eLaws | Code of Federal Regulations | United States Code |
 All Courts
 Federal Courts
 US Federal District Court Cases
 District Court, N.D. California
 2022-12

In Re Meta Pixel Healthcare Litigation ( 2022 )


Menu:
  • 1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 IN RE META PIXEL HEALTHCARE Case No. 22-cv-03580-WHO LITIGATION 8 ORDER DENYING MOTION FOR 9 PRELIMINARY INJUNCTION 10 Re: Dkt. No. 46 11 12 13 INTRODUCTION 14 This case is about defendant Meta Platform, Inc.’s alleged use of proprietary computer 15 code to obtain certain healthcare-related information of Facebook users. According to plaintiffs, 16 the Meta Pixel allows Meta to intercept personally identifiable medical information and the 17 content of patient communications for Facebook users, which Meta then monetizes for its own 18 financial gain. Plaintiffs have brought several federal and state law claims to vindicate the harms 19 that they have allegedly experienced. They ask me to enjoin Meta from intercepting and 20 disseminating their patient information. 21 Our nation recognizes the importance of privacy in general and health information in 22 particular: the safekeeping of this sensitive information is enshrined under state and federal law. 23 The allegations against Meta are troubling: plaintiffs raise potentially strong claims on the merits 24 and their alleged injury would be irreparable if proven. To secure a mandatory injunction, 25 however, plaintiffs need to show “that the law and facts clearly favor [their] position, not simply 26 that [they are] likely to succeed.” Garcia v. Google, Inc., 786 F.3d 733, 740 (9th Cir. 2015) 27 (emphasis in original). Meta’s core defense is that it has systems in place to address the receipt of 1 for them to take further action. Without further factual development, it is unclear where the truth 2 lies, and plaintiffs do not meet the high standard required for a mandatory injunction. At this early 3 stage of the case, I DENY the motion for a preliminary injunction. 4 FACTUAL BACKGROUND 5 Plaintiffs are four Facebook users who are proceeding anonymously due to the sensitive 6 nature of this litigation. First Amended Complaint (“FAC”) [Dkt. 22] ¶¶ 32–35. They allege that 7 Meta1 improperly acquires their confidential health information in violation of state and federal 8 law and in contravention of Meta’s own policies regarding use and collection of Facebook users’ 9 data. Id. ¶¶ 1–2, 12. Each of plaintiffs’ healthcare providers—MedStar Health System, Rush 10 University System for Health, and UK Healthcare—allegedly installed the Meta Pixel on their 11 patient portals.2 See id. ¶¶ 3–9. Plaintiffs claim that when they logged into their patient portal on 12 their medical provider’s website, the Pixel transmitted certain information to Meta. Id. ¶¶ 4–9; see 13 also e.g., id. ¶¶ 86, 122, 146 (describing types of data transmitted by the Pixel). They contend that 14 this information, which is contemporaneously redirected to Meta, revealed their status as patients 15 and was monetized by Meta for use in targeted advertising. Id. ¶¶ 2, 17–18, 71. 16 The issues raised in plaintiffs’ motion for a preliminary injunction involve Meta’s alleged 17 receipt of certain health information through the Meta Pixel; the scope and meaning of certain 18 terms in Meta’s policies; the strength of plaintiffs’ legal claims; and Meta’s systems to prevent 19 receipt of this information. I describe the relevant facts below. 20 A. The Meta Pixel’s Technology 21 The Meta Pixel is a free and publicly available piece of code that Meta allows third-party 22 website developers to install on their websites. See Declaration of Tobias Wooldridge 23 24 25 1 Meta was previously known as Facebook, Inc. In late 2021, the company changed its name to Meta Platforms, Inc. but the social media platform itself is still known as Facebook. Opp. at 3 n.2. 26 2 Some of the medical providers, which are not defendants to the lawsuit, may have since removed the 27 Pixel: Meta asserts that as of November 23, 2022, the Pixel is not integrated into the patient portals for either Rush University System for Health or UK HealthCare. See Supplemental Declaration of Tobias 1 (“Wooldridge Decl.”) [Dkt. 77-4] ¶ 3.3 The Pixel is customizable: website developers choose 2 which types of user action to measure, and program the Pixel accordingly. Id. ¶¶ 3–4. Website 3 developers in a range of industries use the Pixel. Id. ¶ 3. In a nutshell, the Meta Pixel allows 4 website developers to learn: (1) if and when website users take certain actions on a website, and 5 (2) generalized information about website users, which can be used for targeting advertising. Id. 6 ¶¶ 3–4. 7 To understand how the Meta Pixel typically works, imagine the following scenario. A 8 shoe company wishes to gather certain information on customers and potential customers who 9 visit its website. The shoe company first agrees to Meta’s Business Tools Terms (discussed 10 below), which govern the use of data from the Pixel. Wooldridge Decl. ¶ 6. The shoe company 11 then customizes the Meta Pixel to track, say, every time a site visitor clicks on the “sale” button on 12 its website, which is called an “Event.” Id. ¶ 4. Every time a user accesses the website and clicks 13 on the “sale” button (i.e., an “Event” occurs), it triggers the Meta Pixel, which then sends certain 14 data to Meta. Id. Meta will attempt to match the customer data that it receives to Meta users— 15 Meta cannot match non-Meta users. Id. The shoe company may then choose to create “Custom 16 Audiences” (i.e., all of the customers and potential customers who clicked on the “sale” button) 17 who will receive targeted ads on Facebook, Instagram, and publishers within Meta’s Audience 18 Network. Id. Meta may also provide the shoe company with de-identified, aggregated 19 information so the shoe company understands the impact of its ads by measuring what happens 20 when people see them. Id. Meta does not reveal the identity of the matched Meta users to the 21 shoe company. Id. 22 Now, imagine that same process occurring but instead of a shoe company, substitute 23 MedStar Health System, plaintiff John Doe’s medical provider. Plaintiffs’ expert, Richard Smith, 24 who submitted a lengthy declaration in conjunction with the preliminary injunction motion, 25 asserted that MedStar Health System has the Meta Pixel on various pages of its website, 26 www.MedStarHealth.org. See Declaration of Richard M. Smith (“Smith Decl.”) [Dkt. 49] ¶ 19; 27 1 FAC ¶¶ 3–5; see also Supplemental Declaration of Tobias Wooldridge (“Supp. Wooldridge 2 Decl.”) [Dkt. 143-3] ¶ 4 (explaining that the Pixel is integrated into the MedStar page that allows 3 users to navigate to the login page). Plaintiffs allege that when John Doe or any other patient of 4 MedStar presses the login button to enter their MedStar patient portal using their username or 5 email address and password, the Meta Pixel source code causes Doe’s and all other patients’ 6 computing devices to re-direct the contents of their respective patient portal login communications 7 to Meta and then to MedStar, rather than just to MedStar. See Smith Decl. ¶¶ 27–28. Meta 8 allegedly redirects the patient portal login information to itself via a “SubscribedButtonClick” 9 transmission that includes, among other things: 10 • The patient’s identity in the form of cookies, IP address, and User-Agent 11 identifiers; 12 • Content of the button (“Log in”); 13 • Contents of the page from which the patient clicked to log in to the patient 14 portal; and 15 • Content of the page the patient will land as a result of clicking “Log in” to the 16 patient portal. 17 Id. ¶¶ 31–33. As a patient browses through the MedStar website, the Meta Pixel allegedly 18 continues to transmit information to Meta, including information about doctors, medical 19 conditions, and appointments associated with a patient’s session. Motion for Preliminary 20 Injunction (“Mot.”) [Dkt. 46] at 4; Smith Decl. ¶¶ 97, 130–31.4 21 Plaintiffs assert that Meta monetizes the information that it receives through the Meta Pixel 22 by using it to generate highly-profitable targeted advertising on- and off–Facebook. Notice of 23 Motion (“Not. of Mot.”) at 1; FAC ¶ 17. They claim that Meta can target ad campaigns to patients 24 based on patients’ browsing behavior on their medical providers’ website. FAC ¶¶ 18–19; see 25 26 4 According to Meta, the Pixel is not integrated into the MedStar login page itself. See Supp. Wooldridge 27 Decl. ¶ 4. Meta acknowledges, though, that as of November 2022 the Meta Pixel was integrated into the https://www.medstarhealth.org/mymedstar-patient-portal page, and that website users may click the “log 1 also Wooldridge Decl. ¶ 4 (explaining that website developers can target ads on Facebook, 2 Instagram, and other sites based on data transmitted by the Pixel). Meta may, for instance, target 3 ads to a person who has (1) used the patient portal and (2) viewed a page about a specific 4 condition, such as cancer. FAC ¶ 19. These allegations appear to be borne out by plaintiffs’ 5 expert’s experiences: after Smith visited five hospital websites which employ the Meta Pixel, he 6 allegedly received many new health-related advertisements. Smith Decl. ¶ 187; see also ¶ 188 7 (providing over a dozen examples of health-related advertisements). In particular, Smith noticed 8 that within two hours of searching for information on ulcerative colitis on one of the hospitals’ 9 websites, he was shown an advertisement related to ulcerative colitis in his Facebook video feed. 10 Id. ¶¶ 189–90. 11 According to plaintiffs, they have identified more than 660 entities covered under the 12 Health Insurance Portability and Accountability Act (“HIPAA”), from which Meta is receiving 13 information. Mot. at 2; FAC ¶ 15. 