would never have used the website or shared his information with GoodRx.” Compl. ¶ 45. This is sufficient to satisfy the causation element at the pleading stage. See Boateng v. BMW AG , 753 F. Supp. 3d 215, 241 (E.D.N.Y. 2024), appeal filed , No. 24-2976 (2d Cir. Nov. 8, 2024) (where jury found that the plaintiff might not have purchased a vehicle absent the defendant’s material omission, the plaintiff’s theory of causation “fit comfortably within the New York precedent regarding GBL § 349 causation.”).
Accordingly, the motion to dismiss Plaintiffs’ GBL claim is DENIED . i. CIPA The wiretapping provision of CIPA provides: Any person who, by means of any machine, instrument, or contrivance, or in any other manner . . . willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to lawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars.
Cal. Penal Code § 631(a). The recording provision of CIPA states that it is unlawful for any person to “intentionally and without the consent of all parties to a confidential communication, use[ ] [a] recording device to . . . record the confidential communication[.]” Cal. Penal Code § 632(a). A “confidential communication” is “any communication carried on in circumstances as may reasonably indicate that any party to the communication desired it to be confined to the parties thereto[.]” Cal. Penal Code § 632(c)
The Moving Defendants challenge Plaintiffs’ CIPA claims on four grounds. First, they argue Plaintiffs’ allegations do not describe communications that are “confidential” with the meaning of the statute. Mot. at 35-36. Second, they argue that, as to the out-of-state plaintiffs, any such communications would not have been “sent from” or “received at” California and that, as to Criteo, due process prohibits the application of California law absent the requisite contacts with the state. Id. at 36. Third, the Moving Defendants argue that Criteo is covered by the party exception. Id. at 36-37. Fourth, they argue that Criteo did not receive any contents. Id. at 37. The Court addresses each argument in turn.
Despite the Moving Defendants’ contention to the contrary, Plaintiffs’ interactions with the GoodRx platform – by seeking discounts on specific prescriptions, seeking treatment for specific conditions, and disclosing symptoms – constitute confidential communications. See Norman- Bloodsaw v. Lawrence Berkeley Lab’y , 135 F.3d 1260, 1269 (9th Cir. 1998) (“One can think of few subject areas more personal and more likely to implicate privacy interests than that of one’s health or genetic make-up.”); In re Meta Pixel Healthcare Litig. , 647 F. Supp. 3d 778, 799 (N.D. Cal. 2022) (“[H]ealth-related communications with a medical provider are almost uniquely personal.”).
The Moving Defendants’ two-fold challenge to the claims non-California plaintiffs assert under California law is also unsuccessful, at least at this stage. With respect to Google and Meta, Plaintiffs allege that each maintains its principal place of business in California, and so, it is reasonable to infer that the data Plaintiffs allege was intercepted was “sent from” or “received at” the California locations where Google and Meta operate. See Meta Platforms, Inc. , 690 F. Supp. 3d at 1080 (“Plaintiffs plead that Meta is headquartered in California and Meta ‘designed and effectuated its scheme to track the patient communications at issue here from California.’ That is sufficient at this stage.”).
With respect to Criteo’s argument that due process prohibits the application of California law against it for lack of the requisite contacts with the state, the Court finds it premature at this stage. At least two California Plaintiffs – Marquez and Wilson – allege that Criteo intercepted their PII, health information, and other sensitive data they shared with GoodRx communications with the GoodRx Platform. See Compl. ¶¶ 46-52, 54-58, 161. In light of these allegations, which plausibly connect some of Criteo’s conduct to California, the Court cannot conclude, as a matter of law, that Criteo’s conduct lacks a substantial nexus to California such that permitting Plaintiffs to assert California claims against it is improper. See Meta Platforms, Inc. , 690 F. Supp. 3d at 1079 (denying rejecting extraterritoriality argument at motion to dismiss stage based, in part, on it being premature); Kellman v. Spokeo, Inc. , 599 F. Supp. 3d 877, 893 (N.D. Cal. 2022) (explaining that “[e]xtraterritoriality . . . is a complicated issue and different states and different statutes take different approaches[,]” and following “[o]ther courts [that] have often deferred determination of th[e] issue until there has been discovery . . . .”). Should discovery bear out no such nexus, Criteo may renew its arguments at summary judgment or seek an appropriate stipulation from Plaintiffs.
