Neil Getz v. CVS Health Corporation
2:25-cv-04689
C.D. Cal.
Oct 24, 2025
Check Treatment
Docket

Neil Getz v. CVS Health Corporation et al.

Case No. 2:25-cv-04689-MWC-E

UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF CALIFORNIA

October 24, 2025

Thе Honorable Michelle Williams Court, United States District Judge

CIVIL MINUTES – GENERAL; Document 79; Filed 10/24/25

Present: The Honorable Michelle Williams Court, United States District Judge

T. JacksonNot Reported
Deputy ClerkCourt Reporter / Recorder

Attorneys Present for Plaintiffs: N/A

Attorneys Present for Defendants: N/A

Proceedings: (In Chambers) Order GRANTING IN PART and DENYING IN PART CVS‘s motion to dismiss and motion to strike (Dkt. # 45); GRANTING IN PART and DENYING IN PART Medallia‘s motion to dismiss (Dkt. # 56); GRANTING Criteo‘s motion to dismiss (Dkt. # 57); and DENYING as MOOT Criteo‘s motion to stay (Dkt. # 59).

Before the Court are four motions. First is a motion to dismiss or, in the alternative, to strike class allegations filed by Defendant CVS Pharmacy, Inc. (“CVS“) 1. Dkt. # 45 (“CVS MTD“). Plaintiff Justin Brewer (“Plaintiff“) opposed, Dkt. # 52 (“CVS Opp.“), and CVS replied, Dkt. # 58. Second is a motion to dismiss filed by Defendant Medallia, Inc. (“Medallia“). Dkt. # 56-1 (“Medallia MTD“). Plaintiff opposed, Dkt. # 66 (“Medallia Opp.“), and Medallia replied, Dkt. # 72 (“Medallia Reply“). Third is a motion to dismiss and to strike class allegations filed by Defendant Criteo, Inc. (“Criteo“). Dkt. # 57 (“Criteo MTD“). Plaintiff opposed, Dkt. # 65 (“Criteo Opp.“), and Criteo replied, Dkt. # 73. Fourth is a motion filed by Criteo to stay discovery pending resolution of its motion to dismiss. Dkt. # 59. Plaintiff opposed, Dkt. # 65, and Criteo replied, Dkt. # 74. The Court finds the matter appropriate for decision without oral argument and VACATES the hearing on October 24, 2025. See Fed. R. Civ. P. 78; L.R. 7-15. Having considered the papers, the Court GRANTS Criteo‘s motion to dismiss for lack of personal jurisdiction WITH LEAVE TO AMEND; GRANTS IN PART and

DENIES IN PART CVS‘s and Medallia‘s motions to dismiss WITH LEAVE TO AMEND; and DENIES CVS‘s motion to strike class allegations. Since the motions are resolved, the Court DENIES as MOOT Criteo‘s motion to stay discovery.

I. Background

A. Factual Background

Plaintiff brings a proposed data privacy class action arising out of Plaintiff‘s interactions with CVS‘s website, www.cvs.cоm (the “Website“). The first amended class action complaint (“FAC“) against Defendants CVS, Medallia, and Criteo (collectively, “Defendants“) alleges as follows:

CVS is a Delaware corporation with a principal place of business in Rhode Island and headquarters in California. FAC ¶¶ 10–11. CVS maintains an online pharmacy, retail store, vaccination center, and health clinic through the Website. Id. ¶ 1.

Criteo is a digital advertising company incorporated in Delaware with a principal place of business in New York. Id. ¶ 10. Criteo “regularly conduct[s] business in California.” Id. ¶ 11. Criteo specializes in creating personalized advertisements. Id. ¶¶ 5, 17. It describes itself as partnering with large, sophisticated consumer brands, retailers, commerce companies and media owners “to capture user activity on their websites and mobile applications [...], which we define as digital properties, and leverage that data to deliver superior ad performance to help marketers, brands and agencies reach their campaign objectives from top to bottom of the marketing funnel.” Id. ¶ 5.

Medallia is a digital advertising and data analysis company incorporated in Delaware with a principal place of business in California. Id. ¶ 11. Medallia focuses on collecting, compiling, and processing its clients’ customer and employee data. Id. ¶ 6. Medallia describes its digital solutions as permitting customers to “identify who is visiting your digital property and what they want while powering individualized next/best actions across your organization.” Id.

Website users took actions on the Website related to their personal healthcare, such as keyword searches, id. ¶ 41, viewing, clicking on, and purchasing medicine and merchandise, id. ¶ 45, scheduling vaccinations, id. ¶ 53, scheduling doctor appointments with CVS‘s MinuteClinic, id. ¶¶ 57–58, and managing prescription drugs, id. ¶ 60, which

conveyed Protected Health Information (“PHI“) and Personally Identifiable Information (“PII“) (collectively, “Private Information“) to CVS, id. ¶ 3. Plaintiff and Website users had a reasonable belief that CVS would take appropriate steps to maintain the privacy of these communications. Id. ¶ 3. Instead, CVS aided, employed, agreed and conspired with Criteo, Medallia, non-party Adobe, Inc. (“Adobe“) (collectively, “Third-Party Trackers“) and others to intercept Website users’ Private Information via third-party code embedded on the Website. Id. ¶¶ 4, 7.

CVS employed three kinds of third-party trackers.

First, CVS used non-party Adobe‘s software development kit (“Adobe Trackers“), which CVS embedded into the Website without users’ knowledge. Id. ¶ 23. Adobe Trackers intercept and collect Website users’ Private Information, including search queries, viewed or purchased over-the-counter and prescription drugs, scheduled vaccination details, and MinuteClinic appointment data. Id. The collected data is linked to unique user identifiers and transmitted to Adobe‘s servers, where it is analyzed to build user profiles. Id. ¶ 25. CVS then uses the Adobe Experience Cloud, Adobe‘s suite of integrated online marketing and web analytics products, to facilitate its marketing efforts. Id. ¶¶ 25-26; see id. ¶¶ 23–25, 28–40 (facts concerning Adobe Experience Cloud). Adobe Trackers operate whether users are logged in or browsing as guests. Id. ¶¶ 43, 50–52. Logged-in users also have persistent identifiers (PPIDs) transmitted, enabling Adobe to track behavior across sessions. Id. ¶¶ 43, 52, 55, 59, 61. Sensitive PHI, including medications and health conditions, are linked to the profiles, exposing Website users to targeted advertising based on their private health choices. Id. ¶ 26.

Second, CVS partnered with Criteo, a third-party advertising company, to install tracking code (“Criteo Trackers“) on its website. Id. ¶¶ 63, 65. These trackers “track users’ activity on the Website, unbeknownst to those users, together with unique identifiers capable of identifying them, for Criteo‘s and other third-parties’ marketing uses.” Id. ¶ 63. Using “various unique identifiers and informаtion that Criteo intercepts,” Criteo can “identify Website users across different devices, visits, and touchpoints, creating a unique customer profile.” Id. CVS then utilizes Criteo‘s “advertising platform and services” to target specific users. Id. ¶ 64. Criteo‘s interception of sensitive health-related information violated privacy rights and laws such as the California Invasion of Privacy Act (“CIPA“) and the Health Insurance Portability and Accountability Act (HIPAA). Id. ¶¶ 65–66. Upon information and belief, Adobe shares intercepted data with Criteo, permitting Criteo to further enhance its own advertising profiles by syncing

with Adobe‘s data. Id. ¶¶ 44, 56. Thus “Criteo directly intercepted, at a minimum, Website users’ Private Information, including keyword searches, prescription medicine, and page views, including checkout pages.” Id. ¶ 65.

