1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 FOR THE EASTERN DISTRICT OF CALIFORNIA 10 11 LORI BELTRAN, et al., No. 2:23-cv-01670-DC-CKD 12 Plaintiffs, 13 v. ORDER GRANTING DEFENDANTS’ MOTION TO DISMISS 14 DOCTORS MEDICAL CENTER OF MODESTO, et al., (Doc. No. 29) 15 Defendants. 16 17 This matter is before the court on Defendants’ motion to dismiss Plaintiffs’ class action 18 complaint. (Doc. No. 29.) Pursuant to Local Rule 230(g), the pending motion was taken under 19 submission to be decided on the papers. (Doc. No. 33.) For the reasons explained below, the court 20 will grant Defendants’ motion to dismiss. 21 BACKGROUND 22 On August 10, 2023, Plaintiffs Lori Beltran, Brittany Matus, Preston Meisner, Paul 23 Blumberg, and Mark Mehring (collectively, “Plaintiffs”) filed a class action complaint against 24 Defendants Doctors Medical Center of Modesto (“DMC”) and Tenet Health (“Tenet”) 25 (collectively, “Defendants”) for allegedly intercepting and transmitting their protected health 26 information (“PHI”) and personally identifiable information (“PII”) to Meta Platforms, Inc. 27 ///// 28 ///// 1 (“Meta”), formerly known as Facebook,1 without their knowledge or consent.2 (Doc. No. 1 at 1– 2 5.) Plaintiffs allege Defendants transmitted their PHI and PII to Meta via a hidden tracking tool 3 known as Meta Pixel (“Pixel”), that was installed on Defendant DMC’s website at 4 https://www.dmc-modesto.com/ (“Website”). (Id. at ¶¶ 1, 6, 15, 66.) 5 Plaintiffs bring five causes of action against Defendants: (1) invasion of privacy – 6 intrusion upon seclusion under California common law; (2) invasion of privacy under the 7 California Constitution, Art. I § 1; (3) violation of the California Confidentiality of Medical 8 Information Act (“CMIA”), California Civil Code §§ 56.06 et seq.; (4) violation of the California 9 Invasion of Privacy Act (“CIPA”), California Penal Code §§ 630 et seq.; and (5) breach of 10 implied contract. (Id. at 40–60.) 11 Plaintiffs bring this data privacy action against Defendants on behalf of themselves, a 12 “nationwide class,” and a “California subclass.” (Id. at ¶ 162.) The “nationwide class” is defined 13 as “[a]ll natural persons in the United States whose PHI was collected through [Meta’s] Pixel 14 through the Website.” (Id.) The “California subclass” is defined as “[a]ll natural persons residing 15 in California whose PHI was collected through [Meta] Pixel through the Website.” (Id.) 16 Plaintiffs’ common law claims for invasion of privacy and breach of implied contract are brought 17 on behalf of Plaintiffs and the nationwide class. (Id. at 43, 60.) Plaintiffs’ remaining claims, 18 which arise under the California Constitution and California statutes, are brought on behalf of 19 Plaintiffs and the California subclass. (Id. at 47, 50, 57.) 20 A. Factual Background 21 Plaintiffs allege the following in their complaint. Defendant Tenet is a health system and 22 services platform comprised of three different business units—surgical centers, hospital 23 1 Plaintiffs refer to Meta as both “Meta” and “Facebook” throughout their complaint. For clarity 24 in this order, the court uses “Meta” to refer to the corporation and “Facebook” to refer only to Meta’s social media platform. 25
2 Plaintiffs also named Meta as a defendant in this action, but on October 12, 2023, the court 26 severed and transferred all claims against Defendant Meta to the Northern District of California 27 so those claims could be related to the pending litigation In re Meta Pixel Healthcare Litig., No. 3:22-cv-3580-WHO (N.D. Cal. 2022). (Doc. No. 25.) Defendant Meta was therefore terminated 28 from this action on October 12, 2023. 1 operations, and healthcare-focused customer service and revenue management. (Doc. No. 1 at 2 ¶ 31.) Defendant DMC is a full-service, comprehensive healthcare facility in Modesto, California. 3 (Id. at ¶ 30.) Defendant DMC is the largest hospital between the California cities of Stockton and 4 Fresno, admits more than 22,000 patients annually, and treats more than 100,000 emergency 5 patients each year. (Id.) 6 Defendant DMC maintains a public-facing Website where prospective and current 7 patients can “search for information related to their health conditions, hospital locations and 8 doctors.” (Id. at ¶¶ 1, 30.) Specifically, the Website includes a “search bar” that allows users to 9 search for information about medical conditions, such as “cancer,” “diabetes,” or “pregnancy 10 care.” (Id. at ¶¶ 6–7, 13, 104–05.) The Website also includes a “Find a Doctor” webpage that 11 allows users to search for doctors by specialty and location. (Id. at ¶¶ 6–7, 97–99.) 12 1. Defendants’ Use of Meta Pixel 13 Defendants embedded Pixel, a “snippet of computer code,” on the Website. (Id. at ¶¶ 6– 14 7.) When a user accesses a webpage containing Pixel on the Website, Pixel tracks the actions 15 taken by the user (i.e., clicking a button or searching a term) and transmits that data to Meta. (Id. 16 at ¶¶ 13, 75, 91-110.) Pixel was developed by Meta “as an innovative solution for reporting and 17 optimizing conversions (clicks to purchases), audience building, and gaining valuable insights 18 into website usage.” (Id. at ¶ 67.) Pixel enables “Defendants to analyze user experiences and 19 behavior on the Website to assess the Website’s traffic and functionality,” and aids Defendants in 20 targeting Website users with advertisements and “measuring how well those advertisements are 21 working.” (Id. at ¶ 10.) 22 Pixel functions by monitoring for “events” and transmitting data directly to Meta in real- 23 time when an “event” occurs. (Id. at ¶¶ 7, 68, 75, 91.) On the Website, a Pixel “event” is triggered 24 when a user searches for information related to health conditions using the “search bar,” or 25 searches for doctors by specialty and location on the “Find a Doctor” webpage. (Id. at ¶¶ 6–7, 97– 26 110.) The data transmitted to Meta when a Pixel “event” is triggered consists of a “full-string 27 detailed URL, which includes the name of the website, the web pages the [user] viewed, the name 28 of the doctor a [user] is considering, and search terms entered by the [user].” (Id. at ¶ 109.) Meta 1 also receives the Website user’s PII, including their internet protocol (IP) address, name, email, 2 and phone number. (Id. at ¶ 74.) If a Website user is signed into Facebook or has previously 3 signed into Facebook within the past year using the same browser that was used to access the 4 Website, Meta also receives the Website user’s Facebook ID (“FID”). (Id. at ¶¶ 6–8, 87.) Data on 5 the Website user’s activity and FID is sent to Meta as “one data point,” allowing Meta to “link” 6 the user’s interactions with the Website to their Facebook profile. (Id. at ¶¶ 8, 101, 104.) 7 2. Allegations Specific to Plaintiffs 8 Plaintiffs are residents of California who used the Website to search for information about 9 health conditions, symptoms, and doctors. (Id. at ¶¶ 25–29.) Plaintiffs are also Facebook users. 