14 B. Meta’s Data Policies 15 Meta has several policies governing how it collects and uses data, including through the 16 Pixel. When individuals sign up for a Facebook account, they agree to Meta’s Terms of Service, 17 Data Policy, and Cookies Policy. FAC ¶ 49. These policies are contractually binding on both 18 Meta and its users. Id. Because these policies bear on the important question of whether plaintiffs 19 knew and consented to Meta’s use of the Meta Pixel to receive health-related information, I 20 describe each policy below. 21 1. Terms of Service 22 The Terms of Service govern the “use of Facebook, Messenger, and the other products, 23 features, apps, services, technologies, and software” that Meta offers. See Declaration of Abigail 24 Barrera (“Barrera Decl.”) Ex. A (Terms of Service) [Dkt. 76-3] at 1. Meta informs users that it 25 “use[s] data about the connections you make, the choices and settings you select, and what you 26 share and do on and off our Products – to personalize your experience.” Id. at 2. The Terms of 27 Service explain that Meta shows users “personalized ads, offers, and other sponsored or 1 many businesses and organizations that use Facebook and other Meta Products.” Id. To provide 2 these services, Meta’s terms explain, Meta “collect[s] and use[s] your personal data.” Id. at 4. 3 The Terms of Service include several links to the Data Policy. Id. at 1, 3, 4. 4 2. Data Policy 5 The Data Policy5 “describes the information” that Meta “process[es] to support Facebook, 6 Instagram, Messenger and other products and features offered by Meta.” Barrera Decl., Ex. B 7 (Data Policy) [Dkt. 76-4] at 1. Among other things, the Data Policy tells users that: 8 Advertisers, app developers, and publishers can send us information 9 through Meta Business Tools they use, including our social plug-ins 10 (such as the Like button), Facebook Login, our APIs and SDKs, or the Meta pixel. These partners provide information about your 11 activities off of our Products—including information about your device, websites you visit, purchases you make, the ads you see, and 12 how you use their services—whether or not you have an account or are logged into our Products. For example, a game developer could 13 use our API to tell us what games you play, or a business could tell 14 us about a purchase you made in its store. We also receive information about your online and offline actions and purchases 15 from third-party data providers who have the rights to provide us with your information. 16 Partners receive your data when you visit or use their services or 17 through third parties they work with. We require each of these 18 partners to have lawful rights to collect, use and share your data before providing any data to us. 19 Id. at 4–5 (emphasis added). The Data Policy also notifies users that Meta uses this information 20 “to personalize features and content (including your ads, Facebook News Feed, Instagram Feed, 21 and Instagram Stories) and make suggestions for you . . . on and off our Products.” Id. at 5; see 22 also id. at 6 (“We use the information we have (including your activity off our Products, such as 23 the websites you visit and ads you see) to help advertisers and other partners measure the 24 effectiveness and distribution of their ads and services, and understand the types of people who 25 use their services and how people interact with their websites, apps, and services.”). Meta does 26 27 1 not, however, “share information that personally identifies” users with advertisers unless users 2 allow Meta to do so. Id. at 9. 3 3. Cookies Policy 4 Cookies are “small pieces of text used to store information on web browsers.” Barrera 5 Decl., Ex. C (Cookies Policy) [Dkt. 76-5] at 1. They “store and receive identifiers and other 6 information on computers, phones and other devices,” and they can serve a number of different 7 functions, such as “personalizing content, tailoring and measuring ads, and providing a safer 8 experience.” Id. at 1. 9 Meta’s Cookies Policy explains that Meta “use[s] cookies if you have a Facebook account, 10 use the Meta Products, including our website and apps, or visit other websites and apps that use 11 the Meta Products (including the Like button).” Id. Meta notes that cookies allow it to 12 “understand the information that we receive about you, including information about your use of 13 other websites and apps, whether or not you are registered or logged in,” and that it “use[s] 14 cookies to help us show ads and to make recommendations for businesses and other organisations 15 to people who may be interested in the products, services or causes they promote.” Id. at 1–2. 16 Cookies allow Meta “to provide insights about the people who use the Meta Products, as well as 17 the people who interact with the ads, websites and apps of our advertisers and the businesses that 18 use the Meta Products.” Id. at 3. The policy also describes the cookie used to enable the Meta 19 Pixel (“_fbp”) and explains that Meta’s “business partners may also choose to share information 20 with Meta from cookies set in their own websites’ domains, whether or not you have a Facebook 21 account or are logged in.” Id. at 4; see also id. at 4–5 (“Meta uses cookies and receives 22 information when you visit [websites and apps that use the Meta Products], including device 23 information and information about your activity, without any further action from you. This occurs 24 whether or not you have a Facebook account or are logged in.”). 25 4. Business Tools Terms and the Pixel Creation Process 26 Meta also has policies which govern third-party website developers’ use of the Meta Pixel. 27 Before a website developer can integrate the Pixel on a website, the developer must agree to 1 The Business Tools Terms require developers to “represent and warrant that you (and any 2 data provider that you may use) have all of the necessary rights and permissions and a lawful basis 3 (in compliance with all applicable laws, regulations and industry guidelines) for the disclosure and 4 use of Business Tool Data.” Barrera Decl., Ex. D (Business Tools Terms) [Dkt. 76-6] at 1. 5 Developers must also “represent and warrant that [they] have provided robust and sufficiently 6 prominent notice to users regarding the Business Tool Data collection, sharing and usage,” 7 including a “clear and prominent notice on each web page where [Meta] pixels are used that links 8 to a clear explanation [of] . . . how users can opt-out of the collection and use of information for ad 9 targeting [].” Id. at 3. As a condition of using the Pixel, developers specifically agree that they 10 will “not share Business Tool Data . . . that [they] know or reasonably should know . . . includes 11 health, financial information or other categories of sensitive information (including any 12 information defined as sensitive under applicable laws, regulations and applicable industry 13 guidelines).” Id. at 2 (emphasis added); see also Barrera Decl., Ex. E (Commercial Terms) [Dkt. 14 76-7] at 2 (similar provision in Commercial Terms). 15 During the Meta Pixel ID creation process, Meta reminds developers not to send sensitive 16 user data to Meta. Wooldridge Decl. ¶ 7. Meta has published several articles that explain and 17 give examples of the kinds of information (including health information) that developers should 18 not send to Meta, provide steps that developers can take to avoid sending such information, and 19 describe how to address instances in which sensitive information may have been sent. Id. 20 C. User Control and Meta’s Filtering Mechanism 21 Finally, outside of the policies discussed above, there are two technological tools that bear 22 on the matter at hand. 23 First, Meta gives users the ability to control the use of information about their off- 24 Facebook activity (such as activity on third-party websites) for advertising purposes. Wooldridge 25 Decl. ¶ 11. The Off-Facebook Activity tool allows users to view a summary of information that 26 Meta has received about their activity from third parties through the Business Tools, including the 27 Pixel. Id. Users can “disconnect” the off-Facebook activity that has been associated with their 1 storage of any future connections for all third-party websites (or on a website-by-website basis). 2 Id. The “Data About Your Activity From Partners” tool also allows users to opt out of receiving 3 personalized advertisements based on their activities on other websites and apps. Id. ¶ 12; see also 4 Barrera Decl., Exs. F, G, H, I (collecting screenshots and articles regarding these tools). 5 Importantly, Meta does not assert that these tools allow users to prevent their information from 6 being sent to Meta in the first place. See Reply at 3 (“[N]owhere in Meta’s Opposition does it 7 represent that patients can prevent Facebook from receiving [their data].”). 8 Second, Meta uses a filtering mechanism6 which attempts to screen out potentially 9 sensitive health data that Meta receives. Wooldridge Decl. ¶ 8. It developed the filter to detect 10 data—including health data—sent through the Pixel that Meta categorizes as potentially sensitive. 