Third, CVS pays Medallia for its data collection and processing services. Id. ¶ 70. Similarly to Criteo, Medallia offered snippets of code to CVS and other tracking services (“Medallia Trackers“) designed to surreptitiously track users’ activity on the Website. Id. Using “various unique identifiers and information that Medallia intercepts,” Medallia can “identify Website users across different devices, visits, and touchpoints, creating a unique customer profile.” Id. CVS disclosed and Medallia intercepted Website users’ private communications made to CVS on the Website. Id. ¶ 71. Thus “Medallia directly intercepted, at a minimum, Website users’ Private Information.” Id.

Plaintiff is a citizen and resident of California. Id. ¶ 14. On multiple occasions between July 2024 and July 2025, Plaintiff visited the Website from his home in California to research over-the-counter medical products relating to a serious medical condition affecting Plaintiff and relating to private sexual health products. Id. ¶ 103. Plaintiff searched for these over-the-counter products on the Website and viewed the corresponding product pages after performing his searches for these medications. Id. Plaintiff also purchased sexual health products after viewing them on the Website. Id. As a result of Defendants’ conduct, Plaintiff received targeted advertisements as he browsed online webpages, both on the Website and on other websites, relating to his private activity on the Website, i.e., advertisements related to the medical condition and related symptoms. Id. He also saw advertisements for similar sexual health products as those he purchased on the Website. Id.

Website users, including Plaintiff, had a reasonable expectation of privacy in the Private Information they communicated with CVS. Id. ¶ 77. The media has reported a rise in the value of Private Information. Id. ¶¶ 86–91.

B. Procedural Background

On March 19, 2025, Neil Getz filed a putative class action complaint in state court against CVS initiating this action. Dkt. # 1-1. On Mary 23, 2025, Defendant CVS removed the case to this court. Dkt. # 1. On July 9, 2025, Getz filed the FAC adding Brewer as an additional plaintiff and Criteo and Medallia as defendants. See FAC. On

September 4, 2025, Getz voluntarily dismissed his claims, leaving Brewer the sole named Plaintiff. See Dkt. # 51.

Plaintiff brings seven causes of action against Defendants: (1) violation of CIPA, California Penal Code § 631(a); (2) violation of CIPA, California Penal Code § 632(a); (3) violation of California‘s Unfair Competition Law (“UCL“), California Business & Professions Code §§ 17200 et seq.; (4) breach of confidence; (5) invasion of privacy under the California Constitution; (6) common law invasion of privacy and intrusion upon seclusion, and (7) negligence and negligence per se.2 See generally FAC.

Plaintiff brings the action against Defendants on behalf of himself and the following classes:

Nationwide Class: All persons in the United States who accessed the Website and had their Private Information transmitted to third parties via the Adobe Trackers within the statute-of-limitations period through the date of class certification (“Class“).

California Subclass: All persons in the state of California who accessed the Website and had their Private Information transmitted to third parties via the Adobe Trackers within the statute-of-limitations period through the date of class certification (“California Subclass“).

FAC ¶ 115.3

Plaintiff brings Counts 1, 2, 3, and 5 on behalf of himself and the California Subclass, and Counts 4, 6, and 7 on behalf of himself and the Nationwide Class. See FAC.

II. Motions to Dismiss

Medallia moves to dismiss under Rule 12(b)(1), contending Plaintiff lacks Article III standing as a result of Medallia‘s conduct. See Medallia MTD. Criteo moves to dismiss under Rules 12(b)(2), contending that Criteo is not subject to the Court‘s personal jurisdiction. See Criteo MTD. And each Defendant moves to dismiss the FAC under Federal Rule of Civil Procedure (“Rule“) 12(b)(6) for failure to state a claim against it. See CVS MTD, Medallia MTD, Criteo MTD.

The Court takes each motion in turn.

A. Whether Plaintiff has standing to bring claims against Medallia

i. Legal Standard (Rule 12(b)(1))

A motion to dismiss filed pursuant to Rule 12(b)(1) is a challenge to the court‘s subject matter jurisdiction. See Fed. R. Civ. P. 12(b)(1). “Federal courts are courts of limited jurisdiction,” and it is “presumed that a cause lies outside this limited jurisdiction.” . The party invoking the jurisdiction of the federal court bears the burden of establishing that the court has the requisite subject matter jurisdiction to grant the relief requested. Id.

A Rule 12(b)(1) jurisdictional attack can be facial, based on the legal sufficiency of the claim, or factual, based on the legal sufficiency of the jurisdictional facts. . When considering a facial attack, the Court considers the complaint‘s allegations ‍‌‌​​‌​​​‌​​​‌​​​​​​‌​‌‌​‌‌​‌​​​‌‌‌​​‌​‌​​​​​‌​‌‌‍to be true, and it draws all reasonable inferences in the plaintiff‘s favor. (citation оmitted). If a party raises a factual challenge to subject matter jurisdiction, the court may review other evidence to resolve the factual dispute concerning jurisdiction. . If the court determines at any time that it lacks subject-matter jurisdiction, it must dismiss the action. Fed. R. Civ. P. 12(h)(3).

ii. Discussion

Medallia seeks to dismiss all five counts against it on the grounds that Plaintiff lacks Article III standing to bring any of his claims, because Plaintiff has not shown sufficient injury in fact as to Medallia‘s alleged conduct. Medallia MTD 7–11; Medallia Reply 3–9.

Article III confines the federal judicial power to the resolution of “Cases” and “Controversies.” See . To establish standing, “a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” (citing ). “The party invoking federal jurisdiction bears the burden of establishing these elements.” . If “the plaintiff does not claim to have suffered an injury that the defendant caused and the court can remedy, there is no case or controversy for the federal court to resolve.” . “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly . . . allege facts demonstrating’ each element.” (internal citation omitted).

Medallia argues Plaintiff has not alleged a concrete injury pursuant to the Ninth Circuit‘s recent holding in . In , a right-to-privacy class action complaint involving internet tracking technology, the Ninth Circuit clarified that allegations of a violation of the California Invasion of Privacy Act (CIPA), alone, are not enough to confer Article III standing; instead, Plaintiff must demonstrate “a concrete injury even in the context of a statutory violation.” (quotation omitted). Under , Plaintiff must allege a harm “that has traditionally been actionable in our nation‘s legal system.” . These include “four distinct torts: intrusion upon seclusion, appropriation of another person‘s name or likeness, publicity given to another person‘s private life, and publicity that places one in a false light.” (emphasis original), quoting . The plaintiff alleged the information captured included “the date a user visited the website, the device the user accessed the website on, the type of browser the user accessed the website on, the operating system of the device used to access the website, the country where the user accessed the website from, a user‘s mouse

movements, a user‘s screen swipes, text inputted by the user on the website, and how far down a webpage a user scrolls.” The Court found the plaintiff lacked Article III standing because she “has not identified a harm that she experienced that is remotely similar to those protected by these torts.” .

