NOT PRECEDENTIAL UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT ______________
No. 25-1449 ______________
ANGELA COLE, individually and on behalf of all others similarly situated; BEATRICE ROCHE, individually and on behalf of all others similarly situated, Appellants
v.
QUEST DIAGNOSTICS INC ______________
On Appeal from the United States District Court for the District of New Jersey (D.C. No. 2:23-cv-20647) U.S. District Judge: Honorable William J. Martini ______________
Submitted Under Third Circuit L.A.R. 34.1(a) November 10, 2025 ______________
Before: SHWARTZ, MATEY, and MONTGOMERY-REEVES, Circuit Judges.
(Filed: November 13, 2025) ______________
OPINION* ______________
* This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not constitute binding precedent. SHWARTZ, Circuit Judge.
Plaintiffs, users of websites operated by Quest Diagnostics Inc., allege that Quest
transmitted to Facebook their browsing data in violation of the California Invasion of
Privacy Act, California Penal Code § 631(a) (“CIPA”) and the Confidentiality of Medical
Information Act, California Civil Code § 56.06(a) (“CMIA”). Because Plaintiffs directly
transmitted to Facebook their browsing data and none of that data was substantive
medical information, we will affirm the District Court’s orders dismissing Plaintiffs’
claims.
I1
Quest operates two websites: www.questdiagnostics.com (the “General Website”)
and www.myquest.diagnostics.com (“MyQuest”). The General Website is “available to
all internet users” who can “browse articles, read publications, and access [Quest’s] other
services and products.” App. 56. MyQuest is a “password-protected platform” that
allows users to create an account and “review test results, schedule appointments, or pay
bills” for clinical lab services Quests provides to its patients. App. 56.
Both websites incorporate the Facebook tracking pixel. The pixel collects
information about internet users’ activity for advertising purposes. When a user accesses
a host website that incorporates the pixel, the user’s browser runs code to access the host
website and “send[s] a separate message to Facebook’s servers . . . concurrent with the
1 “In reviewing a motion to dismiss under Rule 12(b)(6), we treat as true all well- pleaded facts in the complaint, which we construe in the ‘light most favorable to the plaintiff.’” Santomenno ex rel. John Hancock Tr. v. John Hancock Life Ins. Co. (U.S.A), 768 F.3d 284, 290 (3d Cir. 2014) (citations omitted). 2 communications with the host website.” App. 55. This pixel communicates that the user
is accessing that host website and transmits to Facebook any “additional data that the
pixel is configured to collect.” App. 55. Facebook then matches this information “with
personally identifiable information” associated with the user’s Facebook account “so it
can later retarget patients [with advertisements] on Facebook.” App. 61.
When a user accesses the General Website, Plaintiffs allege the pixel transmits to
Facebook “the URL of the page requested, along with the title of the page, keywords
associated with the page, and a description of the page.” App. 59. Likewise, when a user
accesses MyQuest, the pixel transmits to Facebook the URL “showing, at a minimum,
that a patient has received and is accessing test results.” App. 59.
Plaintiffs allege that when they retrieved their medical test results by “navigat[ing]
to the General Website, which redirected [them] to [MyQuest],” Quest transmitted to
Facebook their personal information. App. 51-52. They filed a putative class-action
complaint alleging this violated (1) CIPA because Quest “aided, agreed with, and
conspired with Facebook to track and intercept Plaintiffs’ and Class members’ internet
communications,” App. 66, and (2) CMIA because Quest “disclosed the URL of the
webpage [Plaintiffs] accessed to review test results” along with Plaintiffs’ identifying
information connected to their Facebook accounts,2 App. 67.
Quest moved to dismiss. In separate rulings, the District Court dismissed both the
CIPA and CMIA claims. See Cole v. Quest Diagnostics, Inc. (Cole I), 2:23-CV-20647-
2 Plaintiffs have Facebook accounts and “typically remain[] logged in” on their devices after using their accounts. App. 51-52. 3 WJM, 2024 WL 3272789 (D.N.J. July 2, 2024); Cole v. Quest Diagnostics, Inc. (Cole II),
2:23-CV-20647-WJM, 2025 WL 88703 (D.N.J. Jan. 14, 2025).