10 (Id.) Plaintiffs allege that when they used the Website, information regarding their interaction 11 with the Website was intercepted and transmitted to Meta via Pixel without their consent, 12 alongside their FIDs. (Id. at ¶¶ 6, 25–29, 126–27.) According to Plaintiffs, the information 13 transmitted to Meta regarding their interaction with the Website included their PHI and PII. (Id. at 14 ¶¶ 6, 112, 119.) 15 Specifically, Plaintiffs allege the following individual interactions with the Website: 16 a. Plaintiff Lori Beltran 17 Plaintiff Beltran began visiting the Website in or around 2022 “to search for information 18 related to health conditions or suspected health conditions, and to search for doctors and services 19 to treat actual or potential medical conditions.” (Id. at ¶ 25.) Plaintiff Beltran also used the 20 “Website’s search function . . . to search for information related to symptoms or conditions she 21 was experiencing, as recently as November 2022.” (Id.) Plaintiff Beltran has been a Facebook 22 user since approximately 2006. (Id.) While utilizing the Website, Plaintiff Beltran was signed into 23 her Facebook profile or had signed into her Facebook profile in the same browser within the past 24 year of using the Website. (Id.) 25 b. Plaintiff Brittany Matus 26 Plaintiff Matus began visiting the Website in or around 2022 “to search for information 27 related to health conditions or suspected health conditions, and to search for doctors and services 28 to treat actual or potential medical conditions.” (Id. at ¶ 26.) Plaintiff Matus also used the 1 “Website’s search function . . . to search for information related to symptoms or conditions she 2 was experiencing, as recently as November 2022.” (Id.) Plaintiff Matus has been a Facebook user 3 since approximately 2009. (Id.) While utilizing the Website, Plaintiff Matus was signed into her 4 Facebook profile or had signed into her Facebook profile in the same browser within the past year 5 of using the Website. (Id.) 6 c. Plaintiff Preston Meisner 7 Plaintiff Miesner began visiting the Website in or around 2022 “to search for information 8 related to health conditions or suspected health conditions, and to search for doctors and services 9 to treat actual or potential medical conditions.” (Id. at ¶ 27.) Plaintiff Miesner also used the 10 “Website’s search function . . . to search for information related to symptoms or conditions she 11 [sic] was experiencing, as recently as July 2023.” (Id.) Plaintiff Miesner has been a Facebook user 12 since approximately 2008. (Id.) While utilizing the Website, Plaintiff Miesner was signed into his 13 Facebook profile, or had signed into his Facebook profile in the same browser within the past 14 year of using the Website. (Id.) 15 d. Plaintiff Paul Blumberg 16 Plaintiff Blumberg began visiting the Website in or around 2022 “to search for doctors 17 and services to treat actual or potential medical conditions as recently as May 2023.” (Id. at ¶ 28.) 18 Plaintiff Paul Blumberg has been a Facebook user for “at least the last several years.” (Id.) While 19 utilizing the Website, Plaintiff Blumberg was signed into his Facebook profile or had signed into 20 his Facebook profile in the same browser within the past year of using the Website. (Id.) 21 e. Plaintiff Mark Mehring 22 Plaintiff Mehring began visiting the Website in or around 2015 “to search for information 23 related to health conditions or suspected health conditions.” (Id. at ¶ 29.) Plaintiff Mehring also 24 used the “Website’s search function . . . to search for information related testing [sic] he had 25 scheduled for a health condition as recently as March and April of 2023.” (Id.) Plaintiff Mehring 26 has been a Facebook user since approximately 2006. (Id.) While utilizing the Website, Plaintiff 27 Mehring was signed into his Facebook profile or had signed into his Facebook profile in the same 28 browser within the past year of using the Website. (Id.) 1 B. Procedural Background 2 On October 3, 2023, the court issued an order relating this action to two other actions 3 pending in this district: (1) Harrill v. Emanuel Medical Center, et al., No. 2:23-cv-01672-DC- 4 CKD, and (2) Doe v. Tenet Healthcare Corp., et al., No. 1:23-cv-01106-DC-CKD. 5 On October 18, 2023, Defendants filed the pending motion to dismiss Plaintiffs’ claims 6 pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief 7 can be granted. (Doc. No. 29.) On June 28, 2024, Defendants filed a notice of supplemental 8 authority in support of their motion to dismiss. (Doc. No. 41.) On July 5, 2024, Plaintiffs filed an 9 opposition to the pending motion. (Doc. No. 42.) On July 19, 2024, Defendants filed their reply 10 thereto. (Doc. No. 46.) 11 LEGAL STANDARD 12 A motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6) is a challenge to 13 the sufficiency of the allegations set forth in the complaint. Navarro v. Block, 250 F.3d 729, 732 14 (9th Cir. 2001). “Dismissal under Rule 12(b)(6) is proper when the complaint either (1) lacks a 15 cognizable legal theory or (2) fails to allege sufficient facts to support a cognizable legal theory.” 16 Somers v. Apple, Inc., 729 F.3d 953, 959 (9th Cir. 2013). In determining whether a complaint 17 states a claim upon which relief can be granted, the court accepts as true the allegations in the 18 complaint and construes the allegations in the light most favorable to the plaintiff. Manzarek v. St. 19 Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). However, the court is not 20 required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, 21 or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) 22 (citation omitted). 23 Under Federal Rule of Civil Procedure Rule 8(a), a complaint must include “a short and 24 plain statement of the claim showing that the pleader is entitled to relief,” in order to “give the 25 defendant fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. 26 v. Twombly, 550 U.S. 544, 555 (2007). A complaint must allege enough facts to state a claim to 27 relief that is plausible on its face. Id. at 570. “A claim has facial plausibility when the plaintiff 28 pleads factual content that allows the court to draw the reasonable inference that the defendant is 1 liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “The plausibility 2 standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility 3 that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556). If a claim is 4 dismissed for failure to comply with these requirements, “[l]eave to amend should be granted 5 unless the district court ‘determines that the pleading could not possibly be cured by the 6 allegation of other facts.’” Knappenberger v. City of Phoenix, 566 F.3d 936, 942 (9th Cir. 2009) 7 (quoting Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000)). 