Plaintiff bases his claims upon intrusion upon seclusion. Medallia Opp. 6–9. “To show intrusion upon seclusion, a plaintiff must show ‘an intentional interference with his interest in solitude or seclusion, either as to his person or as to his private affairs or concerns, of a kind that would be highly offensive to a reasonable man.‘” (9th Cir. Aug. 26, 2025), quoting .

Plaintiff‘s allegations are sufficiently similar to the “highly offensive interferences or disclosures actionable at common law” to state an intrusion upon seclusion claim. See . For one, the nature of the information alleged to have been captured is more sensitive than the information regarding pet supplies captured in . See FAC ¶¶ 103–04; (plaintiff “identifie[d] no embarrassing, invasive, or otherwise private information collected by [defendant‘s session-replay technology]. Additionally, the nature of session replay technology differs from the Medallia Tracker as alleged. The Ninth Circuit observed, “[T]he monitoring of Popa‘s interaction with [the website] seems more similar to a store clerk‘s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.” Here, unlike a store clerk monitoring sales activity within the store, the FAC alleges that Plaintiff later received targeted advertisements on other webpages related to his private activity on the Website, the medical condition, related symptoms, and similar sexual health products. FAC ¶ 104.

Medallia argues the alleged invasion is not highly offensive, because Plaintiff never alleges that “the information was never used for any purpose other than CVS‘, the entity that, Plaintiff alleges, ‘was authorized to obtain’ it.” Medallia Opp. 9:1-3. Medallia argues that its actions as alleged are akin to CVS providing consumer information to a third party to package and ship items on the Site, which no one would find injurious. See Reply 6. Medallia also submits a declaration attesting that Medallia is contractually prevented from using for its own purposes any of the information collected on the Website. Dkt. # 56-2. In response, Plaintiff argues that there is no requirement that the tracking software provider use the sensitive data for its own purpose. Opp. 7–8. Moreover, the FAC adequately alleges that Medalliа did use the data for its purpose. Id.

The Court follows other district courts in finding that loss of control of sensitive data is sufficient to allege a concrete injury. See, e.g., (finding plaintiff‘s “allegations that [website owner] deprived him [of] control of personal information regarding his digital activity and profile” sufficiently pled a concrete injury to his right to privacy); (“Numerous courts, including the Ninth Circuit, have found allegations concerning the interference with plaintiffs’ control over their personal data to be sufficient for standing“). Here, the FAC alleges Medallia deprived Plaintiff control of his personal information regarding his digital activity, when it intercepted Plaintiff‘s data to create unique profiles and targeted advertisements. See FAC ¶ 70-71. This sufficiently alleges a loss of control.

Additionally, courts are generally prohibited from “consider[ing] any material beyond the pleadings” on a motion to dismiss. . Medallia‘s submission of declaration evidence on a motion to dismiss suggests its arguments that it did not benefit from Plaintiff‘s data are better suited for summary judgment.

Finally, as required to plead intrusion upon seclusion, Plaintiff has alleged a reasonable expectation of privacy in his Private Information and a substantial impact on his privacy interests. In determining whether an invasion is “highly offensive,” courts consider “the degree and setting of the intrusion,” along with “the intruder‘s motives and objectives.” . Due to the factually intensive nature of the inquiry, “[c]ourts are generally hesitant to decide claims of this nature at the pleading stage.” . Only if the allegations “show no reasonable expectation of privacy or an insubstantial impact on privacy interests” can the “question of [a serious or highly offensive] invasion [] be adjudicated as a matter of law.” .

As noted, the FAC alleges that Medallia deprived Plaintiff control of his sensitive health information and digital activity. At the pleading stage, this is enough to show a concrete injury to his right to privacy and, subsequently, confer Article III standing.

B. Whether the Court may exercise personal jurisdiction over Criteo

i. Legal Standard

Under Rule 12(b)(2), a defendant may seek dismissal of an action due to lack of personal jurisdiction. See Fed. R. Civ. P. 12(b)(2). “Where the motion is based on written material rather than on an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts. ; see (when resolving a motion to dismiss under Rule 12(b)(2) based on written materials, courts accept uncontroverted facts in the complaint as true and resolve conflicts in affidavits in the plaintiff‘s favor).

“Federal courts ordinarily follow state law in determining the bounds of their jurisdiction over persons.” . “Because California‘s long-arm statute allows the exercise of personal jurisdiction to the full extent permissible under the U.S. Constitution, our inquiry centers on whether exercising jurisdiction comports with [constitutional] due process.” (internal quotation marks and citation omitted); see Cal. Code Civ. Proc. § 410.10 (“A court of this state may exercise jurisdiction on any basis not inconsistent with the Constitution of this state or of the United States.“).

“Federal due process permits a court to exercise personal jurisdiction over a nonresident defendant if that defendant has at least ‘minimum contacts’ with the relevant forum such that the exercise of jurisdiction ‘does not offend traditional notions of fair play and substantial justice.‘” (quoting ). “Those contacts may be so continuous and systematic as to render a defendant essentially at home in the forum state and amenable to any suit there. Alternatively, a court may exercise jurisdiction over ‘issues deriving from, or connected with, the very controversy that establishes jurisdiction.‘” (quoting ). “The Supreme Court has referred to these different bases for personal jurisdiction as ‘general’ and ‘specific’ jurisdiction.” (citing ).

Because Plaintiff does not dispute that Criteo is not subject to general jurisdiction, see Criteo MTD Opp. 4, the Court will analyze only whether the FAC adequately alleges a basis for specific jurisdiction.

For a court to exercise specific jurisdiction, the lawsuit must arise out of or relate to the defendant‘s contacts with the forum. . The Ninth Circuit “ha[s] established a three-part test for specific personal jurisdiction.” , cert. denied, . The three parts are:

(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;

(2) the claim must be one which arises out of or relates to the defendant‘s forum related activities; and

(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.

Id. (citing ). “The plaintiff has the burden of proving the first two prongs.” (citing ). “If the plaintiff meets that burden, the burden then shifts to the defendant to present a compelling case that the exercise of jurisdiction would not be reasonable.” (internal quotation marks and citation omitted).

ii. Purposeful direction

Criteo primarily disputes the first of the Ninth Circuit‘s three-part test. See Criteo MTD 6 (summarily addressing parts two and three). To establish part one, courts generally apply either a “purposeful availment” or “purposeful direction” test. . “Purposeful availment generally provides a more useful frame of analysis for claims sounding in contract, while purposeful direction is often the better

approach for analyzing claims in tort.” Id. at 1107. Because privacy and data use violations are sound in tort, the Ninth Circuit often employs a purpose direction analysis, and so will this Court. See .