11 According to Meta, the filter prevents any such data that it detects from being ingested into its ads 12 ranking and optimization systems. Id. When it filters out data, it notifies the developer that Meta 13 detected and blocked data that may not comply with Meta’s policies. Id. ¶ 9. These notifications 14 provide details about the affected data, including the URL where the events occurred, the location 15 of the potentially violating information, steps that the developer can take to address the issue, and 16 an email address to contact with questions. Id. 17 PROCEDURAL BACKGROUND 18 This case is one of seven consolidated putative class actions involving the Meta Pixel that 19 are currently before me. Plaintiffs in the present case filed suit in June 2022. Dkt. 1. On July 15, 20 2022, plaintiffs filed the FAC, which is currently the operative pleading. See FAC. They bring 21 eight claims: (1) breach of contract, id. ¶¶ 108–23; (2) breach of the implied warranty of good 22 faith and fair dealing; id. ¶¶ 124–30; (3) intrusion upon seclusion and constitutional invasion of 23 privacy; id. ¶¶ 131–38; (4) violation of the Electronic Communications Privacy Act (“ECPA”); id. 24 ¶¶ 139–55; (5) violation of the California Invasion of Privacy Act (“CIPA”); id. ¶¶ 156–65; (6) 25 negligent misrepresentation; id. ¶¶ 166–73; (7) violation of California’s Unfair Competition Law; 26 27 6 The details of this filtering mechanism have been filed under seal. See, e.g., Wooldridge Decl. ¶ 8; Supp. Wooldridge Decl. ¶¶ 13–14, 19–20, 24–25. As discussed in the concurrently filed order granting the 1 id. ¶¶ 174–87; and (8) trespass, id. ¶¶ 188–99. 2 On August 25, 2022, plaintiffs filed the instant motion for a preliminary injunction, which 3 rests on plaintiffs’ claims under the ECPA, CIPA, and California tort law. See Mot. at 1. As part 4 of their motion, they seek an order that: (1) “[p]rohibits Meta from intercepting patient 5 information and communications from HIPAA-covered entities through its use of the Meta Pixel” 6 and (2) “[p]rohibits Meta from disseminating and/or using patient information and 7 communications that it has intercepted from HIPAA-covered entities through its use of the Meta 8 Pixel.” Not. of Mot. at 1. In conjunction with the opening motion, they submitted declarations by 9 plaintiff John Doe and their expert Richard Smith, a legal consultant who specializes in the 10 analysis of software systems. Dkts. 47, 49. Plaintiffs also submitted copies of five decisions from 11 state courts that have found that similar claims may lie against medical providers based on their 12 use of the Pixel. See Declaration of Jason Barnes (“Barnes Decl.”) [Dkt. 48] ¶¶ 5–10.7 13 In opposition, Meta included a declaration by Tobias Wooldridge, a senior software 14 engineer at Meta, which addressed technical aspects of the Pixel and described Meta’s filtration 15 system, among other things. See Wooldridge Decl. ¶¶ 4, 8–9. With their reply, plaintiffs included 16 a declaration by Christopher Wilson, a computer sciences professor who holds positions at 17 Northeastern University and Harvard University, who opined that Meta could, with slight 18 modifications, use its existing filtering system and other tools to comply with an injunction of the 19 sort that plaintiffs seek. See Declaration of Christopher Wilson (“Wilson Decl.”) [Dkt. 98] ¶¶ 1, 20 6–8, 10–20. Meta objected that the Wilson Declaration was new evidence improperly submitted 21 on reply. See Meta’s Objections [Dkt. 111] at 1. At the hearing, I allowed Meta the opportunity 22 to submit a supplemental declaration that addressed the issues raised in the Wilson Decl. See 23 November 14, 2022 Order [Dkt. 133] at 1. Meta then filed the Supp. Wooldridge Decl., and 24 25 7 These claims include: (1) a claim under the Maryland Wiretap Act, (2) a claim under the Massachusetts 26 Wiretap Act; (3) claims under the California Invasion of Privacy Act; (4) intrusion upon seclusion; (5) publication of private facts; and (6) Biddle claims. Barnes Decl. ¶¶ 5–10. (Biddle claims refer to the Ohio 27 Supreme Court decision, Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395 (1999), which established a common law tort under Ohio law for the unauthorized, unprivileged disclosure to a third party of nonpublic 1 plaintiffs subsequently submitted supplemental authority consisting of new guidance issued by the 2 Office for Civil Rights at the U.S. Department of Health and Human Services on December 1, 3 2022, regarding the obligations of HIPAA on certain entities when using online tracking 4 technologies, including the Meta Pixel. See Supp. Wooldridge Decl.; Plaintiffs’ Notice of 5 Supplemental Authority [Dkt. 148] at 2. 6 After full briefing and argument, my ruling follows. 7 LEGAL STANDARD 8 “A preliminary injunction is an extraordinary remedy never awarded as of right.” Winter 9 v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 24 (2008) (citation omitted). “A plaintiff seeking a 10 preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to 11 suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his 12 favor, and that an injunction is in the public interest.” Id. at 20. In each case, courts “must 13 balance the competing claims of injury and must consider the effect on each party of the granting 14 or withholding of the requested relief.” Id. at 24 (quoting Amoco Prod. Co. v. Vill. of Gambell, 15 AK, 480 U.S. 531, 542 (1987)). 16 Mandatory injunctions, which require affirmative action rather than maintaining the status 17 quo, are “particularly disfavored.” Garcia, 786 F.3d at 740 (quoting Stanley v. Univ. of S. 18 California, 13 F.3d 1313, 1320 (9th Cir. 1994)). To succeed, the plaintiff “must establish that the 19 law and facts clearly favor” his or her position, not simply that the plaintiff “is likely to succeed.” 20 Id. (emphasis in original). 21 DISCUSSION 22 My decision to deny the pending motion is based on Meta’s evidence that it is doing all it 23 can to minimize the problems raised by plaintiffs, and the need for discovery to clarify both the 24 scope of the problems and potential solutions for them. But as the discussion below suggests, it 25 appears that plaintiffs have plausible claims that may well succeed on the merits if that hurdle is 26 overcome, and that the injury alleged is irreparable. 27 Before I address Meta’s substantive challenges to the motion, I will dispense with a 1 filed at some point in the future, moots plaintiffs’ motion. See Opposition (“Opp.”) [Dkt. 77-3] at 2 10–11. It cites authority standing for the unremarkable principle that “[i]t is well-established” in 3 the Ninth Circuit “that an amended complaint supersedes the original, the latter being treated 4 thereafter as non-existent.” Ramirez v. Cnty. of San Bernardino, 806 F.3d 1002, 1008 (9th Cir. 5 2015) (internal citation and quotation marks omitted). It also cites my order establishing that the 6 consolidated complaint shall be the operative complaint in the consolidated action. Opp. at 10 7 (citing October 12, 2022 Order) [Dkt. 73] at 3. 8 Meta is missing the point. Yes, at some point a consolidated complaint will be filed and at 9 that point, the FAC will no longer be the operative pleading. That has not happened yet. None of 10 Meta’s cases support its novel theory that a motion for a preliminary injunction based on a 11 currently operative complaint is mooted by a currently non-existent consolidated complaint. I 12 note, too, that all of the plaintiffs from the consolidated and soon-to-be consolidated cases agreed 13 that the preliminary injunction briefing and hearing should proceed despite the cases being 14 consolidated. See Dkts. 65, 94, 95. I need to address plaintiffs’ motion on the merits. Having 15 determined that the motion is not moot, I turn to the four Winter factors. 16 I. LIKELIHOOD OF SUCCESS ON THE MERITS 17 Because plaintiffs’ purported consent is an overarching issue that could preclude relief for 18 all of the claims at issue, I begin with this topic. 19 A. Plaintiffs Did Not Consent to Meta’s Acquisition of Their Health Information. 20 The key question at the heart of this motion is whether a reasonable user would have 21 understood from Meta’s policies that Meta collects the health information at issue here. Plaintiffs 22 contend that the information at issue constitutes “protected health information” within the 23 meaning of HIPAA, and as a result, HIPAA’s heightened standard for consent applies. Mot. at 14. 24 I agree that the information at issue here appears to show patient status and thus constitutes 25 protected health information under HIPAA. But I do not reach the question of whether HIPAA’s 26 heightened standard for consent applies because, as set forth below, I do not believe that a 27 reasonable user would have understood that Meta may intercept their health information. 1. The Meta Pixel Captures Information Showing Patient Status. 1 Plaintiffs contend that the Pixel sends information revealing patient status because it 2 intercepts data relating to patient portal logins and logouts alongside identifiers for each patient. 3 Mot. at 6. I agree. 4 Plaintiffs have put forward evidence that the Pixel transmits “the patient status of 5 individuals logging into the ‘patient portals’ of their providers through click data, including the 6 Meta Pixel ‘SubscribedButtonClick’ . . .” Smith Decl. ¶ 4; see also id. ¶¶ 31–32, 164 (describing 7 “at least five” protected health information identifiers that are “routinely sent to third-parties in 8 tracking pixels when a MedStar Health patient is communicating with a MedStar Health hospital 9 at a MedStar Health Web site”). Meta concedes that plaintiff John Doe’s medical provider 10 MedStar Health, for instance, has integrated the Pixel into the webpage located at 11 https://www.medstarhealth.org/mymedstar-patient-portal. See Supp. Wooldridge Decl. ¶ 4. Using 12 the MedStar Health page as an example, this means that when a website user clicks on the “Log 13 in” button on that webpage, the Pixel transmits: (1) the 14 https://www.medstarhealth.org/mymedstar-patient-portal URL; (2) the content of the “Log in” 15 button; (3) the destination URL (i.e. the URL of the webpage that the user is directed to after 16 clicking the “Log in” button, which here is the patient portal); and (4) cookies which uniquely 17 identify a Facebook user. See Smith Decl. ¶¶ 31–37. 18 With the MedStar Health page as an example, I conclude that the Pixel transmits 19 information showing patient status. That is, the act of clicking the “Log in” button, when coupled 20 with the MedStar Health patient portal URL and the other information transmitted by the Pixel, 21 sufficiently identifies the website user as a patient. Next, I consider whether patient status 22 constitutes protected health information under HIPAA. 