8 ANALYSIS 9 Defendants move to dismiss all of Plaintiffs’ claims brought against them. (Doc. No. 29.) 10 Defendants contend that Plaintiffs’ complaint should be dismissed because it (1) fails to allege 11 facts sufficient to support a cognizable legal theory, (2) is deficient with respect to each claim, 12 and (3) is wholly or partly time-barred by the applicable statute of limitations. (Id.) The court 13 addresses each argument in turn. 14 A. Allegations Regarding the Disclosure of Plaintiffs’ Protected Health Information 15 As an initial matter, Defendants move to dismiss Plaintiffs’ complaint in its entirety based 16 on Plaintiffs’ failure to allege facts sufficient to support a cognizable legal theory. (Doc. No. 29 at 17 11–12.) The overarching theory underlying all of Plaintiffs’ claims is that Defendants violated 18 Plaintiffs’ privacy rights by collecting and transmitting their PHI and PII from the Website to 19 Meta via Pixel, without their knowledge or consent. (Doc. No. 1 at 1–5.) Defendants argue 20 Plaintiffs’ theory is conclusory because Plaintiffs’ complaint does not indicate “what information 21 [Plaintiffs] entered [on the Website] and what information was shared with [Meta].” (Doc. No. 29 22 at 12.) Specifically, Defendants assert Plaintiffs fail to allege “what information regarding their 23 ‘health conditions or suspected health conditions’ they supposedly searched for on the Website, 24 or what symptoms or conditions they were allegedly experiencing.” (Id. at 9.) In Defendants’ 25 view, Plaintiffs merely “conclude that [the information they entered] was health information.” 26 (Doc. No. 46 at 3.) 27 In their opposition to the pending motion, Plaintiffs argue they have alleged facts allowing 28 the court to draw a reasonable inference that Defendants are liable for the alleged misconduct. 1 (Doc. No. 42 at 10.) Namely, “that [Plaintiffs used] Defendants’ Website to search for 2 information related to symptoms or conditions they were experiencing and to schedule treatment 3 for those actual or potential medical conditions.” (Id.) (citing Doc. No. 1 at ¶¶ 25–29). 4 The court finds the allegations in Plaintiffs’ complaint deficient. Plaintiffs do not identify 5 with specificity what information they provided to Defendants via their browsing activity on the 6 Website and thus what information was subsequently transmitted to Meta. Although Plaintiffs’ 7 complaint spans over fifty pages, only two pages are dedicated to detailing Plaintiffs’ interactions 8 with Defendants’ Website. (Doc. No. 1 at ¶¶ 25–29.) Plaintiffs vaguely allege that they used the 9 Website to search for information related to “actual or potential” health conditions. (Id.) In their 10 allegations, Plaintiffs do not describe the types of searches they conducted or the webpages they 11 viewed, even though their browsing activity on the Website forms the basis for their assertion that 12 their information was purportedly shared with Meta. (See id. at ¶¶ 6-7, 104.) 13 For instance, Plaintiffs’ complaint provides examples of health conditions Website users 14 may search for, such as “diabetes,” and searches for doctors based on specialty, such as 15 “psychiatry,” but Plaintiffs do not specify the types of health conditions and doctors Plaintiffs 16 actually searched for on the Website. (Id. at ¶¶ 104–05.) Similarly, Plaintiffs’ complaint describes 17 how Pixel transmits information to Meta when Website users visit the “Find a Doctor” webpage, 18 but Plaintiffs do not allege that they visited the “Find a Doctor” webpage. (Id. at ¶¶ 99–105.) 19 Thus, Plaintiffs’ allegations of examples are insufficient to support their theory that Defendants 20 violated their privacy rights by collecting and transmitting their information to Meta. See Cousin 21 v. Sharp Healthcare, 681 F. Supp. 3d 1117, 1123 (S.D. Cal. 2023) (“Cousin I”) (finding the 22 plaintiffs’ complaint lacked sufficient factual support because it only provided hypothetical 23 examples and failed to specify what information plaintiffs provided defendants through their 24 browsing history). 25 Further, Plaintiffs have not alleged that their browsing history on the Website related to 26 the provision of healthcare or patient status, such that Defendants’ disclosure of their browsing 27 history to Meta constituted the disclosure of their PHI. The “disclosure of browsing activity on a 28 publicly available website that does not relate to ‘the past, present, or future physical or mental 1 health or condition of an individual is not actionable.’” Nienaber v. Overlake Hosp. Med. Ctr., 2 733 F. Supp. 3d 1072, 1084 (W.D. Wash. 2024). Indeed, “[a]n internet user might research 3 medical information for reasons unrelated to the user’s own health conditions.” R.C. v. Walgreen 4 Co., 733 F. Supp. 3d 876, 893 (C.D. Cal. 2024) (noting courts have precluded “claims for public 5 browsing activities that do not reveal personal medical information”); see also Smith v. Facebook, 6 Inc., 262 F. Supp. 3d 943, 954–55 (N.D. Cal. 2017), aff’d, 745 F. App’x 8 (9th Cir. 2018) 7 (“search results related to the phrase ‘intestine transplant’” constituted “general health 8 information . . . accessible to the public at large,” not “protected health information”). Thus, the 9 collection and transmission of information from “unauthenticated webpages (i.e., pages that do 10 not require a user to log in to access the website)” is “only actionable where the information 11 disclosed either (1) ‘demonstrates that the plaintiff’s interactions plausibly relate to the provision 12 of healthcare,’ or (2) ‘connects a particular user to a particular healthcare provider’ or otherwise 13 identifies patient status, which is protected health information.” Nienaber v. Overlake Hosp. Med. 14 Ctr., No. 2:23-cv-01159-TL, 2025 WL 692097, at *4 (W.D. Wash. Mar. 4, 2025) (citing Cousin 15 v. Sharp Healthcare, 702 F. Supp. 3d 967 (S.D. Cal. 2023) (“Cousin II”)). 