“[T]he purposeful direction test requires that the defendant (1) commit an intentional act, that is (2) expressly aimed at the forum state, and (3) which causes harm that the defendant knows will be suffered in the forum state.” (citation omitted). This test, also known as the effects test, is drawn from the Supreme Court‘s decision in .

a. Intentional act

The first prong of the effects test requires an intentional act, defined as “an intent to perform an actual, physical act in the real world, rather than an intent to accomplish a result or consequence of that act.” . “This standard focuses on the defendant‘s deliberate conduct, not the intent to cause harm, ensuring the act is purposeful and not incidental.” . “A number of California district court cases have ruled that where a plaintiff adequately alleges a CIPA or intrusion-based claim, tortious conduct can satisfy the ‘intentional act’ requirement for specific jurisdiction.” (collecting cases).

The FAC alleges as to Criteo that “Criteo offered snippets of code to CVS and other tracking services (‘Criteo Trackers‘), which were designed to track users’ activity on the Website, unbeknownst to those users, together with unique identifiers capable of identifying them, for Criteo‘s and other third-parties’ marketing uses. Upon information and belief, the various unique identifiers and information that Criteo intercepts employs allow it to identify Website users across different devices, visits, and touchpoints, creating a unique customer profile similar to Adobe‘s Identity Graph.” FAC ¶ 63. It also alleges, “Upon information and belief, CVS contracted with Criteo for the implementation of the Criteo Trackers on its Website, after which CVS and Criteo implemented those tracking technologies onto the Website. As a result, CVS disclosed and Criteo intercepted Website users’ private communications made to CVS on the Website.” Id. ¶ 65.

The Court finds the FAC has sufficiently alleged deliberate conduct; thus, the FAC sufficiently alleges Criteo committed intentional acts.

b. Aimed at the forum state

However, Plaintiff has not sufficiently alleged Criteo‘s intentional conduct was aimed at the forum state.

In , the plaintiff (“Briskin“), a California resident, filed a purported class action alleging privacy related torts against Shopify, a web-based payment platform that facilitates online sales for merchants with whom it contracts. . According to the complaint, Briskin made an online clothing purchase from a California retailer that used Shopify. Id. The complaint alleged Shopify sends “executable JavaScript code to consumers’ computers or mobile devices” during the process of facilitating credit card transactions for retailers using Shopify, “which then load and execute the code to display the payment form.” Id. The complaint alleged, while knowing that the device Briskin used to shop was located in California, “Shopify surreptitiously implanted cookies that permanently remained on Briskin‘s device, tracked its physical location, and collected data regarding Briskin‘s online shopping activity.” Id. The complaint further “allege[d] that Shopify used the resulting data to compile a consumer ‍‌‌​​‌​​​‌​​​‌​​​​​​‌​‌‌​‌‌​‌​​​‌‌‌​​‌​‌​​​​​‌​‌‌‍profile that Shopify marketed widely, including to many California merchants.” Id. at 746.

The Ninth Circuit‘s en banc panel vacated its prior opinion and held that Shopify “expressly aimed its conduct at California by extracting, maintaining and сommercially distributing California consumers’ personal data violating California laws.” Id. at 756. The court explained the “expressly aimed” prong was satisfied because Shopify‘s interactive platform “deliberately reached out beyond its home state by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither ‘random, isolated, [n]or fortuitous.‘” Id. at 759 (citation omitted). By analogy, the court explained that pre-internet, “there would be no doubt that the California courts would have specific personal jurisdiction over a third party who physically entered a California[n]‘s home by deceptive means to take personal information from the Californian‘s files for its own commercial gain.” Id. The Ninth Circuit further held that expressly aiming does not require a nationwide interactive website to have a “forum-specific focus” or “differential targeting.” Id. at 757-58.

At the same time, the court left undisturbed requirements, laid out in , that a court must find “‘something more’ than just a foreseeable effect” in the forum state. . “[V]arious factors we had considered in our prior cases to determine whether the website operator had done ‘something more’ in the forum state: ‘the interactivity of the defendant‘s website; the geographic scope of the defendant‘s commercial ambitions; and whether the defendant ‘individually targeted’ a plaintiff known to be a forum resident.” Id. at 754 (citing ). Thus the court found the following allegations satisfied the requirement of express aiming: “Shopify knows about its California consumer base, conducts its regular business in California, contacts California residents, interacts with them as an intermediary for its merchants, installs its software onto their devices in California, and continues to track their activities. This ‘conduct connects [Shopify] to [California] in a meaningful way.‘” , quoting .

Plaintiff argues that “Criteo‘s interception of the private data of CVS Website users from throughout the country, including in California, in order to create audience maps of CVS’ customers by their geographic location, satisfies the second prong.” Criteo Opp. 5-6. He also argues, citing , that “Criteo cultivates just such a nationwide audience. It collects Website users’ precise geolocation data, both directly from CVS and via Adobe, and uses that location data to connect its advertising customers with ‘audiences,’ including in California.” Criteo Opp. 6.

However, Plaintiff does not cite any allegation in the FAC for these propositions, and the Court finds none. For examplе, the FAC does not allege that Criteo knew Plaintiff‘s (or any user‘s) “precise geolocation data.” Compare FAC and Criteo Opp. 5–6. Nor does the FAC allege that the CVS Website has “users from throughout the country, including in California,” or that Criteo created audience maps of users in California, besides Plaintiff. Compare id. The FAC‘s relevant allegations are limited to the following: Criteo, as one of the “Defendants[,] regularly conduct[s] business in California,” FAC ¶ 11; Criteo Trackers obtain Website users’ IP addresses, id. ¶ 67; and Criteo maintains customer profiles based on “unique identifiers” shared from Adobe, see id. ¶ 56, which may include IP addresses, id. ¶ 33. Additionally, Plaintiff used the Website in California. Id. ¶ 102.

Even if the Court were to take judicial notice sua sponte of the fact that the Website is available nationwide, including in California, see Fed. R. Evid. 201, the FAC still falls short of establishing “something more” than a foreseeable effect in the forum. Accordingly, the FAC does not sufficiently allege that Criteo expressly aimed its conduct toward California.

c. Conduct Criteo knew would cause harm in California

Nor does the FAC satisfy the third prong of the purposeful direction test: that Criteo “cause[d] harm that [it] knows will be suffered in the forum state.” .

Plaintiff concludes this prong is satisfied because, when users visit the Website, “Criteo then uses the data of Plaintiff and other California Website users, which it knows at that point to originate from individuals who reside in Cаlifornia, to inflict harm on them in California, by matching them with Criteo‘s advertiser customers based on their characteristics and subjecting them to targeted advertising where they live.” Criteo Opp. 6–7. However, the allegation it cites for this proposition, FAC ¶ 104, states only that “Plaintiff Brewer received targeted advertisements as he browsed online webpages, both on the Website and on other websites, relating to his private activity on the Website.” The cited allegation goes on to specify that the targeting Plaintiff experienced was aimed at the “medical condition and related symptoms” he had searched on the Website. See id. Nothing is alleged about Criteo‘s knowledge of harm in California, or, as Plaintiff argues, that users are subjected to targeted advertising based on location. See FAC.