Criteo’s attempt to invoke the party-exception also fails. See In re Facebook, Inc. Internet Tracking Litig. , 956 F.3d 589, 608 (9th Cir. 2020) (“Permitting an entity to engage in the unauthorized duplication and forwarding of unknowing users’ information would render permissible the most common methods of intrusion, allowing the exception to swallow the rule.”). The argument that Criteo received no contents is also unpersuasive. Here, Plaintiffs allege that Criteo intercepted the “PII, health information, and other sensitive data” they shared with GoodRx “to obtain medical treatment and prescriptions.”. Compl. ¶ 161. This is sufficient. See FullStory , 712 F. Supp. 3d at 1261 (rejecting argument that the plaintiff had failed to sufficiently allege “contents” where she alleged that she submitted information on the Hey Favor platform to secure prescriptions and birth control products); Meta Platforms, Inc. , 690 F. Supp. 3d at 1077 (“[P]laintiffs have adequately alleged covered content is transferred. The boundaries of what transferred information is content under the Act is better determined on a full evidentiary record.”).
Accordingly, the motion to dismiss Plaintiffs’ CIPA claim is DENIED . j. Intrusion upon seclusion Plaintiffs bring two causes of action (claims 1 and 2) for intrusion upon seclusion. Compl. ¶¶ 230-261. To consider this claim, courts generally “ask whether: (1) there exists a reasonable expectation of privacy, and (2) the intrusion was highly offensive.” Calhoun v. Google LLC , 526 F. Supp. 3d 605, 629 (N.D. Cal. 2021). “To meet the first element, the plaintiff must have had an objectively reasonable expectation of seclusion or solitude in the place, conversation, or data source.” Id. (internal quotations and citations omitted). “[T]he relevant question here is whether a user would reasonably expect that [the defendant] would have access to the user’s individual data . . . .” In re Facebook, Inc. Internet Tracking Litig. , 956 F.3d 589 at 602. Whether a plaintiff meets the second element “requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder’s motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive.” Id. at 606.
The Moving Defendants argue that Plaintiffs fail to satisfy each element. Not so. Plaintiffs allege that the Moving Defendants have illegally intercepted their medical information, and “[p]ersonal medical information is understood to be among the most sensitive information that could be collected about a person.” See UC Regents , 672 F. Supp. 3d at 820. With respect to the second element, “[t]he ultimate question of whether [the defendant’s] tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” In re Facebook, Inc. Internet Tracking Litig. , 956 F.3d at 606.
Accordingly, the motion to dismiss Plaintiffs’ intrusion upon seclusion claims is DENIED. k. Unjust enrichment Plaintiffs’ third cause of action is for unjust enrichment. Compl. ¶¶ 262-270. “To allege unjust enrichment as an independent cause of action, a plaintiff must show that the defendant received and unjustly retained a benefit at the plaintiff’s expense.” ESG Cap. Partners, LP v. Stratos , 828 F.3d 1023, 1038 (9th Cir. 2016).
The Moving Defendants seek dismissal of Plaintiffs’ unjust enrichment claim for two reasons. Mot. at 38. First, they argue that Plaintiffs have failed to allege an actionable wrong. Id. Second, they argue that the claim is barred by Plaintiffs’ agreement to Meta’s terms of service. Both arguments fail.
Plaintiffs have adequately alleged facts to support a claim for unjust enrichment. They allege that the Moving Defendants unlawfully intercepted their sensitive health data, that the Moving Defendants did so without Plaintiffs’ consent, and that the Moving Defendants have unjustly retained the proceeds of monetizing the illegal obtained data. Compl. ¶¶ 262-270.
That Plaintiffs may have agreed to Meta’s terms of service does not preclude the claim from moving past the pleading stage. While “[a]n action based on an implied-in-fact or quasi- contract cannot lie where there exists between the parties a valid express contract covering the same subject matter[,] . . . Meta has not established that the parties had a contract.” In re Meta Pixel Tax Filing Cases , 724 F. Supp. 3d at 1008 (internal quotations and citations omitted).
Accordingly, the motion to dismiss Plaintiffs’ unjust enrichment claim is DENIED .
III.
CONCLUSION For the reasons set forth above, the pending motion to dismiss is GRANTED IN PART AND DENIED IN PART .
IT IS SO ORDERED.
Dated: July 22, 2025 A RACELI M ARTÍNEZ -O LGUÍN United States District Judge
NOTES
[1] The factual background is based on the allegations in Plaintiffs’ consolidated class action complaint, ECF 102 (“Compl.”), which are taken as true and construed in the light most favorable to them for the purpose of this motion. See Manzarek v. St. Paul Fire & Marine Ins. Co. , 519 F.3d 1025, 1031 (9th Cir. 2008).