16 Cousin I is instructive on this point. In Cousin I, plaintiffs alleged that they used 17 defendant’s public website to “research . . . doctors,” “look for providers,” and “search for 18 medical specialists.” Cousin I, 681 F. Supp. 3d at 1123. Plaintiffs claimed that by sharing this 19 data with Meta through Pixel, defendant allowed Meta to collect their sensitive medical 20 information in violation of their privacy rights. Id. The district court determined that the 21 collection of data regarding the plaintiffs’ browsing activity was “not considered ‘[p]rotected 22 [h]ealth [i]nformation’ because ‘nothing about [the] information relate[d] specifically to 23 [p]laintiffs’ health.’” Id. (citing Smith v. Facebook, Inc., 262 F. Supp. 3d 943, 954–55 (N.D. Cal. 24 2017), aff’d, 745 F. App’x 8 (9th Cir. 2018)). The court in Cousin I therefore found the plaintiffs 25 could not maintain their privacy claims “based upon the theory that [d]efendant’s sharing of their 26 browsing activity, collected on its publicly facing website, [was] a disclosure of their sensitive 27 medical information.” Id. at 1124. As in Cousin I, here Plaintiffs have not alleged sufficient facts 28 to demonstrate that their browsing activity on the Website was related to the provision of 1 healthcare, as opposed to “general health information [regarding conditions, symptoms, and 2 doctors] accessible to the public at large.” Smith, 262 F. Supp. 3d at 954–55.3 3 Finally, besides generally browsing for information on health conditions, symptoms, and 4 doctors on Defendants’ Website, Plaintiffs do not allege that they engaged in any other activity 5 from which an inference could be drawn that their PHI was disclosed. Indeed, Plaintiffs do not 6 allege using Defendants’ Website to schedule an appointment, call a doctor’s office, refill a 7 prescription, view test results, review notes from an appointment, or access a patient portal— 8 types of activity that courts have found to be sufficient to demonstrate disclosure of PHI. See e.g., 9 R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 893 (C.D. Cal. 2024) (noting that plaintiffs alleged 10 “more than merely viewing generic medical content on a publicly facing website” where they 11 alleged purchasing “specific products to treat specific health conditions”); B.K. v. Desert Care 12 Network, No. 2:23-cv-05021-SPG-PD, 2024 WL 1343305, at *5 (C.D. Cal. Feb. 1, 2024) (finding 13 the plaintiffs’ privacy claims based on the disclosure of personal medical information to be 14 sufficiently stated where plaintiffs alleged they used defendants’ website and patient portal to 15 schedule appointments, refill prescriptions, and view test results and appointment notes). 16 For these reasons, and because all of Plaintiffs’ claims are predicated on their theory that 17 Defendants violated Plaintiffs’ privacy rights by collecting and transmitting their PHI to Meta via 18 Pixel, the court will grant Defendants’ motion to dismiss Plaintiffs’ complaint in its entirety. 19 However, because allegations of additional facts could cure this pleading deficiency as to 20 Plaintiffs’ legal theory, the court will grant Plaintiffs leave to amend. 21 Recognizing that providing guidance as to other pleading deficiencies will enable 22
23 3 In their opposition to the pending motion, Plaintiffs argue their allegations are more analogous to the facts alleged in Cousin II, rather than Cousin I. (Doc. No. 42 at 10–11.) The court 24 disagrees. In Cousin II, the plaintiffs’ claims survived dismissal because the plaintiffs alleged that they searched for a primary care physician by filtering physician search results based on specialty, 25 identified their particular medical conditions, and booked an appointment to obtain treatment. Cousin II, 702 F. Supp. 3d at 973. The court in Cousin II therefore found that the plaintiffs’ 26 allegations “relat[ed] to the provision of health care,” “convey[ed] information about a present 27 medical condition,” and involved “the provision of medical care covered by [the Health Insurance Portability and Accountability Act (‘HIPAA’)].” Id. Here, in contrast, Plaintiffs fail to specify at a 28 minimum, the types of doctors or medical conditions they searched for on the Website. 1 Plaintiffs to address those deficiencies as well in an amended complaint, the court proceeds to 2 addresses the sufficiency of Plaintiffs’ allegations as to each claim below, followed by a 3 discussion of the statutes of limitations applicable to Plaintiffs’ claims. 4 B. Invasion of Privacy Under Common Law and the California Constitution 5 Plaintiffs bring claims for invasion of privacy on behalf of themselves and the nationwide 6 class. (Doc. No. 1 at 43–47.) To state a claim for invasion of privacy under California common 7 law, Plaintiffs must show “(1) intrusion into a private place, conversation or matter, (2) in a 8 manner highly offensive to a reasonable person.” Shulman v. Grp. W Prods., Inc., 18 Cal. 4th 9 200, 231 (1998), as modified on denial of reh’g (July 29, 1998). A claim for invasion of privacy 10 under the California Constitution involves similar elements. Plaintiffs must plead that (1) they 11 “possess a legally protected privacy interest,” (2) they maintain a reasonable expectation of 12 privacy, and (3) “the intrusion is so serious in ‘nature, scope, and actual or potential impact as to 13 constitute an egregious breach of the social norms.’” Hernandez v. Hillsides, 47 Cal. 4th 272, 287 14 (2009). “Because of the similarity of [these] tests, courts consider [these] claims together and ask 15 whether: (1) there exists a reasonable expectation of privacy, and (2) the intrusion was highly 16 offensive.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020). 17 “The existence of a reasonable expectation of privacy, given the circumstances of each 18 case, is a mixed question of law and fact.” Id. at 601. “[C]ourts consider a variety of factors” in 19 determining whether a reasonable expectation of privacy exists, “including the customs, practices, 20 and circumstances surrounding a defendant’s particular activities.” Id. (citation omitted). 21 “Determining whether a defendant’s actions were ‘highly offensive to a reasonable person’ 22 requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the 23 degree and setting of the intrusion, the intruder’s motives and objectives, and whether 24 countervailing interests or social norms render the intrusion inoffensive.” Id. at 606. “While 25 analysis of a reasonable expectation of privacy primarily focuses on the nature of the intrusion, 26 the highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a 27 matter of public policy.” Id. 28 Defendants move to dismiss Plaintiffs’ invasion of privacy claims on the grounds that 1 Plaintiffs fail to plead both a reasonable expectation of privacy and a highly offensive intrusion. 2 (Doc. No. 29 at 13–14.) In their complaint, Plaintiffs allege that they had a reasonable expectation 3 of privacy in their communications with Defendants on the Website because “medical data is 4 sensitive information that must be protected from unauthorized disclosure.” (Doc. No. 1 at 5 ¶¶ 187–88, 200–01.) Plaintiffs further allege that Defendants’ disclosure of their information “is 6 highly offensive to a reasonable person” because there was no legitimate objective for Defendants 7 to invade Plaintiffs’ privacy rights, Defendants did not allow Plaintiffs the ability to control the 8 dissemination of their PHI, the context of the communication “between Plaintiffs . . . and their 9 healthcare providers is highly sensitive,” and public policy dictates that “Defendants’ actions 10 undermine the relationship between Plaintiffs . . . and their healthcare providers.” (Id. at ¶¶ 204, 11 216.) 