Without more, Plaintiff has not satisfied the third element of the purposeful direction test.

iii. Arises out of or relates to Criteo‘s forum-related activities

As to the second part of the purposeful direction test, the FAC does not sufficiently allege that the claims against Criteo arise out of its activities in California. The only reason for the contact between Plaintiff and Criteo, that the FAC alleges, is that Criteo entered into a contract with CVS to utilize its trackers on CVS‘s Website, and Plaintiff visited the Website while in California. FAC ¶¶ 13, 102; see also Opp. 7 (element met because “Plaintiff‘s claims all arise out of the Criteo Trackers on CVS’ Website.“). “[J]urisdiction must arise out of the contacts that ‘defendant himself creates

with the forum state,’ and not defendant‘s contacts with entities that do business or reside there.” . Nor may Plaintiff establish personal jurisdiction based on his contact with the forum. (for personal jurisdiction, “it is the defendant, not the plaintiff or third parties, who must create contacts with the forum State.“).

The FAC does not allege Criteo created contacts with California from which the claims arise.

iv. Conclusion

Because the Court lacks personal jurisdiction over Criteo pursuant to Rule 12(b)(2), the Court declines to analyze the merits of Criteo‘s motion to dismiss pursuant to Rule 12(b)(6). See (refraining from analyzing a Rule 12(b)(6) motion after finding lack of personal jurisdiction over the defendants).

C. Whether Plaintiff failed to state a claim

i. Legal Standard

To survive a Rule 12(b)(6) motion, a complaint must “contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.‘” (quoting ). In assessing the adequacy of the complaint, the court must accept all plеaded facts as true and construe them in the light most favorable to the plaintiff. See ; . The court then determines whether the complaint “allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” . A cause of action‘s elements that are “supported by mere conclusory statements, do not suffice.” Id. Accordingly, “for a complaint to survive a motion to dismiss, the non-conclusory factual content, and reasonable inferences from that content, must be plausibly suggestive of a claim entitling the plaintiff to relief.” (internal quotation marks omitted).

The Court considers whether the FAC plausibly states claims against CVS as to all seven counts, and against Medallia as to counts 1, 2, 5, 6 and 7.

ii. Failure to allege specific facts

As an initial matter, CVS moves to dismiss the FAC in its entirety based on Plaintiff‘s failure to allege specific facts to support a cognizable legal theory. CVS argues that Plaintiff fails to identify what personal or health information was shared, and does not allege that his individually identifiable information was disclosed. CVS MTD 6–8.

The FAC describes Plaintiff‘s particular use of the Website as follows:

103. Plaintiff has used the Website on numerous occasions within the past year to research over-the-counter medical products rеlating to a serious medical condition affecting Plaintiff and relating to private sexual health products. Plaintiff searched for these over-the-counter products on the Website and viewed the corresponding product pages after performing his searches for these medications. Plaintiff Brewer also purchased sexual health products after viewing them on the Website.

104. As a result of Defendants’ conduct, Plaintiff Brewer received targeted advertisements as he browsed online webpages, both on the Website and on other websites, relating to his private activity on the Website. Specifically, after searching on the Website for products related to his medical condition, Plaintiff saw advertisements for medications relating to that medical condition and related symptoms. He also saw advertisements for similar sexual health products as those he purchased on the Website.

Id. ¶¶ 103-104. Elsewhere, the FAC alleges that “patients” may run any searches on the Website, regardless of which products CVS stocks.” Id. ¶ 41. It alleges examples of “sensitive healthcare products” that Website users may search for, including “birth control,” “pregnancy tests,” and “paternity tests,” which Adobe Trackers intercept in the URL generated by the keyword search. Id. ¶¶ 41–44. And the FAC alleges various

services Website users may employ, such as vaccination scheduling and doctor visits. See, e.g., id. ¶ 23. Plaintiff does not allege a specific search term that he utilized, nor that he used the services of the MinuteClinic or related to vaccinations.

Other courts within the Ninth Circuit have found similar allegations to be deficient. See, e.g., (“Cousin I“) (finding plaintiffs’ complaint regarding “sensitive personal and health information” lacked sufficient factual support because it only provided hypothetical examples and failed to specify what information plaintiffs provided defendants through their browsing history); (dismissing claims where plaintiff vaguely alleged a “search for information related to symptoms or conditions she was experiencing and to schedule treatment for those actual or potential medical conditions“). Additionally, Plaintiff does not allege he used the Website to access a patient portal, schedule an appointment, call a doctor‘s office, refill a prescription, view test results, and review notes from an appointment—types of activity that courts have found to be sufficient to demоnstrate disclosure of PHI. (finding the plaintiffs’ privacy claims based on the disclosure of personal medical information to be sufficiently stated where plaintiffs alleged they used defendants’ website and patient portal to schedule appointments, refill prescriptions, and view test results and appointment notes).

On the other hand, Plaintiff does identify the category of sensitive health information that he disclosed. FAC ¶¶ 103–04. Plaintiff argues he need not divulge the particular medical condition and medicine to establish the sensitivity of his Private Information, Opp. 5–7, and there is support for Plaintiff‘s contention. See, e.g., (finding inapposite to plaintiffs’ allegations that they visited defendant Walgreen‘s website and placed specific items—a yeast infection treatment and diabetes test kit—in their online shopping carts, in part because plaintiffs “adequately connect their overarching theory of how [d]efendant‘s website collected and transmitted users’ information to plaintiffs’ specific interactions with that website“); (denying motion to dismiss where “plaintiffs identify the specific types of information they provided to their healthcare providers that they believe Meta collected without their consent[,]” including “the health conditions for which they sought treatment or services, as well as examples of

their queries, appointment requests, or other information and services which they communicated with their providers“); cf. (where plaintiffs generally alleged that they used a patient portal, “plaintiffs are required to amend to describe the types or categories of sensitive health information [...]. That basic amendment (which can be general enough to protect plaintiffs’ specific privacy interests) will allow these privacy claims to go forward.“).

The Court finds allegations of the specific product or condition would not further satisfy notice pleading rules under Rule 8. At this stage, the FAC‘s allegations of categories of sensitive data are sufficient to plead Plaintiff‘s theory that Defendants violated his privacy rights by collecting and transmitting his Private Information to third parties.

The Court proceeds to addresses the sufficiency of Plaintiff‘s allegations as to each claim below.

iii. Cal. Pen. Code § 631(a) (CIPA) (Count 1)

CIPA prohibits any person from using electronic means to “learn the contents or meaning” of any “communication” “without consent” or in an “unauthorized manner.” Cal. Pen. Code § 631(a). Section 631(a) creates four avenues for relief:

(1) where a person “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . with any telegraph or telephone wire, line, cable, or instrument“;

(2) where a person “willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit“;

(3) where a person “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained“; and

(4) where a person “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above.”

(quoting Cal. Pen. Code § 631(a)).

a. Aiding and abetting

Since CVS was a party to the communication, CVS may only ‍‌‌​​‌​​​‌​​​‌​​​​​​‌​‌‌​‌‌​‌​​​‌‌‌​​‌​‌​​​​​‌​‌‌‍be liable under the aiding and abetting clause. (noting that “California law is well settled that a party to the communication is not liable for recording their own conversation under section 631(a)“). The FAC alleges that CVS aided third parties, including Adobe, Criteo and Medallia, in intercepting users’ interactions with the Website, including Plaintiff‘s private health information, by installing the alleged trackers on the Website. See, e.g., FAC ¶¶ 4, 8, 63–76. CVS allegedly installed these tracking technologies to optimize its advertising and marketing. See, e.g., id. ¶¶ 23, 25–26. And the FAC details how the tracking works and how the alleged interception occurs. Id. ¶¶ 41–62. These allegations plausibly plead that CVS “aid[ed], agree[d] with, employ[ed], or conspire[d] with” third parties Adobe, Criteo and Medallia to intercept Plaintiffs information. Cal. Pen. Code § 631(a).

b. Contents of communication

CVS argues that Plaintiff has not alleged the “contents” of his communication he made to the Website. CVS MTD 9–11.