[2] Also in March 2019, GoodRx promised it adhered to the Digital Advertising Alliance principles, which discourage companies from collecting and using “pharmaceutical prescriptions, or medical records about a specific individual for Online Behavioral Advertising without Consent.” Compl. ¶ 108. 28
[3] Doe used the same device to access her accounts with Facebook, Instagram, Google Maps, and 25 YouTube. Id. ¶ 24. 26
[4] Doe II used the same device to access her Facebook and Google accounts. Id. ¶ 31. 27
[5] During the time E.C. accessed the GoodRx Platform, he also had Facebook, Instagram, and Google Accounts. Id. ¶ 42. 28
[6] During this time, Marquez had Facebook, Instagram, and Google accounts, and he accessed those accounts with the same device he used to access the GoodRx Platform. Id. ¶¶ 49, 50.
[7] At the time, Wilson had Facebook, Instagram, YouTube, and Google Accounts. Id. ¶ 56. 28
[8] At the hearing, Plaintiffs indicated that they are not pursuing the ICFA claim or a claim under the 25 UCL’s fraud prong. The motion to dismiss is therefore GRANTED WITHOUT LEAVE TO AMEND as to those claims. 26
[9] Though the Moving Defendants seek to dismiss the complaint “in full,” their briefing does not 27 address Plaintiffs’ claims for violation of the CLRA, negligence, and negligence per se. See generally Mot. Those claims, which Plaintiffs assert against GoodRx, see Compl. ¶¶ 332-344, 28 ¶¶ 374-387, ¶¶ 388-396, remain live.
[10] In ruling on the pending motion, the Court has not considered arguments appearing in the 27 footnotes of the parties’ briefs or material they have attempted to incorporate by reference, in violation of the Court’s Standing Order for Civil Cases ¶ H.3. The Court will strike future similar 28 filings.
[11] The Court also rejects the Moving Defendants other efforts to raise the bar Plaintiffs must clear at this stage. For example, the Moving Defendants advocate for a Rule 9(b) standard where none applies, see, e.g. , Mot. at 25 (arguing that certain of Plaintiffs’ allegations about intent sound in conspiracy such that they must satisfy Rule 9(b)), and they similarly seek to impose additional elements on Plaintiffs’ claims though not required under existing law, see e.g. , Mot. at 38 (contending that Plaintiffs lack allegations of “plus factors” needed to establish highly offensive conduct).
[12] The Moving Defendants highlight that the promises on which Plaintiffs rely remained in effect 23 only through 2019. See Mot. at 27-28. And, while Plaintiffs have yet to specify a class period or relevant time period in their complaint, “[a]t this point, the contents of each applicable policy or 24 other binding representation made by [the platform] regarding treatment of personal or healthcare information has not been established as a matter of law.” See FullStory, Inc. , 712 F. Supp. 3d at 25 1254; see also Meta Platforms, Inc. , 690 F. Supp. 3d at 1078 (“Determination of whether actual consent was given depends on what Meta disclosed to healthcare providers, how it described and trained healthcare providers on the Pixel, and how the healthcare providers understood the Pixel 26 worked and the information that then could or would be collected by Meta.”). 27
[13] The Moving Defendants rely on the Ninth Circuit’s unpublished decisions in Smith and Lloyd v. 28 Facebook , No. 23-15318, 2024 WL 3325389 (9th Cir. July 9, 2024). See Mot. at 26-29. In Smith ,
[14] Nor does the Court consider the Moving Defendants’ arguments about the effect of Plaintiffs’ failure to defend claims in prior motion to dismiss briefing. See Mot. at 19. The prior motions to dismiss were denied without prejudice, see ECF 166, and thus have been superseded by those currently pending.
[15] Plaintiff E.C. brings this claim on behalf of himself and the proposed New York subclass and in 28 the alternative to Plaintiffs’ claim under the UCL. Compl. ¶¶ 361-367.
[16] In their opposition brief, Plaintiffs argue that “[u]nder the GBL, the wrongful misappropriation of health data without notice is itself a deceptive act or practice[,]” and that “[i]t does not, as Defendants contend . . . , require a material misrepresentation or omission.” Opp. at 31. The Court interprets this argument as Plaintiffs disclaiming any theory of recovery under the GBL that is premised on paragraph 365 of their complaint, which alleges “GoodRx further engaged in unfair business practices because it made material misrepresentations and omissions concerning the information that it assured users it would not share with third parties, which deceived and misled users of the GoodRx Platform.” The motion to dismiss is therefore GRANTED as to the GBL to that limited extent; it is otherwise DENIED for the reasons set forth above.