23 2. Patient Status Is Protected Health Information. 24 HIPAA defines “protected health information” as “individually identifiable” information 25 that is “created or received by a health care provider” (or similar entities) that “[r]elates to the past, 26 present, or future physical or mental health or condition of an individual” or the “provision of 27 health care to an individual.” 45 C.F.R. § 160.103. At least one court has previously found that 1 information which shows patient-status constitutes protected health information. See Arvidson v. 2 Buchar, No. ST-16-cv-410, 2018 WL 10613032, at *10 (V.I. Super. Ct. June 6, 2018) (ruling that 3 patient names and a patient list were PHI which were therefore subject to special disclosure 4 requirements under HIPAA). And the Department of Health and Human Services has issued 5 guidance—including as recently as this past month—instructing that information which connects 6 an individual with a healthcare provider “is indicative that the individual has received or will 7 receive health care services,” and thus “relates to the individual’s past, present, or future health or 8 health care or payment for care.” See Use of Online Tracking Technologies by HIPAA Covered 9 Entities and Business Associates, U.S. Health & Human Services (content current as of Dec. 1, 10 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online- 11 tracking/index.html;8 see also 78 Fed. Reg. 5642 (Jan. 25, 2013) (observing that it would be a 12 HIPAA violation for a covered entity to disclose a list of patient names, addresses, and hospital 13 identification numbers because “the protected health information is obviously identifiable”). 14 Meta does not challenge plaintiffs’ assertion that patient status is protected information 15 under HIPAA, but instead relies on Smith v. Facebook, 262 F. Supp. 3d 943 (N.D. Cal. 2017). But 16 Smith does not forestall my conclusion that patient status is protected health information. It dealt 17 with the question of whether Facebook users had consented to Facebook collecting information 18 about them via their browsing through certain health-related websites (such as 19 http://www.cancer.net) that had an embedded Facebook “Like” button. Smith, 262 F. Supp. 3d at 20 948. Smith concluded that there was no protected health information because the information 21 transmitted to Facebook when a user visited the http://www.cancer.net page was the same kind of 22 information transmitted to Facebook any time a user visited any page on the internet that 23 contained a Facebook button. Id. at 954. In other words, the URLs did not “relate[] specifically to 24 Plaintiffs’ health.” Id. at 954. Smith further explained: 25 The URLs at issue in this case point to pages containing information 26 about treatment options for melanoma, information about a specific 27 doctor, search results related to the phrase “intestine transplant,” a 1 wife’s blog post about her husband’s cancer diagnosis, and other 2 publicly available medical information. These pages contain general health information that is accessible to the public at large. 3 The same pages are available to every computer, tablet, smartphone, or automated crawler that sends GET requests to these URLs. 4 Nothing about the URLs, or the content of the pages located at those URLs, relates “to the past, present, or future physical or mental 5 health or condition of an individual.” 45 C.F.R. § 6 160.103 (emphasis added). As such, the stricter authorization requirements of HIPAA (as well as Cal. Civ. Code § 1798.91) do 7 not apply. 8 Id. at 954–55 (underline in original). 9 This case is different than Smith. Unlike the “general health information that is accessible 10 to the public at large,” the URLs and other information transmitted through the Pixel establish that 11 a user is about to log in to a healthcare provider’s website. Smith Decl. ¶¶ 31–37. Unlike in 12 Smith, then, the Pixel captures information that connects a particular user to a particular healthcare 13 provider—i.e., patient status—which falls within the ambit of information protected under 14 HIPAA. Smith involved users browsing through websites providing healthcare information to the 15 public at large, not users navigating to patient portals on healthcare providers’ websites. The act 16 of navigating to a patient portal on a healthcare provider’s website is not the general internet 17 browsing contemplated in Smith. As a result, Smith does not bear on the question of whether the 18 information at issue here constitutes patient health information. 19 3. Meta Has Not Established Consent to the Conduct at Issue. 20 Meta’s policies notify Facebook users that Meta collects and uses their personal data, 21 including data about their browsing behavior on some third-party websites, at least in part for 22 targeted advertising. See Terms of Service at 4 (providing that Meta “collect[s] and use[s] your 23 personal data”); Data Policy at 4–5 (explaining that third-parties which are partnered with Meta 24 “provide information about your activities off of our Products”); Cookies Policy at 4 (providing 25 that Meta’s “business partners may also choose to share information with Meta”). Meta’s policies 26 do not, however, specifically indicate that Meta may acquire health data obtained from Facebook 27 users’ interactions with their medical providers’ websites. Its generalized notice is not sufficient 1 to establish consent. 2 Consent “can be explicit or implied, but any consent must be actual.” In re Google, Inc., 3 2013 WL 5423918, at *12 (N.D. Cal. Sept. 26, 2013) (citation omitted). “In order for consent to 4 be actual, the disclosures must ‘explicitly notify’ users of the practice at issue.” Calhoun v. 5 Google LLC, 526 F. Supp. 3d 605, 620 (N.D. Cal. 2021) (internal quotation omitted); see also 6 Campbell v. Facebook, Inc., 77 F. Supp. 3d 836, 847–48 (N.D. Cal. 2014) (explaining that, for a 7 finding of consent, the disclosures must have given users notice of the “specific practice” at issue). 8 As the Restatement explains, “[i]n order to be effective, the consent must be to the particular 9 conduct of the actor, or to substantially the same conduct.” Restatement (Second) of Torts § 892A 10 (1979). In other words, “consent to a fight with fists is not consent to an act of a very different 11 character, such as biting off a finger, stabbing with a knife, or using brass knuckles.” Id. The test 12 is whether a reasonable user who viewed Meta’s disclosures would have understood that Meta was 13 collecting the information at issue. See Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190, 1212 14 (N.D. Cal. 2014). Meta has the burden to show consent. Calhoun, 526 F. Supp. 3d at 620. 15 First, I am skeptical that a reasonable user who viewed Meta’s policies would have 16 understood that Meta was collecting protected health information.9 The nature of the data 17 collection that plaintiffs agreed to is akin to the general internet browsing at issue in Smith; the 18 collection of protected health information from a medical provider is a different matter entirely. 19 Second, even if a reasonable Facebook user would have understood that Meta’s data 20 collection included health information from their medical provider, that must still be squared with 21 its representation that it “requires” any third-party to have “lawful rights to collect, use and share 22 your data before providing any data to us.” Data Policy at 5. For purposes of the likely 23 forthcoming motion to dismiss, I note that Meta’s policies “must have only one plausible 24 interpretation for a finding of consent.” Calhoun, 526 F. Supp. 3d at 620 (citation omitted); see 25 26 9 This is especially true because other Meta policies (such as the Business Tool Terms) expressly provide 27 that website developers will not share data that they “know or reasonably should know . . . includes health, financial or other categories of sensitive information (including any information defined as sensitive under 1 also In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 794 (N.D. Cal. 2 2019) (internal citation omitted) (hereinafter “Facebook Consumer Priv. Litig.”) (denying 3 Facebook’s motion to dismiss based on plaintiffs’ purported consent where there were multiple 4 plausible interpretations of the term “allowed”). In Meta’s view, the Data Policy provision is 5 satisfied because any third party that wishes to use the Pixel must “represent and warrant” to Meta 6 that the third party has “all of the necessary rights and permissions and a lawful basis (in 7 compliance with all applicable laws, regulations, and industry guidelines) for the disclosure and 8 use” of the data. Opp. at 19 (citing Business Tool Terms at 1). But “require” is susceptible to 9 multiple meanings. It could mean, for instance, that all developers using the Meta Pixel have told 10 Meta that they may lawfully share this information with them. This is, of course, Meta’s preferred 11 interpretation. But it could also mean that—in the context of the health information at issue 12 here—Meta required a HIPAA-compliant authorization before receiving such information. In 13 light of the multiple plausible interpretations of “require,” it is unlikely that Meta will be able to 14 establish that plaintiffs consented to the data collection at issue here. 15 In sum, it does not appear to me that consent will bar plaintiffs’ claims. I go on to consider 16 the strength of plaintiffs’ claims under the Wiretap Act, CIPA, and California law. 17 B. Wiretap Act Claim 18 There are two questions that I must answer to determine whether plaintiffs are likely to 19 prevail on their Wiretap Act claim. First, I must examine whether plaintiffs have shown that each 20 of the five elements are met. Second, I must consider whether any of the Wiretap Act’s 21 exceptions could exempt Meta from liability. I address each question below. 