“[D]escriptive URLs that reveal specific information about a user‘s queries” may reflect the “contents” of communications under CIPA. ; (“[s]earch terms constitute ‘contents’ of a communication.“). In King, cited by CVS, a district court found the plaintiff failed to allege the “contents’ of her communications were intercepted” where the complaint alleged “examples of the types of ‘full-string URLs’ allegedly intercepted by Meta, but [p]laintiff does not allege she conducted the searches or visited the webpages provided in the examples.”

. Here, the FAC alleges the contents of Plaintiff‘s communications with more specificity. It alleges Plаintiff used the Website to search for, view, and purchase sexual healthcare products. FAC ¶ 103. Plaintiff also alleges that the Website intercepts each search, view, and purchase for Website users, including Plaintiff. ¶¶ 41–44, 67, 73.

Accordingly, Plaintiff adequately identifies the “contents” of communication as the search text that populates descriptive URLs.

c. In transit

“While a plaintiff must do more than ‘merely restate[ ] the pleading requirement of real time interception,’ the standard is not overly burdensome.” . “[A]llegations that [communications] are intercepted in real time through the use of computer code provides sufficient factual detail to support the ‘in transit’ requirement.” ; see also (explaining that “the key to the interception analysis is whether the plaintiff alleges that transmission was simultaneous“).

CVS and Medallia challenge the sufficiency of Plaintiff‘s allegations that, under Section 631(a)‘s second clause, Defendants “read one of his communications while it was still in transit, i.e., before it reached its intended recipient.” See ; CVS MTD 12; Medallia MTD 16–19.

CVS argues, “given the speed of internet communications, [Plaintiff] cannot allege that an interception while in transit occurred, rather than a recording of information thаt was held in storage.” CVS MTD 12, citing (dismissing Section 631(a) claims on summary judgment). However, the FAC does allege “[t]he Tracking Technologies are designed so that they transmit each of the user‘s actions taken on the webpage to the Third-Party Trackers contemporaneously with the user making the communications. Thus, the communications were intercepted while they were in transit to the intended recipient, CVS.” FAC ¶ 138. Plaintiff has sufficiently alleged that real-time interception occurred.

Medallia additionally asserts that Plaintiff needed and failed to allege Medallia “read or learned the content of his communications with CVS.” Medallia MTD 17 (alterations omitted). “Though section 631 does not define ‘read’ or ‘attempt to read,’ courts generally conclude that liability under prong two of section 631 ‘requires some effort at understanding the substantive meaning of the message, report or communication.‘” . The FAC alleges that “the various unique identifiers and information that Medallia intercepts . . . allow it to identify Website users across different devices, visits, and touchpoints, creating a unique customer profile . . . for its own commercial benefit.” FAC ¶¶ 70–71.

Viewing the facts in the light most favorable to Plaintiff, the Court finds that Plaintiff sufficiently pleads communicatiоns were intercepted in transit to survive dismissal under Rule 12(b)(6). Defendants’ arguments regarding what constitutes “in transit” are best left for resolution at the summary judgment stage.

d. Injury

Finally, CVS argues that the Section 631 claim fails because Plaintiff has not sufficiently alleged that he suffered harm. CVS MTD 12. Medallia likewise argues that its violations of CIPA did not injure Plaintiff, because Plaintiff has not alleged injury-in-fact under Article III. Medallia 15–16.

Plaintiff has sufficiently alleged a concrete injury, see supra Section II.B.i, and for those reasons he has also alleged injury for purposes of his claim under Section 631(a) (and Section 632(a)). Thus, the FAC is not deficient in this regard.

iv. Cal. Pen. Code § 632(a) (CIPA) (Count 2)

Section 632 punishes a person who “intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication.” Cal. Pen. Code § 632(a). CVS argues Plaintiff has not alleged he engaged in any “confidential communications.” CVS MTD 14–15.

A communication is confidential under Section 632(a) only if a party has “an objectively reasonable expectation that the conversation is not being overheard or recorded.” (quotation omitted). Courts have held that Internet communications meet the confidentiality threshold when they involve “protected health information.” See e.g., (“Plaintiffs’ interactions with the GoodRx platform – by seeking discounts on specific prescriptions, seeking treatment for specific conditions, and disclosing symptoms – constitute confidential communications.“).

The FAC alleges Plaintiff used the Website to “research over-the-counter medical products relating to a serious medical condition affecting [him],” “searched for these over-the-counter products on the Website and viewed the corresponding product pages after performing his searches,” and later “saw advertisements for medications relating to that medical condition and related symptoms.” FAC ¶¶ 104–05. The FAC sufficiently alleges interactions with the Website constitute confidential communications.

The Section 632(a) claim is adequately pled.

v. Invasion of privacy under the California Constitution and common law invasion of privacy and intrusion upon seclusion (Counts 5 & 6)

“The California Constitution and the common law set a high bar for an invasion of privacy claim.” . “When alleged together, the Court asses[es] the two claims together and examine[s] the largely parallel elements of these two claims which call on the Court to consider (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests.” (citation omitted). “[A]nalysis of a reasonable expectation of privacy primarily focuses on the nature of the intrusion,” while “the highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a matter of public policy.” (citation omitted).

a. Reasonable expectation of privacy

As discussed above, the FAC sufficiently alleges the captured information at issue is Plaintiff‘s private health information. See supra sections II.A.ii, II.C.ii. Thus, Plaintiff‘s privacy interest is adequately pled. See 02431-VC” cite=“2023 WL 6882766” pinpoint=“*2” court=“N.D. Cal.” date=“2023“>Doe I v. Google LLC, No. 3:23-cv-02431-VC, 2023 WL 6882766, at *2 (N.D. Cal. Oct. 18, 2023) (stating “[t]here is a reasonable expectation of privacy in one‘s private health information.” (citation omitted)); (stating “individuals maintain a reasonable expectation of privacy in detailed URLs.“).

b. Highly offensive or serious intrusion

CVS argues that the FAC fails to allege any highly offensive conduct. CVS MTD 16. Medallia also argues that its conduct is not alleged to have resulted in an offensive or serious invasion of privacy, because it acted solely as a service provider to CVS and collected data on CVS‘s behalf. Medallia 11–13.