12 The court finds Defendants arguments to be persuasive. Notably, Plaintiffs allege in a 13 conclusory manner that they have a reasonable expectation of privacy in their communications 14 with Defendants on the Website because such communications contain “medical data.” (Doc. No. 15 1 at ¶¶ 187–88, 200–01.) However, Plaintiffs’ complaint does not allege facts describing any such 16 “medical data.” As discussed above, Plaintiffs’ allegations regarding their browsing activity are 17 vague. Plaintiffs do not specifically allege that their searches related to the provision of 18 healthcare, patient status, or otherwise included PHI. Thus, the court finds Plaintiffs have not 19 sufficiently alleged a reasonable expectation of privacy in their browsing activity on the Website. 20 See Desert Care Network, 2024 WL 1343305, at *9 (noting that invasion of privacy claims 21 centered on “plaintiffs’ browsing histories on defendants’ public-facing websites” were 22 “dubious”). 23 To be clear, Plaintiffs have a reasonable expectation of privacy in their medical 24 information. Id. (“Patients’ right to privacy in their medical records is ‘well-settled.’”) (citation 25 omitted). But given the limited factual allegations in Plaintiffs’ operative complaint, the court 26 does not find Plaintiffs have sufficiently alleged that their browsing activity on the Website 27 pertained to their own medical information. See B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 28 1056, 1064, 1067 (C.D. Cal. 2024) (dismissing privacy claims where plaintiffs “fail[ed] to allege 1 what, if any medical information or medical records were transmitted or disclosed” when they 2 used defendant’s website, such that the court could “only interpret that [p]laintiffs used 3 [d]efendants’ [w]ebsite for routine medical searches and inquiries”). In order to sufficiently state 4 their invasion of privacy claim, Plaintiffs must “describe the types or categories of sensitive 5 health information that they provided” to Defendants through the Website. Doe v. Meta 6 Platforms, Inc., 690 F. Supp. 3d 1064, 1081 (N.D. Cal. 2023). As other courts have explained 7 when dismissing invasion of privacy claims brought against Meta with leave to amend, the 8 plaintiffs may amend to better describe the health information provided to the defendants, and 9 “[t]hat basic amendment (which can be general enough to protect plaintiffs’ specific privacy 10 interests) will allow these privacy claims to go forward.”4 Id. 11 Finally, Plaintiffs do not allege facts sufficient to establish an “egregious breach of the 12 social norms” that is “highly offensive” because Plaintiffs do not “plead that their medical 13 information was disclosed.” See Eisenhower, 721 F. Supp. 3d at 1067. “Disclosing a user’s 14 browsing history [unrelated to the provision of healthcare or patient status] does not plausibly 15 reach the level of ‘highly offensive’ conduct [required] under either common law or the 16 California Constitution.” Cousin I, 681 F. Supp. 3d at 1126 (citing cases); cf. Walgreen Co., 733 17 F. Supp. 3d at 893–94 (finding the allegations that the defendants’ disclosure of plaintiffs’ private 18 health information included the purchasing of “sensitive health products” related to “specific 19 health conditions” were sufficient to survive a motion to dismiss based on the “highly offensive” 20 element). 21 For these reasons, the court finds Plaintiffs fail to state a cognizable invasion of privacy 22 claim because Plaintiffs have not pleaded a reasonable expectation of privacy or a highly 23
24 4 To the extent Plaintiffs’ disclosure of their activity on the Website could reveal sensitive or private information related to their health conditions, symptoms, and doctors, Plaintiff may file a 25 request to redact/seal such details, as appropriate. See e.g., In re Meta Pixel Healthcare Litig., No. 3:22-cv-3580-WHO (N.D. Cal. 2022) (Doc. No. 185) (redacted consolidated class action 26 complaint alleging privacy claims based on defendants’ use of Pixel); Castillo v. Costco 27 Wholesale Corp., No. 2:23-cv-01548-JHC (W.D. Wash. 2024) (Doc. No. 29) (redacted complaint alleging the defendant installed Pixel to disclose personal health data collected from plaintiffs’ 28 interactions with the defendant’s website). 1 offensive intrusion. 2 Therefore, the court will grant Defendants’ motion to dismiss Plaintiffs’ invasion of 3 privacy claims brought under common law and the California Constitution. Because Plaintiffs 4 may be able to allege additional facts to support this claim, the court will grant Plaintiffs leave to 5 amend.5 6 C. California Confidentiality of Medical Information Act 7 Plaintiffs assert a claim for violation of California’s CMIA against Defendants on behalf 8 of themselves and the California subclass. (Doc. No. 1 at 50–51.) Under California’s CMIA, “[a] 9 provider of health care . . . shall not disclose medical information regarding a patient of the 10 provider of health care . . . without first obtaining an authorization.” Cal. Civ. Code § 56.10(a)– 11 (c). If a health care provider “creates, maintains, preserves, stores, abandons, destroys, or disposes 12 of medical information,” they “shall do so in a manner that preserves the confidentiality of the 13 information contained therein.” Cal. Civ. Code § 56.101(a). A health care provider “who 14 negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical 15 information” is subject to liability under the CMIA. Id. 16 The CMIA defines medical information as “any individually identifiable information, in 17 electronic or physical form, in possession of or derived from a provider of health care, health care 18 service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental 19
20 5 Defendants also move to dismiss Plaintiffs’ common law claims for invasion of privacy and breach of implied contract to the extent they are brought on behalf of the nationwide class 21 because Plaintiffs’ complaint does not specify which states’ laws apply to the nationwide class. (Doc. Nos. 29 at 20–22; 46 at 9.) Plaintiffs do respond to this argument in their opposition to the 22 pending motion. Instead, Plaintiffs argue that that to the extent their failure to identify which 23 states’ laws apply warrants dismissal of this class claim, any such dismissal should be without prejudice. (Doc. No. 42 at 25.) Due to variances among state laws, some courts within the Ninth 24 Circuit have required a plaintiff to plead which state’s common law applies to their class claims, although other courts have noted that there does not appear to be a statutory basis for such a 25 pleading requirement. Desert Care Network, 2024 WL 1343305, at *3 n.2 (citing Romero v. Flowers Bakeries, LLC, No. 5:14-cv-05189-BLF, 2016 WL 469370, at *12 (N.D. Cal. Feb. 8, 26 2016); Harris v. LSP Prod. Grp., Inc., No. 2:18-cv-02973-TLN-KJN, 2021 WL 2682045, at *14– 27 15 (E.D. Cal. June 30, 2021)). However, the court notes that by default, a district court sitting in diversity jurisdiction is “required to apply the substantive law of the state in which it sits, 28 including choice-of-law rules.” Harmsen v. Smith, 693 F.2d 932, 946–47 (9th Cir. 1982). 