As to the CIPA claim, the District Court found that CIPA “is aimed only at
‘eavesdropping, or the secret monitoring of conversations,’” and that Facebook received
information directly from “[P]laintiffs’ ‘browsers’” about webpages the Plaintiffs visited,
and, thus, “‘there is no need for [Facebook to have eavesdropped] to acquire that
information from transmissions to which they are not a party.’” Cole II, 2025 WL 88703,
at *2 (quoting In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125,
140-41 (3d Cir. 2015)).
As to the CMIA claim, the District Court reasoned that CMIA bars the unlawful
disclosure of “substantive” medical information, Cole I, 2024 WL 3272789, at *5 (citing
Eisenhower Med. Ctr. v. Superior Ct., 172 Cal. Rptr. 3d 165, 170 (Ct. App. 2014)), and
Plaintiffs alleged only that Quest disclosed “information reveal[ing] a patient has
received and is accessing test results” but did not disclose to Facebook “[i]nformation
regarding what kind of medical test was done or what the results were,” Id., at *5
(citation omitted). As a result, the Court held that Plaintiffs did not allege the disclosure
of “medical information” under CMIA. Cole I, 2024 WL 3272789, at *5.
Plaintiffs appeal.
II3
3 The District Court had jurisdiction pursuant to 18 U.S.C. § 1332(d)(2)(A), and we have jurisdiction under 28 U.S.C. § 1291. We exercise plenary review of a district court’s order granting a motion to dismiss for failure to state a claim. See Burtch v. Milberg Factors, Inc., 662 F.3d 212, 220 (3d Cir. 2011). 4 A
CIPA provides a private right of action against “[a]ny person” who “willfully and
without the consent of all parties to the communication . . . read[s] . . . the contents or
meaning of any message, report, or communication while the same is in transit.” Cal.
Penal Code §§ 631(a), 637.2. The statute prohibits “eavesdropping, or the secret
monitoring of conversations by third parties.” Ribas v. Clark, 696 P.2d 637, 640 (Cal.
1985). Section 631(a) does not apply to “recording by a participant to a conversation.”
Warden v. Kahn, 160 Cal. Rptr. 471, 475 (Ct. App. 1979).
In Google Cookie, we considered whether online advertising businesses, like
Facebook, were parties to communications and, thus, exempt from CIPA liability. 806
F.3d at 152. There, internet users alleged that when they accessed certain websites, the
Free access — add to your briefcase to read the full text and ask questions with AI
NOT PRECEDENTIAL UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT ______________
No. 25-1449 ______________
ANGELA COLE, individually and on behalf of all others similarly situated; BEATRICE ROCHE, individually and on behalf of all others similarly situated, Appellants
v.
QUEST DIAGNOSTICS INC ______________
On Appeal from the United States District Court for the District of New Jersey (D.C. No. 2:23-cv-20647) U.S. District Judge: Honorable William J. Martini ______________
Submitted Under Third Circuit L.A.R. 34.1(a) November 10, 2025 ______________
Before: SHWARTZ, MATEY, and MONTGOMERY-REEVES, Circuit Judges.
(Filed: November 13, 2025) ______________
OPINION* ______________
* This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not constitute binding precedent. SHWARTZ, Circuit Judge.
Plaintiffs, users of websites operated by Quest Diagnostics Inc., allege that Quest
transmitted to Facebook their browsing data in violation of the California Invasion of
Privacy Act, California Penal Code § 631(a) (“CIPA”) and the Confidentiality of Medical
Information Act, California Civil Code § 56.06(a) (“CMIA”). Because Plaintiffs directly
transmitted to Facebook their browsing data and none of that data was substantive
medical information, we will affirm the District Court’s orders dismissing Plaintiffs’
claims.