As discussed in finding Article III standing, see supra Section II.A.ii, courts have found that “[t]he ultimate question of whether [a defendant‘s] tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” . (citаtion omitted). “[Q]uestions of whether conduct is ‘egregious,’ ‘offensive,’ or violates ‘social norms’ tend by their very nature to be subjective determinations about which reasonable jurists may differ. As such, these questions are typically more appropriately resolved by a jury.” . And while the California Supreme Court has instructed that courts may “weed out claims that involve so insignificant or de minimus an intrusion on a constitutionally protected privacy interest as not even to require an explanation or justification by the defendant,” , the Court finds Plaintiff‘s allegations about the interception of his private health information are not trivial or de minimus. See (“The complaint plausibly alleges that Toy had a reasonable expectation of privacy in her use of at-home health tests provided by Life Line, and whether Life Line‘s alleged intrusion by disclosing that sensitive information to Facebook and/or Google was highly offensive is an issue not suitable for decision on the pleadings“).

Another “important factor that courts often rely on is whether the plaintiff alleges that the defendant used the private or confidential information obtained for some improper purpose.” (emphasis original). Medallia argues that Plaintiff has not alleged it misused his information. Medallia MTD 12. But Plaintiff does allege that Medallia creates user profiles, then sells those profiles to CVS and other third parties to generate revenue. FAC ¶ 70. This is a purpose that could plausibly constitute an egregious breach of social norms. See . Additionally, Plaintiff has alleged that Defendants’ invasion of privacy continued even after Plaintiff had logged out and ceased using the Website, which the Ninth Circuit in considered indicia of a highly offensive invasion of privacy. (citing cases).

For these reasons, the motion to dismiss the invasion of privacy claims is denied.

vi. Negligence and negligence per se (Count 7)

“To state a claim for negligence in California, a plaintiff must establish the following elements: (1) the defendant had a duty, or an ‘obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks,’ (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff‘s injuries, and (4) damages.” (internal citations omitted). The Court addresses Defendants’ primary arguments below.

a. Duty of care

CVS and Medallia argue Plaintiff has not sufficiently alleged a duty of care. CVS MTD 18–19; Medallia MTD 13–14. The FAC alleges, “Defendants violated their duty to not intercept and to protect the сonfidentiality of Plaintiffs’ and Class Members’ information by using the Tracking Technologies to communicate and intercept patients’ individually identifying information and confidential medical communications.” FAC ¶ 176; see also . The FAC alleges this duty arose under HIPAA and corresponding Department of Health and Human Services (“HHS“) regulations. . Plaintiff also argues the duty also arises under CIPA itself. CVS Opp. 16, citing, inter alia, FAC ¶¶ 19–22.

As to a common law duty, Plaintiff does not meaningfully address CVS‘s contention that it is insufficiently pled. See CVS Opp. 16. The FAC alleges, “Defendants had a duty to safeguard and not disclose or intercept Plaintiffs’ and Class Members’ sensitive and protected medical information and individually identifiable information as described above without Plaintiffs’ knowledge or consent.” FAC ¶¶ 205, 208. The allegations are conclusory and do not adequately plead common law duty.

Plaintiffs have sufficiently alleged a regulatory duty of care arising from HIPAA and the HHS, which enforces HIPAA. See FAC ¶ 207. “The Court . . . follows the published precedent of this District in concluding that a duty may arise from HIPAA and serve as the basis for a negligence ‍‌‌​​‌​​​‌​​​‌​​​​​​‌​‌‌​‌‌​‌​​​‌‌‌​​‌​‌​​​​​‌​‌‌‍claim under California law.” . The FAC contains specific allegations concerning the duty of care owed by Defendants in accordance with HIPAA. See FAC ¶¶ 78–79 (quoting 45 C.F.R. § 164.530(c)(1)); 80–85. CVS argues that the FAC does not allege the Private Information to be “individually identifiable,” as required by HIPAA. CVS MTD 19; see FAC ¶ 83. However, the FAC does allege that the tracking technologies create profiles are customized to each Website user, even if the user is logged out. See FAC ¶¶ 43–44. At this stage, it is plausibly alleged that the Private Information conveyed could be traced to an individual user.

b. Harm

Under California law, “negligence claims must result in actual damages from the complained-of conduct.” . Accordingly, to state a negligence claim, Plaintiffs must allege an “appreciable, nonspeculative, present injury.” (citation omitted).

CVS argues Plaintiff does not allege “appreciable, nonspeculative, present injury.” CVS Opp. 20. Medallia similarly argues that the FAC is devoid of harm resulting from Medallia‘s conduct, because “Plaintiff does not allege that Medallia disclosed his information to anyone. . . . Plaintiff merely alleges that Medallia ‘collected and processed’ his information on behalf of CVS.” Medallia MTD 13. However, as described above, Plaintiff plausibly alleges a concrete injury. See supra Section II.A.ii. Plaintiff also alleges “the dissemination of [his] information is ongoing.” FAC ¶ 168. An appreciable, nonspeculative, present injury has been adequately pled.

Accordingly, the FAC plausibly alleges a negligence claim. “Because Plaintiffs’ negligence cause of action may proceed, the Court does not dismiss the references to the negligence per se doctrine.” , quoting .

i. Breach of confidence (CVS only) (Count 4)

Breach of confidence under California law “is based upon the concept of an implied obligation or contract between the parties that confidential information will not be disclosed.” . A plaintiff must allege “(1) the plaintiff conveyed ‘confidential and novel information’ to the defendant; (2) the defendant had knowledge that the information was being disclosed in confidence; (3) there was an understanding between the defendant and the plaintiff that the confidence be maintained; and (4) there was a disclosure or use in violation of the understanding.” .

CVS argues that the FAC fails to allege any “novel” or confidential information disclosed, and that there was no mutual understanding of confidentiality. CVS MTD 17. CVS argues that the tort has historically been used for novel ideas, such as a screenplay. However, recent case law has permitted breach of confidence claims to proceed in the context of disclosure of PHI through website tracking software. See, e.g., .

Here, the FAC alleges that Plaintiff conveyed confidential information related to his sexual health. See supra Section II.C.ii. The FAC also alleges that CVS had obligations, under HIPAA and HHS guidance and CIPA, to keep Plaintiff‘s health information confidential (see, e.g., FAC ¶¶ 81–85), but nonetheless encouraged Plaintiff to use the Website to search for and purchase over-the-counter medications and healthcare products (). The FAC then alleges CVS surreptitiously shared that information with third parties. See, e.g., id. ¶ 4. Drawing all inferences in Plaintiff‘s favor, the FAC sufficiently alleges breach of a mutual understanding of confidentiality.

The FAC‘s allegations suffice to state a claim for breach of confidence.

ii. Unfair Competition Law (“UCL) (CVS only) (Count 3)

To state a claim under the UCL, “a plaintiff must show either an (1) ‘unlawful, unfair, or fraudulent business act or practice,’ or (2) ‘unfair, deceptive, untrue or misleading advertising.‘” (citation omitted). Additionally, a plaintiff must have suffered an economic injury to establish UCL standing. Cal. Bus. & Prof. Code § 17204.

The FAC alleges a UCL violation under the unlawful and unfair prongs. FAC ¶¶ 163–166. CVS argues, among other things, that the FAC fails to allege an economic injury caused by CVS‘s allegedly unfair business practice. .