1 health application information, reproductive or sexual health application information, mental or 2 physical condition, or treatment.” Cal. Civ. Code § 56.05(i). “‘Individually identifiable’ means 3 that the medical information includes or contains any element of personal identifying information 4 sufficient to allow identification of the individual, such as the patient’s name, address, electronic 5 mail address, telephone number, or social security number, or other information that, alone or in 6 combination with other publicly available information, reveals the identity of the individual.” Id. 7 “This definition does not encompass demographic or numeric information that does not reveal 8 medical history, diagnosis, or care.” Eisenhower Med. Ctr. v. Superior Ct., 226 Cal. App. 4th 430, 9 435 (2014). 10 Defendants argue Plaintiffs’ CMIA claim should be dismissed because Plaintiffs do not 11 allege that Defendants were their “providers of healthcare.” (Doc. No. 29 at 15.) Defendants 12 further argue that Plaintiffs allege in conclusory fashion that Defendants transmitted Plaintiffs’ 13 “medical information” to Meta using Pixel without any factual support. (Id.) In their opposition, 14 Plaintiffs assert they “were patients of Defendants as evidenced by their usage of the Website.” 15 (Doc. No. 42 at 16 n. 3) (citing Doc. No. 1 at ¶¶ 25–29). Plaintiffs also argue their searches on the 16 Website for information relating to health conditions, suspected health conditions, and scheduled 17 testing constitutes “medical information” under the CMIA. (Id. at 17.) 18 Here too, the court finds Defendants’ arguments to be persuasive. Plaintiffs’ complaint is 19 devoid of any allegation that Plaintiffs were Defendants’ patients when they used the Website, or 20 at any time. Moreover, Plaintiffs’ use of the Website alone does not support the inference that 21 Plaintiffs were Defendants’ patients because the Website is not exclusively available to 22 Defendants’ patients. Indeed, Plaintiffs allege in their complaint that the Website is available to 23 “all persons, users, prospective patients and current patients.” (Doc. No. 1 at ¶ 1.) Thus, the court 24 finds that Plaintiffs fail to sufficiently allege that Defendants were their “providers of healthcare,” 25 as required for a CMIA claim. 26 In addition, as previously discussed, Plaintiffs’ complaint fails to specify what “medical 27 information” Defendants’ transmitted to Meta. Plaintiffs allege that they searched for information 28 concerning health conditions and symptoms on the Website (Doc. No. 1 at ¶¶ 25–29), but do not 1 plead facts sufficient to show that their searches revealed their personal “medical history, 2 diagnosis, or care.” See Eisenhower, 226 Cal. App. 4th at 435. For this reason, the court finds that 3 Plaintiffs fail to sufficiently allege that Defendants transmitted Plaintiffs’ “medical information” 4 to Meta. See Eisenhower Med. Ctr., 721 F. Supp. 3d at 1064 (dismissing a CMIA claim where 5 plaintiffs “fail[ed] to allege what, if any medical information or medical records were transmitted 6 or disclosed” to Meta when plaintiffs used a website embedded with Pixel); Cousin I, 681 F. 7 Supp. 3d at 1123, 1128 (dismissing a CMIA claim because plaintiffs’ research for doctors on a 8 website embedded with Pixel was “general health information [] accessible to the public at large,” 9 unrelated to plaintiffs’ health). 10 Accordingly, the court will grant Defendants’ motion to dismiss Plaintiffs’ CMIA claim. 11 Because Plaintiffs may be able to allege additional facts to state this claim, the court will grant 12 Plaintiffs leave to amend. 13 D. California Invasion of Privacy Act 14 Plaintiffs bring a claim for a violation of the CIPA against Defendants on behalf of 15 themselves and the California subclass. (Doc. No. 1 at 57–59.) The CIPA “broadly prohibits the 16 interception of wire communications and disclosure of the contents of such intercepted 17 communications.” Tavernetti v. Superior Ct. of San Diego Cnty., 22 Cal. 3d 187 (1978). Section 18 631(a) of CIPA creates four avenues for relief: 19 (1) where a person “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any 20 unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument”; 21 (2) where a person “willfully and without consent of all parties to the 22 communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or 23 communication while the same is in transit”; 24 (3) where a person “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so 25 obtained”; and 26 (4) where a person “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done 27 any of the acts or things mentioned above.” 28 Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 897 (N.D. Cal. 2023). 1 Plaintiffs invoke the fourth avenue of relief, alleging Defendants violated Section 631(a) 2 of the CIPA because they “aided, agreed with, conspired with, and employed [Meta] to 3 implement the Pixel and to accomplish the wrongful conduct at issue.” (Doc. No. 1 at ¶ 267.) 4 Defendants contend that Plaintiffs’ CIPA claim should be dismissed because Plaintiffs (1) 5 fail to allege the “contents” of their communications that were allegedly intercepted; (2) fail to 6 allege their communications were intercepted in transit; and (3) fail to plead “aiding and abetting” 7 with specificity. (Doc. No. 29 at 18.) Because the court finds dismissal of Plaintiffs’ CIPA claim 8 is warranted due to their failure to allege Defendants transmitted the “contents” of their 9 communications, the court will not address Defendants’ remaining arguments. 10 A violation of CIPA is analyzed under the same standards applied to a violation of the 11 federal wiretap act, Electronic Communications Privacy Act (“ECPA”), 18 U.S.C § 2510 et seq. 12 Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1092 (N.D. Cal. 2022). The ECPA defines 13 the term “contents” as “any information concerning the substance, purport, or meaning of that 14 communication.” 18 U.S.C. § 2510. “Contents” means “the intended message conveyed by the 15 communication” as opposed to “record information regarding the characteristics of the message 16 that is generated in the course of the communication.” In re Zynga Privacy Litig., 750 F.3d 1098, 17 1106 (9th Cir. 2014). While a URL that includes “basic identification and address information” is 18 not “content,” a website “user’s request to a search engine for specific information could 19 constitute a communication such that divulging a URL containing that search term to a third party 20 could amount to disclosure of the contents of a communication.” Id. at 1108–09; see also St. 21 Aubin v. Carbon Health Techs., Inc., No. 4:24-cv-00667-JST, 2024 WL 4369675, at *4 (N.D. 22 Cal. Oct. 1, 2024) (“Descriptive URLs that reveal specific information about a user’s queries 23 reflect the ‘contents’ of a communication.”). 