I1
Quest operates two websites: www.questdiagnostics.com (the “General Website”)
and www.myquest.diagnostics.com (“MyQuest”). The General Website is “available to
all internet users” who can “browse articles, read publications, and access [Quest’s] other
services and products.” App. 56. MyQuest is a “password-protected platform” that
allows users to create an account and “review test results, schedule appointments, or pay
bills” for clinical lab services Quests provides to its patients. App. 56.
Both websites incorporate the Facebook tracking pixel. The pixel collects
information about internet users’ activity for advertising purposes. When a user accesses
a host website that incorporates the pixel, the user’s browser runs code to access the host
website and “send[s] a separate message to Facebook’s servers . . . concurrent with the
1 “In reviewing a motion to dismiss under Rule 12(b)(6), we treat as true all well- pleaded facts in the complaint, which we construe in the ‘light most favorable to the plaintiff.’” Santomenno ex rel. John Hancock Tr. v. John Hancock Life Ins. Co. (U.S.A), 768 F.3d 284, 290 (3d Cir. 2014) (citations omitted). 2 communications with the host website.” App. 55. This pixel communicates that the user
is accessing that host website and transmits to Facebook any “additional data that the
pixel is configured to collect.” App. 55. Facebook then matches this information “with
personally identifiable information” associated with the user’s Facebook account “so it
can later retarget patients [with advertisements] on Facebook.” App. 61.
When a user accesses the General Website, Plaintiffs allege the pixel transmits to
Facebook “the URL of the page requested, along with the title of the page, keywords
associated with the page, and a description of the page.” App. 59. Likewise, when a user
accesses MyQuest, the pixel transmits to Facebook the URL “showing, at a minimum,
that a patient has received and is accessing test results.” App. 59.
Plaintiffs allege that when they retrieved their medical test results by “navigat[ing]
to the General Website, which redirected [them] to [MyQuest],” Quest transmitted to
Facebook their personal information. App. 51-52. They filed a putative class-action
complaint alleging this violated (1) CIPA because Quest “aided, agreed with, and
conspired with Facebook to track and intercept Plaintiffs’ and Class members’ internet
communications,” App. 66, and (2) CMIA because Quest “disclosed the URL of the
webpage [Plaintiffs] accessed to review test results” along with Plaintiffs’ identifying
information connected to their Facebook accounts,2 App. 67.
Quest moved to dismiss. In separate rulings, the District Court dismissed both the
CIPA and CMIA claims. See Cole v. Quest Diagnostics, Inc. (Cole I), 2:23-CV-20647-
2 Plaintiffs have Facebook accounts and “typically remain[] logged in” on their devices after using their accounts. App. 51-52. 3 WJM, 2024 WL 3272789 (D.N.J. July 2, 2024); Cole v. Quest Diagnostics, Inc. (Cole II),
2:23-CV-20647-WJM, 2025 WL 88703 (D.N.J. Jan. 14, 2025).
As to the CIPA claim, the District Court found that CIPA “is aimed only at
‘eavesdropping, or the secret monitoring of conversations,’” and that Facebook received
information directly from “[P]laintiffs’ ‘browsers’” about webpages the Plaintiffs visited,
and, thus, “‘there is no need for [Facebook to have eavesdropped] to acquire that
information from transmissions to which they are not a party.’” Cole II, 2025 WL 88703,
at *2 (quoting In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125,
140-41 (3d Cir. 2015)).
As to the CMIA claim, the District Court reasoned that CMIA bars the unlawful
disclosure of “substantive” medical information, Cole I, 2024 WL 3272789, at *5 (citing
Eisenhower Med. Ctr. v. Superior Ct., 172 Cal. Rptr. 3d 165, 170 (Ct. App. 2014)), and
Plaintiffs alleged only that Quest disclosed “information reveal[ing] a patient has
received and is accessing test results” but did not disclose to Facebook “[i]nformation
regarding what kind of medical test was done or what the results were,” Id., at *5
(citation omitted). As a result, the Court held that Plaintiffs did not allege the disclosure
of “medical information” under CMIA. Cole I, 2024 WL 3272789, at *5.