In order to bring a UCL claim, a plaintiff must have UCL standing, which is distinct from Article III standing. See (“[A] federal plaintiff‘s [Article III] ‘injury in fact’ may be intangible and need not involve lost money or property . . . a UCL plaintiff‘s ‘injury in fact’ [must] specifically involve lost money or property.“) To establish standing under the UCL, a plaintiff “must establish that [he] (1) suffered an injury in fact and (2) lost money or property as a result of the unfair competition.” (citing Cal. Bus. & Prof. Code § 17204).

To demonstrate economic loss under the UCL, the FAC alleges as follows:

169. As result of Defendants’ violations of the UCL, Plaintiffs and Class Members have suffered injury in fact and lost money or property, including but not limited to payments to Defendants for services and/or other valuable consideration, e.g., access to their private and personal data. Plaintiffs and Class Members would not have used Defendants’ services, or would have paid less for them, had they known the Defendants were breaching confidentiality by disclosing and intercepting their Private Information.

170. The unauthorized access to Plaintiffs’ and Class Members’ private and personal data also has diminished the value of that information.

Plaintiff‘s benefit of the bargain argument fails because he does not adequately allege that he paid money or property “in exchange for a product or service, and [have] not received what [they] bargained for.” See . Though the FAC alleges that if Plaintiff were aware his information would be disclosed, he “would not have used Defendants’ services, or would have paid less for them,” FAC ¶ 169, the allegation is conclusory and untethered to the other facts alleged.

Plaintiffs’ diminution in value argument also fails. The FAC has facts from public sources discussing what consumers’ data is worth. See FAC ¶¶ 86–91. Nonetheless, Plaintiff‘s allegations concerning the economic value of his information “are unsupported by any facts explaining what economic value the information held to Plaintiff[] and how it was lost through Defendants’ dissemination.” See (emphasis original); see also (“That the information has external value, but no economic value to plaintiff, cannot serve to establish that plaintiff has personally lost money or property.“). Further, “the case concerns the receipt of personal health information which Plaintiff[] consider[s] too private to share with third parties. As such, it is unclear how Plaintiff[] could and would participate in a legitimate market for health care information. . . . Without specific facts alleging how Plaintiff[] would so participate (as opposed to how the market for health data functions on a broader scale, . . . ), the Court cannot conclude that their information lost value.” See (quotation and citations omitted).

The Court concludes that Plaintiffs have failed to adequately рlead an injury of fact sufficient to support the UCL claim. The claim is thus DISMISSED WITH LEAVE TO AMEND.

III. Motion to Strike Class Allegations

CVS argues that the Court should strike Plaintiff‘s class allegations under Rule 12(f). CVS MTD 21–25. It argues that the class definition is facially uncertifiable and overly broad for two reasons. First, the proposed classes do not limit membership to Website users who actually suffered an injury or could otherwise assert a claim. For example, the class definition fails to exclude messages sent to individuals who had provided express consent. . Second, use of the vague term “Private Information” in the proposed definitions results in a similarly over broad definition. . Finally, Plaintiff does not satisfy the typicality requirements of Rule 23, because the class definition encompasses much broader Website use than Plaintiff‘s allegations, which are limited to browsing and purchasing.

A. Legal Standard

Rule 12(f) authorizes a court to “strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.” Fed. R. Civ. P. 12(f). A Rule 12(f) motion helps avoid wasting “time and money that must arise from litigating spurious issues by dispensing with those issues prior to trial.” . A motion to strike is generally disfavored and should only be granted if “the matter to be stricken clearly could have no possible bearing on the subject of the litigation,” but if “any doubt whether the portion to be stricken might bear on an issue in the litigation, the court should deny the motion.” (citation omitted). “Ultimately, whether to grant a motion to strike lies within the sound discretion of the district court.” (citing ).

“A decision to grant a motion to strike class allegations . . . is the functional equivalent of denying a motion to certify a case as a class action.” . Striking class allegations prior to a formal certification motion is generally disfavored because the factual record is usually undeveloped. See (stating “it is in fact rare to [strike class allegations] in advance of a motion for class certification,” and holding “it is premature to determine if this matter should proceed as a class action” because discovery has not begun); (“[I]n general, class allegations are not tested at the pleading stage and are instead scrutinized after a party has filed a motion for class certification.“). “[A]s the Supreme Court has explained, ‘[s]ometimes the issues are plain enough from the pleadings to determine whether the interests of the absent parties are fairly encompassed within the named plaintiff‘s claim.‘” , citing . A court may thus strike class allegations whеn no class action can possibly be maintained on the face of the pleading. See . “As with motions to dismiss, when ruling on a motion to strike, the Court takes the plaintiffs allegations as true and must liberally construe the complaint in the light most favorable to the plaintiff.”

B. Discussion

The Court refrains from deciding disputed and substantial factual and legal issues on this motion to strike. See (noting courts should not resolve disputed and substantial factual and legal issues in deciding a motion to strike); (“The Court concludes that it cannot determine from the face of the pleadings that a class is not certifiable as a matter of law, as there are factual and legal issues yet to be determined. The issues raised by Defendant are better suited for a determination at the class certification stage.“).

At this stage, the Court declines to grant the motion to strike based on speculation that some proposed class members may have given their express consent, or that Plaintiff does not meet typicality requirements. In arguing that the class definition is impermissibly broad, CVS cites orders addressing motions for class certification, including , , and . There, the plaintiffs had the benefit of discovery and carried a much highеr burden than on a motion to strike. Accordingly, the Court DENIES CVS‘s motion to strike.

IV. Conclusion

For the foregoing reasons, the Court GRANTS Criteo‘s motion to dismiss for lack of personal jurisdiction. The Court GRANTS IN PART and DENIES IN PART CVS‘s and Medallia‘s motions to dismiss; the UCL claim is dismissed with leave to amend, and all other claims remain live. The Court DENIES CVS‘s motion to strike the class allegations. The Court DENIES as MOOT Criteo‘s motion to stay discovery pending resolution of its motion to dismiss.

Plaintiff is GRANTED LEAVE TO AMEND the complaint consistent with this Order no later than November 14, 2025. No new claims or parties may be added without the Court‘s prior approval or stipulation by the parties. Fed. R. Civ. P. 15.

IT IS SO ORDERED.

Initials of Preparer TJ

Notes

1
The Motion was originally brought by Defendants CVS Health Corporation and CVS Pharmacy, Inc. See Dkt. # 45. Plaintiff subsequently filed a notice of dismissal as to Defendant CVS Health Corporation. See Dkt. # 55.
2
In their motions to dismiss, Medallia and Criteo aver that Plaintiff agreed in meet-and-confers to dismiss claims 3 and 4 against them. See Medallia MTD, 5 n. 13; Criteo MTD, 1 n. 1. Plaintiff does not dispute this contention in his opposition papers. See generally Medallia Opp.; Criteo Opp.
3
Excluded from the Classes are Defendants; any affiliate, parent, or subsidiary of Defendants; any entity in which Defendants have a controlling interest; any officer director, or employee of Defendants; any successor ‍‌‌​​‌​​​‌​​​‌​​​​​​‌​‌‌​‌‌​‌​​​‌‌‌​​‌​‌​​​​​‌​‌‌‍or assign of Defendants; anyone employed by counsel in this action; any judge to whom this case is assigned, his or her spouse and immediate family members; and members of the judge‘s staff. FAC ¶ 118.