22 1. Elements of a Wiretap Act Claim 23 “The Wiretap Act prohibits the unauthorized ‘interception’ of an ‘electronic 24 communication.’” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606–07 (9th Cir. 25 2020), cert. denied sub nom. Facebook, Inc. v. Davis, 141 S. Ct. 1684 (2021) (quoting 18 U.S.C. § 26 2511(1)(a)–(e)). Plaintiffs must show that Meta (1) intentionally (2) intercepted (3) the contents 27 of (4) plaintiffs’ electronic communications (5) using a device. See In re Pharmatrak, Inc., 329 1 F.3d 9, 18 (1st Cir. 2003) (listing elements for a Wiretap Act claim). Meta challenges only the 2 “contents” element. 3 a. Meta’s “Intentional” “Interception” 4 “Intercept” is defined under the Wiretap Act as “the aural or other acquisition of the 5 contents of any wire, electronic, or oral communication through the use of any electronic, 6 mechanical, or other device.” 18 U.S.C. § 2510(4). Although the statute does not define 7 “acquisition,” the Ninth Circuit has construed the term according to its ordinary meaning as the 8 “act of acquiring, or coming into possession of [.]” United States v. Smith, 155 F.3d 1051, 1055 9 n.7 (9th Cir. 1998). “Such acquisition occurs when the contents of a wire communication are 10 captured or redirected in any way.” Noel v. Hall, 568 F.3d 743, 749 (9th Cir. 2009) (internal 11 citation and quotation marks omitted). 12 According to plaintiffs, the Pixel is “designed for the very purpose of intercepting 13 communications on third-party websites by surreptitiously and contemporaneously redirecting 14 these communications to Meta.” Mot. at 11 (citing Smith Decl. ¶¶ 7–14). Plaintiffs have put 15 forward evidence that Meta receives information through the Pixel. See, e.g., Smith Decl. ¶¶ 4–5, 16 32–33. Meta does not dispute that the intentional or interception elements are met. See Opp. at 17 20–21. Plaintiffs appear likely to succeed on these two elements of their claim. 18 b. “Contents” of “Electronic Communications” on “Devices” 19 Of the remaining three elements, only “contents” is in dispute. Meta says that the names 20 of buttons clicked on websites and their associated URLs are not “content” within the meaning of 21 the statute. I disagree. As set forth below, because the “Log in” button and full-string URLs 22 concern the “substantive, purport, or meaning of a communication,” these transmissions likely 23 constitute “contents.” 24 The statute broadly defines “content” to include “any information concerning the 25 substance, purport, or meaning of [a] communication.” 18 U.S.C. § 2510(8). “Contents” refers to 26 the “intended message conveyed by the communication”—it does not include record information 27 regarding the characteristics of the message that is generated in the course of the communication. 1 provided as part of a sign-up process constitutes “content” because this information is the subject 2 of the communication. Id. at 1107 (“Because the users had communicated with the website by 3 entering their personal medical information into a form provided by the website, the First Circuit 4 correctly concluded that the defendant was disclosing the contents of a communication.”). And 5 while a URL that includes “basic identification and address information” is not “content,” a URL 6 disclosing a “search term or similar communication made by the user” “could constitute a 7 communication” under the statute. Id. at 1108–09. 8 In my view, the log-in buttons and the kinds of descriptive URLs identified in the Smith 9 Decl. are “contents” within the meaning of the statute. Unlike in Zynga, the URLs at issue here 10 would not merely reveal the name of a Facebook user or group—as Smith explained, the 11 transmitted URLs include both the “path” and the “query string.”10 Smith Decl. ¶¶ 50–51; see 12 also id. ¶ 189 (showing hardfordhospital.org/services/digestive-health/conditions-we- 13 treat/colorectal-small-bowel-disorders/ulcerative-colitis URL). These items are content because 14 they concern the substance of a communication. See Zynga, 750 F.3d at 1107; In re Google Inc. 15 Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 137 (3d Cir. 2015) (“If an address, phone 16 number, or URL is . . . part of the substantive information conveyed to the recipient, then by 17 definition it is ‘content.’”); see also In re Google RTB Consumer Priv. Litig., No. 21-cv-2155- 18 YGR, 2022 WL 2165489, at *10 (N.D. Cal. June 13, 2022) (finding that categories of the website, 19 categories that describe the current section of the website, and referrer URL that caused navigation 20 to the current page constituted “content”). 21 As noted above, Meta does not challenge plaintiffs’ assertion that the Pixel transmits 22 “electronic communications” through the use of “devices.” And plaintiffs’ internet 23 communications on their healthcare providers’ websites appear to fall squarely within the statutory 24 definitions. See 18 U.S.C. §§ 2510(5), (12) (defining “device” and “electronic communication”). 25 26 10 The “path” identifies where a file or resource can be found on a website. Smith Decl. ¶ 50. Take the https://www.medstarhealth.org/doctors/paul-a-sack-md URL: here, the “path” is doctors/dr-paul-a-sack- 27 md. Id. A “query string” provides a list of parameters. An example of a URL which includes a query string is https://www.medstarheatlh.org/sxa/search/results/?q=diabetes. Id. The query string parameters in 1 In sum, plaintiffs have made a strong showing as to each of the elements of their Wiretap 2 Act claim. But to ultimately succeed, plaintiffs must also overcome Meta’s arguments regarding 3 the applicability of the Wiretap Act exceptions. 4 2. Wiretap Act’s Exceptions 5 Importantly, the Wiretap Act exempts liability in certain circumstances. The statute 6 provides that: 7 It shall not be unlawful under this chapter for a person not acting 8 under color of law to intercept a wire, oral, or electronic 9 communication where such person is a party to the communication or where one of the parties to the communication has given prior 10 consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious 11 act in violation of the Constitution or laws of the United States or of any State. 12 13 18 U.S.C. § 2511(2)(d). In other words, the Wiretap Act allows interception where the 14 interception is made by a “party” to the communication or where a “party” has consented to the 15 interception. Id. This exception does not apply, however, where the interceptor acts “for the 16 purpose of” committing any crime or tort in violation of state or federal law. Id. 17 Putting the question of plaintiffs’ consent to the side, the healthcare providers who 18 configured the Pixel on their websites presumably consented to Meta’s receipt of the information. 19 Because the Wiretap Act is a one-party consent statute, see Rodriguez v. Google LLC, No. 20-cv- 20 04688-RS, 2021 WL 2026726, at *6 (N.D. Cal. May 21, 2021), this means that whether or not 21 plaintiffs consented, Meta is exempt from liability—so long as Meta did not act “for the purpose 22 of” committing any crime or tort. 18 U.S.C. § 2511(2)(d). Plaintiffs’ Wiretap Act claim rises and 23 falls with this exception to the exception. 24 The Ninth Circuit has explained that the crime-tort exception to the Wiretap Act’s consent 25 defense focuses on whether “the purpose for the interception—its intended use—was criminal or 26 tortious.” Sussman v. Am. Broad. Companies, Inc., 186 F.3d 1200, 1202 (9th Cir. 1999) 27 1 does not sanitize an interception that was also made for an illegitimate purpose. Id. Under this 2 exception, plaintiffs must allege that either the “primary motivation or a determining factor in [the 3 defendant’s] actions has been to injure plaintiffs tortiously.” Brown v. Google LLC, 525 F. Supp. 4 3d 1049, 1067 (N.D. Cal. 2021) (quotation omitted). 5 To ultimately succeed on this claim, plaintiffs must show that the purpose for Meta’s 6 interception was to injure plaintiffs tortiously. Meta contends that the crime-tort exception does 7 not apply because its purpose was merely advertising, which is neither a crime nor a tort. Opp. at 8 20. Multiple courts in this district have found that the crime-tort exception to the Wiretap Act is 9 inapplicable where the defendant’s primary motivation was to make money, not to injure plaintiffs 10 tortiously. See Rodriguez, 2021 WL 2026726, at *6 n.8 (finding crime-tort exception inapplicable 11 where Google’s alleged interceptions occurred with the consent of app developers and were 12 financially motivated); In re Google Inc. Gmail Litig., No. 13-md-02430-LHK, 2014 WL 13 1102660, at *18 n.13 (N.D. Cal. Mar. 18, 2014) (“[T]he tort or crime exception cannot apply 14 where the interceptor’s ‘purpose has plainly not been to perpetuate torts on millions of Internet 15 users, but to make money.’”) (internal citation omitted). 16 Plaintiffs respond that the use of patient data for advertising in the absence of express 17 written consent is criminal and tortious. Reply at 11; see also FAC ¶ 154 (alleging that Meta had 18 a tortious purpose in acquiring the content of patient communications related to patient portals). 19 Plaintiffs cite several state court decisions establishing that tort claims may lie against health care 20 providers over their use of the Pixel. Reply at 11. And as discussed in Part I.D. infra, plaintiffs’ 21 tort claims against Meta appear viable. There is a not-insignificant chance, then, that plaintiffs 22 may be able to show that the crime-tort exception applies. Cf. Brown, 525 F. Supp. 3d at 1067 23 (finding that the crime-tort exception may apply where plaintiffs had “adequately alleged that 24 Google’s association of their data with preexisting user profiles violated state law, including 25 CDAFA, intrusion upon seclusion, and invasion of privacy”). 