24 In their opposition to the pending motion, Plaintiffs argue their queries on the Website 25 constitute “contents” of communications under CIPA. (Doc. No. 42 at 20–21.) Specifically, 26 Plaintiffs allege the “contents” of their communications to Defendants are the “search terms” they 27 typed in the “search bar” and “Find a Doctor” webpage monitored by Pixel, which were sent to 28 Meta as part of a detailed URL. (Id.) However, as previously discussed, Plaintiffs’ complaint does 1 not specify or describe the searches Plaintiffs conducted on the Website. Nor does the complaint 2 allege that Plaintiffs visited the “Find a Doctor” webpage. Thus, the court does not find Plaintiffs’ 3 allegations sufficient to plead the “contents” of their communications that were purportedly 4 intercepted by Defendants within the meaning of CIPA. Cf. St. Aubin, 2024 WL 4369675, at *4 5 n.4 (plaintiff’s allegation that defendant transmitted descriptive URLs was sufficient to allege a 6 CIPA claim where plaintiff’s “complaint contain[ed] examples of actual searches, including 7 screenshots”). Consequently, the court finds that Plaintiffs have not stated a cognizable CIPA 8 claim. 9 Thus, the court will grant Defendants’ motion to dismiss Plaintiffs’ CIPA claim, with 10 leave to amend, because Plaintiffs may be able to allege additional facts to support this claim. 11 E. Breach of Implied Contract 12 Plaintiffs bring a claim for breach of implied contract against Defendants on behalf of 13 themselves and the nationwide class. (Doc. No. 1 at 60.) In California, the elements of a claim for 14 breach of an express or implied contract are the same. Terpin v. AT&T Mobility, LLC, No. 2:18- 15 cv-06975-ODW-KS, 2020 WL 883221, at *6 (C.D. Cal. Feb. 24, 2020) (citing Gomez v. Lincare, 16 Inc., 173 Cal. App. 4th 508, 525 (2009)). These elements include: “(1) the existence of the 17 contract, (2) plaintiff’s performance or excuse for nonperformance, (3) defendant’s breach, and 18 (4) the resulting damages to the plaintiff.” Oasis W. Realty, LLC v. Goldman, 51 Cal. 4th 811, 19 821 (2011). “An implied contract requires that both parties agree to its terms and have a ‘meeting 20 of the minds,’ but the creation of an implied contract can be manifested by conduct rather than 21 words.” Castillo v. Seagate Tech., LLC, No. 3:16-cv-01958-RS, 2016 WL 9280242, at *8 (N.D. 22 Cal. Sept. 14, 2016). 23 In their complaint, Plaintiffs allege they “entered into an implied contract with [] 24 Defendants when they provided their PHI to [] Defendants in exchange for services, pursuant to 25 which [] Defendants agreed to safeguard their PHI and not disclose such information without 26 consent.” (Doc. No. 1 at ¶ 280.) Plaintiffs allege Defendants made “promises to Website users . . . 27 through their [p]rivacy [n]otice,” which emphasized the “importance of keeping [Website users’] 28 confidential personal health information safe from unauthorized disclosure.” (Doc. Nos. 42 at 17; 1 1 at ¶ 3.) Defendants’ “[n]otice of [p]rivacy [p]ractices” describes how Defendants “may use and 2 disclose [PHI] . . . to others . . . ‘for purposes of treatment, payment and/or health care 3 operations,’” but does not indicate Defendants will disclose PHI to Meta. (Doc. No. 1 at ¶ 3.) 4 Finally, Plaintiffs allege Defendants breached their implied contract by disclosing their PHI to 5 Meta. (Id. at ¶ 282.) 6 Defendants argue Plaintiffs’ claim for breach of implied contract should be dismissed 7 because Plaintiffs have failed to allege the essential elements of a breach of contract claim. (Doc. 8 No. 29 at 15–17.) Specifically, Defendants argue that Plaintiffs have not pled the existence of an 9 implied contract because they “do not allege any facts showing any mutual assent (offer and 10 acceptance) on the material points of the alleged implied contract.” (Id. at 15.) Defendants further 11 argue that Plaintiffs do not allege facts showing Defendants breached the terms of any implied 12 contract, such as what information Defendants obtained and shared without Plaintiffs’ consent. 13 (Id. at 16.) Finally, Defendants assert that Plaintiffs do not allege any damages resulted from 14 Defendants’ purported breach of implied contract. (Id. at 17.) Because the court finds Plaintiffs 15 fail to allege the existence of an implied contract, the court will not address Defendants’ 16 remaining arguments. 17 Plaintiffs’ assertion that an implied contract exists because Plaintiffs provided their PHI to 18 Defendants in exchange for services is not supported by the pleadings. As the court has already 19 determined, Plaintiffs’ complaint does not allege facts sufficient to support the conclusion that 20 Plaintiffs’ provided their PHI to Defendants. In any event, Plaintiffs’ reliance on Defendants’ 21 privacy policy as the basis for an implied contract is misplaced. Plaintiffs do not allege they 22 reviewed Defendants’ privacy policies prior to using the Website. See e.g., K.L. v. Legacy Health, 23 No. 3:23-cv-1886-SI, 2024 WL 4794657, at *8 (D. Or. Nov. 14, 2024) (plaintiff’s reference to 24 defendant’s notice of privacy practices “as the source upon which she understood there to be 25 mutual assent” was misplaced for breach of implied contract claim where “she never allege[d] 26 that she relied upon or even read the [notice of privacy practices] before engaging [d]efendant’s 27 services”). Moreover, privacy policies “may form the terms of an implied contract, [but] they do 28 not alone serve as an enforceable contract without a separate ‘meeting of the minds’ between the 1 parties.” Nienaber, 733 F. Supp. 3d at 1092 (citing Doe v. Regents of Univ. of Cal., 672 F. Supp. 2 3d 813, 821 (2023)). In other words, privacy policies are “not contractual in nature” because they 3 serve to inform patients regarding their rights and the duties imposed on healthcare providers by 4 law. Id. 5 Finally, Plaintiffs have not made any allegations regarding consideration received by 6 Defendants for their purported promise to safeguard Plaintiffs’ information. “Several courts have 7 specifically found that consideration is required for an implied contract claim regarding data 8 security.” Ortiz v. Perkins & Co., No. 4:22-cv-03506-KAW, 2022 WL 16637993, at *6 (N.D. 9 Cal. Nov. 2, 2022); see also Huynh v. Quora, Inc., No. 5:18-cv-07597-BLF, 2019 WL 11502875, 10 at *10 (N.D. Cal. Dec. 19, 2019) (finding no breach of contract claim where the plaintiffs “ha[d] 11 not shown that they paid anything for the asserted privacy protections”); C.M. v. MarinHealth 12 Med. Grp., Inc., No. 3:23-cv-04179-WHO, 2024 WL 217841, at *3–4 (N.D. Cal. Jan. 19, 2024) 13 (adequate consideration alleged for breach of implied contract claim where plaintiff alleged he 14 paid for healthcare services and the amount he paid for the services was based in part on 15 defendant’s security promises). Rather than alleging any kind of consideration, Plaintiffs allege 16 that supplying Defendants with user data in exchange for services was sufficient to establish an 17 implied in fact contract. (Doc. No. 1 at ¶ 280.) That allegation is insufficient to support a claim 18 for breach of implied contract. See Nienaber, 733 F. Supp. 3d at 1092 (allegation that “the 19 provision of user data alone to [d]efendant in exchange for services” was insufficient to establish 20 an implied in fact contract). Therefore, the court cannot infer the existence of an implied contract 21 from Plaintiffs’ allegations. 