Plaintiffs appeal.
II3
3 The District Court had jurisdiction pursuant to 18 U.S.C. § 1332(d)(2)(A), and we have jurisdiction under 28 U.S.C. § 1291. We exercise plenary review of a district court’s order granting a motion to dismiss for failure to state a claim. See Burtch v. Milberg Factors, Inc., 662 F.3d 212, 220 (3d Cir. 2011). 4 A
CIPA provides a private right of action against “[a]ny person” who “willfully and
without the consent of all parties to the communication . . . read[s] . . . the contents or
meaning of any message, report, or communication while the same is in transit.” Cal.
Penal Code §§ 631(a), 637.2. The statute prohibits “eavesdropping, or the secret
monitoring of conversations by third parties.” Ribas v. Clark, 696 P.2d 637, 640 (Cal.
1985). Section 631(a) does not apply to “recording by a participant to a conversation.”
Warden v. Kahn, 160 Cal. Rptr. 471, 475 (Ct. App. 1979).
In Google Cookie, we considered whether online advertising businesses, like
Facebook, were parties to communications and, thus, exempt from CIPA liability. 806
F.3d at 152. There, internet users alleged that when they accessed certain websites, the
servers hosting those sites would “instruct[] the user’s web browser to send a . . . request
to [online advertising businesses] to display the relevant advertising information for
[inclusion in] the space on the page” the user received. Id. at 140. In relevant part, we
rejected users’ argument that these online advertising businesses violated CIPA because
they “acquired and tracked the plaintiffs’ internet usage.” Id. at 139, 152. We explained
that “[i]f users’ browsers directly communicate with [online advertising businesses] about
the webpages they are visiting . . . then there is no need for [those businesses] to acquire
that information from transmissions to which they are not a party.” Id. at 140-41.
Therefore, we affirmed the order dismissing the CIPA claim because those online
advertising businesses “were parties to any communications that they acquired.” Id. at
145, 152; see also In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 276 (3d Cir.
5 2016) (footnotes omitted) (relying on Google Cookie to hold that CIPA “does not apply
when the alleged interceptor was a party to the communications”).4
Plaintiffs’ CIPA claim similarly lacks merit. Like the users in Google Cookie,
Plaintiffs here directly “sen[t] a separate message to Facebook’s servers . . . concurrent
with the communications with [Quest]” that allegedly disclosed their browsing activity.
App. 55. As the recipient of a direct communication from Plaintiffs’ browsers, Facebook
was a participant in Plaintiffs’ transmissions such that Quest did not aid or assist
Facebook in eavesdropping on or intercepting such communications, even if done
without the users’ knowledge. See Google Cookie, 806 F.3d at 151 n.130 (“The decision
to use one or another technology is the decision to choose its features, even if the lay user
may not actually know what all those features are in their specifics.”). Because there was
no eavesdropping, Plaintiffs’ CIPA claim was properly dismissed.
B
The District Court also correctly dismissed Plaintiffs’ CMIA claim. CMIA
prohibits a “provider of health care” from “disclos[ing] medical information regarding a
patient . . . without first obtaining an authorization.” Cal. Civ. Code § 56.10(a).