26 That said, in light of the authority in this district finding that liability does not lie where a 27 defendant’s primary motivator was to make money, I am not convinced that plaintiffs have met 1 Of course, this claim will present differently in a motion to dismiss context. The parties will have 2 the opportunity to refine their arguments regarding Meta’s purpose in intercepting the information 3 at issue here later in the litigation. 4 C. CIPA Claim11 5 The California Invasion of Privacy Act (“CIPA”) mirrors the federal Wiretap Act, but with 6 a few important exceptions. “The purpose of the act was to protect the right of privacy by, among 7 other things, requiring that all parties consent to a recording of their conversation.” Flanagan v. 8 Flanagan, 27 Cal. 4th 766, 769 (2002). 9 Plaintiffs allege that Meta violated two provisions of CIPA: section 631(a) (the 10 wiretapping provision), and section 632(a) (the recording provision). Mot. at 15–16. The 11 wiretapping provision of CIPA provides: 12 Any person who, by means of any machine, instrument, or 13 contrivance, or in any other manner . . . willfully and without the 14 consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or 15 meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent 16 from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to 17 communicate in any way, any information so obtained, or who aids, 18 agrees with, employs, or conspires with any person or persons to lawfully do, or permit, or cause to be done any of the acts or things 19 mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars. 20 Cal. Penal Code § 631(a). Put simply, “CIPA is violated when a person reads, or attempts to read, 21 or to learn the contents or meaning of any message, report, or communication while the same is in 22 transit or passing over any wire, line, or cable.” Cline v. Reetz-Laiolo, 329 F. Supp. 3d 1000, 1050 23 (N.D. Cal. 2018) (internal quotation marks and citation omitted). 24 The recording provision of CIPA states that it is unlawful for any person to “intentionally 25 and without the consent of all parties to a confidential communication, use[] [a] recording device 26 27 11 The parties do not dispute that California law applies. See Mot. at 15 (explaining why Meta is subject to 1 to . . . record the confidential communication[.]” Cal. Penal Code § 632(a). A “confidential 2 communication” is “any communication carried on in circumstances as may reasonably indicate 3 that any party to the communication desired it to be confined to the parties thereto[.]” Cal. Penal 4 Code § 632(c). 5 1. Elements of CIPA Claim (Wiretapping Provision) 6 “The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” 7 Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 127 (N.D. Cal. 2020) (quoting Cline, 329 F. Supp. 3d 8 at 1051). I have already concluded that plaintiffs will likely establish the elements of a claim 9 under the federal Wiretap Act. See Section I.B.1 supra. Meta mounts a single challenge to a 10 single element here, arguing that plaintiffs cannot show that the intercepted information is 11 “content” based on its arguments under the federal Wiretap Act. See Opp. at 21. For the reasons 12 given above, this challenge fails. 13 2. Elements of CIPA Claim (Recording Provision) 14 As noted above, section 632(a) applies only to eavesdropping or recording of a 15 confidential communication. See Cal. Penal Code § 632(a). Meta argues that the communications 16 at issue here were not confidential because they were transmitted via the Internet. Opp. at 21–22. 17 I disagree. 18 A communication is confidential under section 632(a) if one of the parties “has an 19 objectively reasonable expectation that the conversation is not being overheard or 20 recorded.” Flanagan, 27 Cal. 4th at 777. “And in California, courts have developed a 21 presumption that Internet communications do not reasonably give rise to that expectation.” 22 Revitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 WL 5485330, at *3 (N.D. Cal. Oct. 23 23, 2019) (citing and collecting authorities); see also Rodriguez, 2021 WL 2026726, at *7 24 (explaining that plaintiffs “must plead unique, definite circumstances” to rebut California’s 25 presumption against online confidentiality). The question is whether plaintiffs have shown that 26 there is something unique about these particular internet communications which justify departing 27 from the presumption. For the reasons expressed below, I conclude that they have done so. 1 Communications made in the context of a patient–medical provider relationship are readily 2 distinguishable from online communications in general for at least two reasons. First, patient- 3 status and medical-related communications between patients and their medical providers are 4 protected by federal law. See, e.g., 42 U.S.C. § 1320d-6 (providing criminal and civil penalties for 5 disclosing protected health information without authorization); 45 C.F.R. § 164.508 (requiring a 6 “valid authorization” for use or disclosure of protected health information); Section I.A.2 supra 7 (finding that patient status is protected health information under HIPAA). Second, unlike 8 communications made while inquiring about items of clothing on a retail website, Revitch, 2019 9 WL 5485330, at *3, health-related communications with a medical provider are almost uniquely 10 personal. “One can think of few subject areas more personal and more likely to implicate privacy 11 interests than that of one’s health or genetic make-up.” Norman-Bloodsaw v. Lawrence Berkeley 12 Lab’y, 135 F.3d 1260, 1269 (9th Cir. 1998); see also Doe v. City of New York, 15 F.3d 264, 267 13 (2d Cir. 1994) (“Extension of the right to confidentiality to personal medical information 14 recognizes there are few matters that are quite so personal as the status of one’s health”); cf. 15 Facebook Consumer Priv. Litig., 402 F. Supp. 3d at 783 (“So, for example, if you are diagnosed 16 with a medical condition, you can expect to conceal it completely only if you keep it between you 17 and your doctor. But it does not follow that if you send an email to selected colleagues and 18 friends explaining why you’ll be out of commission for a while, you’ve relinquished any privacy 19 interest in your medical condition, such that the email provider could disseminate your diagnosis 20 to anyone who might be interested in your health status.”). For these reasons, it seems to me that 21 plaintiffs will likely be able to show that they had an objectively reasonable expectation that their 22 communications with their medical providers were confidential. 23 Accordingly, plaintiffs will likely be able to show that the communications at issue here 24 were confidential under the CIPA. 25 D. Invasion of Privacy and Intrusion upon Seclusion Claims 26 To prevail on these claims, plaintiffs must show that they had an objectively reasonable 27 expectation of privacy in their medical communications and Meta’s conduct was highly offensive. 1 Consumer Priv. Litig., 2022 WL 2165489, at *7 (same). 2 Courts are generally hesitant to decide claims of this nature at the pleading stage. See 3 Facebook Consumer Priv. Litig., 402 F. Supp. 3d at 797 (“Under California law, courts must be 4 reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy 5 intrusion is.”); Williams v. Facebook, Inc., 384 F. Supp. 3d 1043, 1054 (N.D. Cal. 2018) 6 (observing that whether conduct rises to the level of highly offensive “is indeed a factual question 7 best left for a jury”) (internal quotation marks and citation omitted); Opperman v. Path, Inc., 205 8 F. Supp. 3d 1064, 1080 (N.D. Cal. 2016) (“A judge should be cautious before substituting his or 9 her judgment for that of the community.”). At this early stage, plaintiffs’ claims appear fairly 10 strong. I address each element in turn. 11 1. Reasonable Expectation of Privacy12 12 I have already found that—in the context of the CIPA claim—plaintiffs will likely be able 13 to show that they had an objectively reasonable expectation that their communications with their 14 medical providers were confidential based on the laws and regulations protecting the 15 confidentiality of medical information. See Section I.C.2 supra. Case law also supports plaintiffs’ 16 position that individuals maintain a reasonable expectation of privacy in detailed URLs. See In re 17 Facebook, Inc. Internet Tracking Litig., 956 F.3d at 605–06 (finding plaintiffs adequately pleaded 18 a reasonable expectation of privacy in “full-string detailed URLs” which contain “the name of a 19 website, folder and sub-folders on the web-server, and the name of the precise file requested”). 20 Meta argues that plaintiffs lacked a reasonable expectation of privacy because its policies 21 convey that it may collect and use their personal data, including data about their browsing 22 behavior on some third-party websites, even while users are not logged into Facebook. But I have 23 already found that the policies at issue did not adequately disclose that Meta collects the kind of 24 sensitive health information at issue in this case, especially in light of the policy provision 25 providing that Meta will “require” partners to obtain “lawful rights” to share user data before Meta 26 will acquire it and Meta’s directives to its partners to not send any health information. See Data 27 1 Policy at 5; Business Tool Terms at 2. As a result, Meta’s policies tend to support, rather than 2 diminish, the likelihood that a user has an objectively reasonable expectation of privacy in this 3 specific information. Cf. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 603 (finding an 4 objectively reasonable expectation of privacy existed where plaintiffs plausibly alleged that 5 Facebook did not disclose that the information at issue would be collected). 