22 For these reasons, the court will grant Defendants’ motion to dismiss Plaintiffs’ breach of 23 implied contract claim. Although the court is skeptical that Plaintiffs will be able to cure the 24 pleading deficiencies identified as to this claim, the court will nevertheless grant Plaintiffs leave 25 to amend this claim. 26 F. Statute of Limitations 27 Defendants contend Plaintiffs’ complaint should be dismissed in its entirety because all 28 claims are wholly or partly time-barred by the applicable statute of limitations. (Doc. No. 29 at 1 22.) “A claim may be dismissed as untimely pursuant to a 12(b)(6) motion only when the running 2 of the statute [of limitations] is apparent on the face of the complaint.” U.S. ex rel. Air Control 3 Techs., Inc. v. Pre Con Indus., Inc., 720 F.3d 1174, 1178 (9th Cir. 2013) (internal quotation marks 4 and citation omitted). “[A] complaint cannot be dismissed unless it appears beyond doubt that the 5 plaintiff can prove no set of facts that would establish the timeliness of the claim.” Von Saher v. 6 Norton Simon Museum of Art at Pasadena, 592 F.3d 954, 969 (9th Cir. 2010) (quoting Supermail 7 Cargo, Inc. v. United States, 68 F.3d 1204, 1206 (9th Cir. 1995)). 8 Each of Plaintiffs’ five claims against Defendants is subject to a statute of limitations, 9 ranging from one to three years. See Cal. Civ. Proc. Code § 340 (statute of limitations for a CIPA 10 claim is one year); Cal. Civ. Proc. Code § 335.1 (statute of limitations for an invasion of privacy 11 claims under the California constitution or common law is two years); Cal. Civ. Proc. Code 12 § 339(1) (statute of limitation for breach of implied contract claim is two years); Ramirez v. Dean 13 Foods Co. of Cal., No. 8:11-cv-01292-DOC-AN, 2012 WL 3239959, at *8 (C.D. Cal. Aug. 6, 14 2012) (“There is some controversy as to whether the statute of limitations for [a CMIA] claim is 15 two or three years.”). 16 In their motion, Defendants argue Plaintiffs’ complaint should be dismissed because 17 Plaintiffs do not specify when Defendants’ purportedly harmful conduct occurred, making it 18 unclear whether Plaintiffs’ claims accrued, in whole or in part, outside the applicable statute of 19 limitations periods. (Doc. No. 29 at 22.) Because Plaintiffs’ complaint was filed on August 10, 20 2023, Defendants argue Plaintiffs are “time-barred from bringing (1) any CIPA claim that 21 accrued prior to August 10, 2022; (2) any claims subject to a two-year statute of limitations that 22 accrued prior to August 10, 2021; and (3) any claims subject to a three-year statute of limitations 23 that accrued prior to August 10, 2020.” (Id. at 22.) In their opposition, Plaintiffs argue they have 24 alleged viable claims within each of the applicable statute of limitations periods by specifying the 25 dates they most recently visited the Website. (Doc. No. 42 at 25–26.) 26 The court finds Plaintiffs’ complaint sufficiently alleges claims within the applicable 27 statute of limitations periods. With the exception of Plaintiff Matus, Plaintiffs allege that they last 28 visited the Website after August 10, 2022, within the applicable statute of limitations periods for 1 all claims.6 (Doc. No. 1 at ¶¶ 25–29.) Specifically, Plaintiff Beltran visited the Website as 2 recently as November 2022, while Plaintiffs Miesner, Blumberg, and Mehring visited the Website 3 as recently as April, May, and July 2023, respectively. (Id. at ¶¶ 25, 27–29.) Although Plaintiffs’ 4 complaint does not specify the exact date Plaintiffs first used the Website, beyond the fact that 5 Plaintiffs Beltran, Matus, Blumberg, and Miesner began using the Website in 2022 and Plaintiff 6 Mehring began using the Website in 2015, the complaint “does not indicate on its face that 7 Plaintiffs’ interactions ceased before the [statutes of limitations expired].” See Desert Care 8 Network, 2024 WL 1343305, at *5; see also Calhoun v. Google LLC, 526 F. Supp. 3d 605, 625 9 (N.D. Cal. 2021) (“The Ninth Circuit and California Supreme Court have held that separate, 10 recurring invasions of the same right each trigger their own separate statute of limitations.”). 11 Thus, because Plaintiffs’ complaint does not present a statute of limitations issue that is 12 facially apparent, the court will deny Defendants’ motion to dismiss Plaintiffs’ claims as time- 13 barred, with the exception of Plaintiff Matus’s CIPA claim, which will be dismissed as time- 14 barred. 15 CONCLUSION 16 For the reasons explained above: 17 1. Defendants’ motion to dismiss (Doc. No. 29) is GRANTED as follows: 18 a. Plaintiffs’ claim for invasion of privacy under California common law is 19 dismissed with leave to amend; 20 b. Plaintiffs’ claim for invasion of privacy under the California Constitution is 21 dismissed with leave to amend; 22 c. Plaintiffs’ CMIA claim is dismissed with leave to amend; 23 d. The CIPA claim brought by Plaintiffs Lori Beltran, Preston Meisner, Paul 24 Blumberg, and Mark Mehring is dismissed with leave to amend;
25 6 Plaintiffs’ complaint alleges Plaintiff Matus visited the Website as recently as November 2022. (Doc. No. 1 at ¶ 26.) In their opposition to the pending motion, Plaintiffs clarify this allegation 26 was a typographical error, and Plaintiff Matus’ most recent visit to the Website occurred in March 27 2022. (Doc. No. 42 at 26 n. 15.) Plaintiffs acknowledge Plaintiff Matus’ CIPA claim is outside the statute of limitations. (Id.) Accordingly, the court will grant Defendants’ motion to dismiss 28 Plaintiff Matus’ CIPA claim as time-barred. 1 e. The CIPA claim brought by Plaintiff Brittany Matus is dismissed, without 2 leave to amend; and 3 f. Plaintiffs’ claim for breach of implied contract is dismissed with leave to 4 amend; 5 2. Within twenty-one (21) days of the date of entry of this order, Plaintiffs shall file a 6 first amended complaint, or alternatively, file a notice of their intent not to file a 7 first amended complaint; and 8 3. Plaintiffs are warned that their failure to comply with this order may result in an 9 order dismissing this case due to their failure to prosecute. 10 IT IS SO ORDERED. □ 12 | Dated: _ June 9, 2025 Qe <—_ Dena Coggins 13 United States District Judge 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 23