“Medical information” is “any individually identifiable information . . . in possession of
or derived from a provider of health care . . . regarding a patient’s medical history, mental
health application information, reproductive or sexual health application information,
4 Although Plaintiffs argue that we should follow rulings from the California state courts, absent intervening precedent from the United States Supreme Court or en banc reconsideration from this Court, we are “obligated to follow our precedent.” Karns v. Shanahan, 879 F.3d 504, 514 (3d Cir. 2018); 3d Cir. I.O.P. 9.1. 6 mental or physical condition, or treatment.” Id. § 56.05(j)(1). This information must
“relat[e] to medical history, mental or physical condition, or treatment of the individual”
and “does not encompass demographic or numeric information that does not reveal
medical history, diagnosis, or care.” Eisenhower, 172 Cal. Rptr. 3d at 169-70; see also
Tamraz v. Bakotic Pathology Assocs., LLC, 22-CV-0725-BAS-WVG, 2022 WL
16985001, at *4 (S.D. Cal. Nov. 16, 2022) (medical information under CMIA “must be
‘substantive,’ rather than merely administrative” (quoting Eisenhower, 172 Cal. Rptr. 3d
at 168)).
Although the nature of treatment is medical information, the fact that treatment
occurred is not. Compare Gray v. Luxottica of Am., Inc., 8:24-CV-00160-MRA-DFM,
2024 WL 5689566, at *9 (C.D. Cal. Dec. 16, 2024) (holding disclosure that plaintiff had
scheduled eye exam was not “medical information” because it revealed that plaintiff “[a]t
best . . . may have been a patient of [eyeglass store] at some time”), with Tamraz, 2022
WL 16985001, at *5 & n.4 (finding disclosure of “specimen or test information”—
including “the results of test and the types of specimens”—constituted “medical
information”), and Strong v. LifeStance Health Grp. Inc., CV-23-00682-PHX-KML,
2025 WL 317552, at *10 (D. Ariz. Jan. 28, 2025) (citation omitted) (holding defendant
disclosed medical information where it revealed “the type of medical treatments
[patients] sought, and their medical conditions” (internal quotation marks omitted)).
7 Assuming Quest qualifies as a CMIA medical provider,5 Plaintiffs allege that
Quest “disclosed the URL of the webpage a patient accessed to review test results,”6 but
did not allege that Quest disclosed those test’s nature or results or any other substantive
medical information. App. 67. Thus, at most, Plaintiffs alleged that Quest disclosed
Plaintiffs had been its patients, which is not medical information protected by CMIA.
See Wilson v. Rater8, LLC, 20-CV-1515-DMS-LL, 2021 WL 4865930, at *5 (S.D. Cal.
Oct. 18, 2021) (holding that a person being treated by a provider “‘is not in itself medical
information’” under CMIA (quoting Eisenhower, 172 Cal. Rptr. 3d at 169)). Therefore,
the District Court properly dismissed the CMIA claim.
5 Under CMIA, a “provider of health care” is “[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual.” Cal. Civ. Code § 56.06(a). While at least one other court has concluded that an entity that provides “laboratory services to health care providers” is a health care provider under CMIA, Tamraz v. Bakotic Pathology Associates, LLC, 22-CV-0725-BAS-WVG, 2022 WL 16985001, at *1 (S.D. Cal. Nov. 16, 2022), some courts have held that public websites providing generic healthcare information do not meet CMIA’s definition of “provider of health care,” e.g., Harrill v. Emanuel Med. Ctr., 2:23-CV-01672-DC-CKD, 2025 WL 1635428, at *8 (E.D. Cal. June 9, 2025) (finding medical center that disseminated information “not exclusively available to [its] patients” on health conditions did not constitute a “provider of health care” under the statute). We need not decide whether Quest is such a provider to resolve this appeal. 6 Plaintiffs also argue that “Quest disclosed the titles of the articles users read, which revealed symptoms and conditions” on the General Website, Appellant’s Br. at 29 (citing App. 59), but this is not alleged in their complaint. A brief may not amend a complaint, see Gov’t Emps. Ins. Co. v. Mount Prospect Chiropractic Ctr., P.A., 98 F.4th 463, 472 (3d Cir. 2024), and the complaint does not allege that Plaintiffs used the General Website for anything more than accessing MyQuest. See App. 51-52 (“Plaintiff . . . navigated to the General Website, which redirected her to [MyQuest], where she created an account.”). 8 III
For the foregoing reasons, we will affirm.