6 2. Highly Offensive Intrusion 7 The next question is whether plaintiffs have shown that Meta’s intrusion was “highly 8 offensive.” A jury will have to weigh the injury alleged, which is potentially highly offensive, 9 against Meta’s defense that it has developed comprehensive systems (discussed in Section III, 10 below) to guard against the intrusion in the most effective manner practicable. Plaintiffs have 11 offered support for the position that Meta’s conduct is highly offensive. 12 In determining the “offensiveness” of an invasion of a privacy interest, courts may 13 consider: “the degree of the intrusion, the context, conduct and circumstances surrounding the 14 intrusion as well as the intruder’s motives and objectives, the setting into which he intrudes, and 15 the expectations of those whose privacy is invaded.” Hill v. Nat’l Collegiate Athletic Assn., 7 Cal. 16 4th 1, 26 (1994) (internal citation and quotation marks omitted). “If voluntary consent is present, 17 a defendant’s conduct will rarely be deemed ‘highly offensive to a reasonable person’ so as to 18 justify tort liability.” Id. (citation omitted). 19 There is support for plaintiffs’ position that Meta has behaved egregiously. By enacting 20 criminal and civil statutes forbidding the disclosure of protected health information without proper 21 authorization, Congress has made policy decisions regarding the importance of safekeeping this 22 information. See, e.g., 42 U.S.C. § 1320d-6 (providing criminal and civil penalties for disclosing 23 protected health information without authorization); 45 C.F.R. § 164.508 (requiring a “valid 24 authorization” for use or disclosure of protected health information). Courts have also found that 25 taking personal contact information without consent could be deemed highly offensive. See 26 Opperman v. Path, 87 F. Supp. 3d 1018, 1060–61 (N.D. Cal. 2014) (finding that a jury must 27 decide whether the “surreptitious theft of personal contact information” is highly offensive). 1 Ninth Circuit has found to be relevant in the “highly offensive” inquiry. See In re Facebook, Inc. 2 Internet Tracking Litig., 956 F.3d at 606 (finding that highly offensive element was sufficiently 3 pleaded where Facebook collected full-string detailed URLs and where “Plaintiffs have alleged 4 that internal Facebook communications reveal that the company’s own officials recognized these 5 practices as a problematic privacy issue.”). These arguments have merit. 6 It is true that “[c]ourts in this district have consistently refused to characterize the 7 disclosure of common, basic digital information to third parties as serious or egregious violations 8 of social norms.” In re Google, Inc. Privacy Pol’y Litig., 58 F. Supp. 3d 968, 985 (N.D. Cal. 9 2014). But that is not the kind of information at issue here. Meta does not point to a single case 10 where a court found that the collection of the kinds of information at issue here did not constitute a 11 highly offensive invasion of privacy.13 12 A preliminary injunction is an extraordinary remedy that requires the movant to carry the 13 burden of persuasion by a “clear showing.” Mazurek v Armstrong, 520 U.S. 968, 972 (1997). It 14 is by no means clear at this stage of the case whether plaintiffs will prevail in this litigation. 15 Whether it is likely is a close call, and it will depend on the strength of Meta’s defense, which I 16 discuss below in sections III and IV. 17 II. IRREPARABLE HARM 18 Plaintiffs contend that they are irreparably harmed by Meta’s ongoing interference with 19 their right to confidential medical care and communications.14 Mot. at 19. I agree that the harm 20 itself is irreparable. 21 22 13 Meta’s reliance on Hammerling v. Google is misplaced. In Hammerling, plaintiffs alleged that Google violated California privacy laws by collecting personal information via various apps. See No. 21-cv- 23 09004-CRB, 2022 WL 2812188, at *1 (N.D. Cal. July 18, 2022). But the data at issue in Hammerling involved “usage and engagement” data—i.e., the average number of days that users were active on 24 particular apps and a user’s total time spent on non-Google apps. Id. at *1. Hammerling explicitly noted that “the plaintiffs d[id] not allege that Google can read the specific information (i.e., content) that a user 25 inputs.” Id. at *14. Because the kind of data collected in Hammerling is not analogous to the data at issue here, Hammerling’s conclusion that the data disclosure was not highly offensive does not bear on the 26 present matter. 27 14 Although Meta has implemented measures to prevent its receipt of health information, Meta 1 The legal standard for injunctive relief requires that a plaintiff “demonstrate that 2 irreparable injury is likely in the absence of an injunction.” Winter, 555 U.S. at 22 (emphasis 3 removed). “Irreparable harm is traditionally defined as harm for which there is no adequate legal 4 remedy, such as an award of damages.” Arizona Dream Act Coal. v. Brewer, 757 F.3d 1053, 1068 5 (9th Cir. 2014) (citation omitted). “Because intangible injuries generally lack an adequate legal 6 remedy, ‘intangible injuries [may] qualify as irreparable harm.’” Id. (quoting Rent-A-Ctr., Inc. v. 7 Canyon Television & Appliance Rental, Inc., 944 F.2d 597, 603 (9th Cir. 1991)). 8 The invasion of privacy triggered by the Pixel’s allegedly ongoing disclosure of plaintiffs’ 9 medical information is precisely the kind of intangible injury that cannot be remedied by damages. 10 See, e.g., Meyer v. Portfolio Recovery Assocs., LLC, 707 F.3d 1036, 1045 (9th Cir. 2012) (finding 11 that violation of privacy shows irreparable harm); Brooks v. Thomson Reuters Corp., No. 21-cv- 12 01418-EMC, 2021 WL 3621837, at *11 (N.D. Cal. Aug. 16, 2021) (holding that injunctive relief 13 may be available “because the injury here is an invasion of privacy that can never be fully 14 remedied through damages” and loss of privacy is “irreparable”); Maxcrest Ltd. v. United States, 15 No. 15-mc-80270-JST, 2016 WL 6599463, at *4 (N.D. Cal. Nov. 7, 2016) (“[A]ny harm to 16 Maxcrest’s privacy interests would be irreparable because there is nothing a court can do to 17 withdraw all knowledge or information that IRS agents may have acquired by examination of the 18 requested information once that information has already been divulged.”) (cleaned up). Plaintiffs’ 19 actions underscore the seriousness of the alleged loss of privacy. For example, plaintiff John Doe 20 has elected to stop accessing his medical provider’s online portal, except where medically 21 necessary or where his attorneys have counseled him to do so, in order to prevent his health data 22 from being sent to Meta. Declaration of John Doe (“Doe Decl.”) [Dkt. 47] ¶ 7. 23 Meta does not challenge the severity of the harm that plaintiffs have articulated. Instead, 24 Meta argues that there is no irreparable harm because: (1) plaintiffs purportedly delayed in seeking 25 injunctive relief, and (2) Meta is purportedly not causally connected to the irreparable harm. Opp. 26 at 11. Those arguments are meritless. 27 A. Plaintiffs Did Not Delay Before Seeking a Preliminary Injunction. 1 injunction, which—according to Meta—undermines their claim of irreparable harm.15 Opp. at 11. 2 A “long delay before seeking a preliminary injunction implies a lack of urgency and irreparable 3 harm.” Oakland Trib., Inc. v. Chron. Pub. Co., 762 F.2d 1374, 1377 (9th Cir. 1985) (citation 4 omitted); see also Garcia, 786 F.3d at 746 (waiting “months to seek an injunction . . . undercut[s] 5 Garcia’s claim of irreparable harm”). But “delay is only one factor among the many that we 6 consider in evaluating whether a plaintiff is likely to suffer irreparable harm absent interim relief.” 7 Cuviello v. City of Vallejo, 944 F.3d 816, 833 (9th Cir. 2019). 8 The two month period at issue here is readily distinguishable from the situations where 9 courts have found that a delay in seeking an injunction weighs against irreparable harm. In 10 Oakland Tribune, for instance, the Ninth Circuit affirmed the denial of a preliminary injunction 11 where “the exclusivity provisions which plaintiff seeks to enjoin have been in effect for a number 12 of years.” 762 F.2d at 1377. And in Garcia, the plaintiff moved for a preliminary injunction 13 approximately four months after the film (which formed the basis for her copyright claim) was 14 posted on the internet. 786 F.3d at 737–38. In addition to the cases cited by Meta, other Ninth 15 Circuit decisions suggest that waiting two months before seeking an injunction does not lessen a 16 claim of irreparable harm. See Arc of California v. Douglas, 757 F.3d 975, 990 (9th Cir. 2014) 17 (challenging a law which “was passed only months before the initiation of this lawsuit” weighed 18 against finding delay); cf. Cuviello, 944 F.3d at 822, 834 (finding that plaintiff delayed by seeking 19 preliminary injunction almost two years after learning of restraint on speech but that plaintiff had 20 still shown irreparable harm); Lydo Enterprises, Inc. v. City of Las Vegas, 745 F.2d 1211, 1213–14 21 (9th Cir. 1984) (finding that a five year delay before “taking any action” weighed against finding 22 of irreparable harm). 23 The issues in this case are factually, technologically, and legally complex. The two month 24 period between the complaint and the motion for a preliminary injunction does not undermine 25 plaintiffs’ showing of irreparable injury. 26 27 B. Plaintiffs Allege Irreparable Harm Causally Connected to Meta’s Conduct. 1 Meta also contends that there is no irreparable harm because “plaintiffs have not shown 2 that their alleged harm is caused by the defendant.” Opp. at 12. It claims that it is not responsible 3 because (1) plaintiffs can purportedly avoid injury by disconnecting their off-Facebook activity, 4 and (2) third party website developers, not Meta, are to blame. Id. Neither argument defeats 5 plaintiffs’ showing of irreparable harm. 6 Meta says that plaintiffs can “avoid” their injuries by disconnecting their off-Facebook 7 activity from their accounts, which they can do—according to Meta’s senior software engineer— 8 for all third-party websites, or on a website-by-website basis. Opp. at 12; see also Wooldridge 9 Decl. ¶ 11 (explaining that Meta users can control or disconnect their off-Facebook activity). Its 10 misunderstanding of plaintiffs’ claim is laid bare with this statement from its opposition brief: 11 “Meta gives users the ability to control the use of information about their off-Facebook activity 12 (such as activity on third-party websites) for advertising purposes.” Opp. at 6 (emphasis added). 13 Plaintiffs do not merely object to receiving targeted advertising based on their health 14 information. The heart of plaintiffs’ complaint—and the core injury asserted therein—is that Meta 15 is accessing their health information in violation of state and federal law. During the hearing, 16 Meta conceded that it does not enable Facebook users to prevent Meta from accessing their 17 information. See PI Hrg. Tr. at 7:23–8:23. Because Meta does not enable plaintiffs to “opt out” of 18 using the Pixel, Meta’s argument and authorities regarding “self-inflicted” harm are irrelevant. 19 Meta’s other argument hinges on the premise that Meta cannot stop website developers 20 from sending it health information. Opp. at 12–13. But Meta conceded that it “has the ability to 21 block all data coming in from a specific website or specific Pixel ID,” which Meta has done in 22 certain circumstances. See Supp. Wooldridge Decl. ¶ 51 (emphasis in original). Putting aside the 23 appropriateness of such a measure, which is discussed in the balance of the equities section below, 24 the fact stands that Meta is capable of turning the Pixel off for certain websites. Plaintiffs have 25 alleged that Meta is causally connected to their injury. That website developers may also be liable 26 does not mean, of course, that Meta is exempt from liability. And Meta’s efforts to prevent receipt 27 of health information do not diminish the irreparable invasion of privacy that plaintiffs have 1 experienced. 2 III. BALANCE OF EQUITIES 3 The balance of equities factor requires me to weigh the “competing claims of injury” and 4 “consider the effect on each party of the granting or withholding of the requested relief.” Winter, 5 555 U.S. at 24 (citation omitted). To succeed in securing an injunction, plaintiffs must show that 6 the balance of equities tips in their favor. Id. at 20. For the reasons set forth below, I find that 7 plaintiffs have not done so. 8 As noted above, plaintiffs describe a weighty injury. Privacy is “a most fundamental 9 human right” that is “older than the Bill of Rights[.]” See Kewanee Oil Co. v. Bicron Corp., 416 10 U.S. 470, 487 (1974); Griswold v. Connecticut, 381 U.S. 479, 486 (1965). And while privacy is 11 important, it is also fragile: with a mere click of the mouse, one’s personal information may be 12 disseminated to the world. There is no way to undo a loss of privacy. 13 Without minimizing the gravity of plaintiffs’ injury, though, two points merit caution. 14 First, Meta contends that plaintiffs’ recommendations for how Meta could modify its existing 15 filtration systems to comply with an injunction are either already implemented or are infeasible in 16 light of Meta’s existing systems. See Supp. Wooldridge Decl. ¶¶ 16, 23–26, 31, 33–39. The 17 Supp. Wooldridge Decl. describes the resources16 that Meta has already invested in its filtration 18 systems and contextualizes the technological issues implicated by an injunction of the sort that 19 plaintiffs seek. Id. ¶ 46. Wooldridge explained that Meta designed its existing filtering 20 mechanism to detect and filter out potentially sensitive data transmitted via the Pixel in light of the 21 vast quantity of data that floods Meta every day. Id. ¶ 8. According to Meta, Meta’s existing 22 filtration systems are “the most effective and feasible methods” for Meta to detect and prevent the 23 receipt of potentially sensitive information at scale. Id. ¶ 47. At this point, I have no reason not to 24 credit Meta’s assertions regarding the design of the filtration systems or the feasibility of Wilson’s 25 26 16 There are currently 15 Meta employees (including four dedicated engineers) working on improving the 27 integrity systems used to detect and filter out potentially sensitive health data sent via the Meta Pixel, and 80 employees who are involved in other aspects of Meta’s filtration systems. Supp. Wooldridge Decl. 1 recommendations. 2 Second, at this early stage of litigation, many of the facts are unknown or still developing. 3 It is not clear to me, for instance, how many hospital systems currently use the Pixel on their 4 patient portals.17 Nor do I know how successfully Meta’s filtration systems flag and block the 5 health information at issue in this case. Plaintiffs claim that the filtration systems are 6 “ineffective,” see Reply at 6 n.4, but without the benefit of discovery, plaintiffs must rely on 7 anecdotal evidence from their expert. See Smith Decl. ¶¶ 187–90. And while Wilson described 8 steps that Meta purportedly already has available to comply with an injunction based on the filings 9 from this case so far, Meta’s senior software engineer contends that these steps are infeasible in 10 light of how Meta’s systems actually function. See Supp. Wooldridge Decl. ¶¶ 16, 23–26, 31, 33– 11 39. All this is to say: plaintiffs have described what is potentially a serious problem. But at this 12 point, the precise contours of this problem—the number of HIPAA-entities currently sending 13 patient information to Meta, the amount of data that seeps through the filtration systems, and the 14 feasibility of other technological solutions—remain unknown. 15 Discovery will eliminate some of these unknowns. Once plaintiffs learn more about 16 Meta’s filtration systems and develop an understanding of the kinds of data that are or are not 17 blocked, plaintiffs will be on stronger footing regarding both the feasibility and necessity of 18 technological changes. Should plaintiffs learn that Meta’s filtration system is indeed ineffective or 19 that Meta can readily refine its systems to block the patient information at issue here, the balance 20 of equities may at that point tilt in favor of an injunction. In the meantime, I expect Meta to 21 continue to refine its filtration systems to address the issues raised by this case.18 22 The record is not sufficiently developed at this stage to make a judgment regarding the 23 24 17 Plaintiffs allege that they “have identified at least 664 hospital systems or medical provider web 25 properties where Facebook has received patient data via the Facebook Pixel.” FAC ¶ 15. But the extent to which these entities currently use the Pixel is unclear. Smith observed that after plaintiffs had filed suit, the 26 Pixel was removed “from a number of” hospital websites. Smith Decl. ¶¶ 192–97. And Meta contends that the three hospital systems used by plaintiffs do not currently feature the Pixel on the patient portal 27 webpage. See Supp. Wooldridge Decl. ¶¶ 3–6. 1 equities in this case. I suspect it will be clearer after discovery. 2 IV. PUBLIC INTEREST 3 The balance of equities focuses on the parties, but “the public interest inquiry primarily 4 addresses impact on non-parties rather than parties,” and takes into consideration “the public 5 consequences in employing the extraordinary remedy of injunction.” hiQ Labs, Inc. v. LinkedIn 6 Corp., 31 F.4th 1180, 1202 (9th Cir. 2022) (quoting Bernhardt v. Los Angeles Cnty., 339 F.3d 7 920, 931–32 (9th Cir. 2003)). For the reasons set forth in the preceding section, I find that the 8 public interest factor does not—at this point—favor an injunction. 9 To be sure, the public has an interest in privacy in general and health information in 10 particular. But I must also consider the “public consequences” of imposing injunctive relief under 11 these circumstances. See hiQ Labs., 31 F.4th at 1202. Although key information remains 12 unknown, plaintiffs ask me to impose a mandatory injunction against a company that has already 13 gone to some lengths to address these issues. Putting the efficacy of Meta’s filtering system to the 14 side, the fact remains that Meta has designed and implemented the systems which it believes are 15 the “most effective and feasible methods” to address the receipt of sensitive information. Supp. 16 Wooldridge Decl. ¶ 47. Against this backdrop, I am not convinced that the public interest would 17 support imposing an injunction against companies in Meta’s position. 18 In light of the systems in place that Meta has created to block receipt of this sensitive 19 information and the factual uncertainties described above, it is too early to find that the public 20 interest supports a mandatory injunction. Of course, my perspective may evolve as the factual 21 record develops in the case. 22 CONCLUSION 23 My analysis of the Winter factors shows that neither the equities nor the public interest 24 currently supports an injunction. Although plaintiffs have potentially strong arguments on both 25 the merits and irreparable injury, they cannot meet the high standard required for a mandatory 26 27 1 injunction. Their request for a preliminary injunction is DENIED. 2 IT IS SO ORDERED. 3 Dated: December 22, 2022 4 5 . 6 ® imam H. Orrick 7 United States District Judge 8 9 10 11 a 12 15 16 it Z 18 19 20 21 22 23 24 25 26 27 28
Leave a Comment

Document Info

Docket Number: 3:22-cv-03580

Filed Date: 12/22/2022

Precedential Status: Precedential

Modified Date: 6/20/2024