1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 FOR THE EASTERN DISTRICT OF CALIFORNIA 10 11 JUDITH HARRILL, No. 2:23-cv-01672-DC-CKD 12 Plaintiff, 13 v. ORDER GRANTING DEFENDANTS’ MOTION TO DISMISS 14 EMANUEL MEDICAL CENTER, et al., (Doc. No. 27) 15 Defendants.
16 17 This matter is before the court on Defendants’ motion to dismiss Plaintiff’s class action 18 complaint. (Doc. No. 27.) Pursuant to Local Rule 230(g), the pending motion was taken under 19 submission to be decided on the papers. (Doc. No. 31.) For the reasons explained below, the court 20 will grant Defendants’ motion to dismiss. 21 BACKGROUND 22 On August 10, 2023, Plaintiff Judith Harrill filed a class action complaint against 23 Defendants Emanuel Medical Center (“EMC”) and Tenet Health (“Tenet”) (collectively, 24 “Defendants”) for allegedly intercepting and transmitting her protected health information 25 (“PHI”) and personally identifiable information (“PII”) to Meta Platforms, Inc. (“Meta”), 26 ///// 27 ///// 28 ///// 1 formerly known as Facebook,1 without her knowledge or consent.2 (Doc. No. 1 at 1–5.) Plaintiff 2 alleges Defendants transmitted her PHI and PII to Meta via a hidden tracking tool known as Meta 3 Pixel (“Pixel”), that was installed on Defendant EMC’s website at 4 https://www.emanuelmedicalcenter.org/ (“Website”). (Id. at ¶¶ 1, 6, 15.) 5 Plaintiff brings five causes of action against Defendants: (1) invasion of privacy – 6 intrusion upon seclusion under California common law; (2) invasion of privacy under the 7 California Constitution, Art. I § 1; (3) violation of the California Confidentiality of Medical 8 Information Act (“CMIA”), California Civil Code §§ 56.06 et seq.; (4) violation of the California 9 Invasion of Privacy Act (“CIPA”), California Penal Code §§ 630 et seq.; and (5) breach of 10 implied contract. (Id. at 38–56.) 11 Plaintiff brings this data privacy action against Defendants on behalf of herself, a 12 “nationwide class,” and a “California subclass.” (Id. at ¶ 158.) The “nationwide class” is defined 13 as “[a]ll natural persons in the United States whose PHI was collected through [Meta’s] Pixel 14 through the Website.” (Id.) The “California subclass” is defined as “[a]ll natural persons residing 15 in California whose PHI was collected through [Meta] Pixel through the Website.” (Id.) 16 Plaintiff’s common law claims for invasion of privacy and breach of implied contract are brought 17 on behalf of Plaintiff and the nationwide class. (Id. at 40, 55.) Plaintiff’s remaining claims, which 18 arise under the California Constitution and California statutes, are brought on behalf of Plaintiff 19 and the California subclass. (Id. at 44, 47, 53.) 20 A. Factual Background 21 Plaintiff alleges the following in her complaint. Defendant Tenet is a health system and 22 services platform comprised of three different business units—surgical centers, hospital 23 1 Plaintiff refers to Meta as both “Meta” and “Facebook” throughout her complaint. For clarity in 24 this order, the court uses “Meta” to refer to the corporation and “Facebook” to refer only to Meta’s social media platform. 25
2 Plaintiff also named Meta as a defendant in this action, but on October 12, 2023, the court 26 severed and transferred all claims against Defendant Meta to the Northern District of California 27 so those claims could be related to the pending litigation In re Meta Pixel Healthcare Litig., No. 3:22-cv-3580-WHO (N.D. Cal. 2022). (Doc. No. 23.) Defendant Meta was therefore terminated 28 from this action on October 12, 2023. 1 operations, and healthcare-focused customer service and revenue management. (Doc. No. 1 at 2 ¶ 27.) Defendant EMC provides hospital services in Turlock, California. (Id. at ¶ 26.) Defendant 3 EMC provides the only heart attack receiving center between the California cities of Modesto and 4 Fresno. (Id.) 5 Defendant EMC maintains a public-facing Website where prospective and current patients 6 can “search for information related to their health conditions, hospital locations and doctors.” (Id. 7 at ¶¶ 1, 26.) Specifically, the Website includes a “search bar” that allows users to search for 8 information about medical conditions, such as “cancer,” “diabetes,” or “pregnancy care.” (Id. at 9 ¶¶ 6–7, 13, 100–01.) The Website also includes a “Find a Doctor” webpage that allows users to 10 search for doctors by specialty and location. (Id. at ¶¶ 6–7, 93–96.) 11 1. Defendants’ Use of Meta Pixel 12 Defendants embedded Pixel, a “snippet of computer code,” on the Website. (Id. at ¶¶ 6– 13 7.) When a user accesses a webpage containing Pixel on the Website, Pixel tracks the actions 14 taken by the user (i.e., clicking a button or searching a term) and transmits that data to Meta. (Id. 15 at ¶¶ 13, 71, 87-106.) Pixel was developed by Meta “as an innovative solution for reporting and 16 optimizing conversions (clicks to purchases), audience building, and gaining valuable insights 17 into website usage.” (Id. at ¶ 63.) Pixel enables “Defendants to analyze user experiences and 18 behavior on the Website to assess the Website’s traffic and functionality,” and aids Defendants in 19 targeting Website users with advertisements and “measuring how well those advertisements are 20 working.” (Id. at ¶ 10.) 21 Pixel functions by monitoring for “events” and transmitting data directly to Meta in real- 22 time when an “event” occurs. (Id. at ¶¶ 7, 64, 71, 87.) On the Website, a Pixel “event” is triggered 23 when a user searches for information related to health conditions using the “search bar,” or 24 searches for doctors by specialty and location on the “Find a Doctor” webpage. (Id. at ¶¶ 6–7, 87– 25 106.) The data transmitted to Meta when a Pixel “event” is triggered consists of a “full-string 26 detailed URL, which includes the name of the website, the web pages the [user] viewed, the name 27 of the doctor a [user] is considering, and search terms entered by the [user].” (Id. at ¶ 105.) Meta 28 also receives the Website user’s PII, including their internet protocol (IP) address, name, email, 1 and phone number. (Id. at ¶ 70.) If a Website user is signed into Facebook or has previously 2 signed into Facebook within the past year using the same browser that was used to access the 3 Website, Meta also receives the Website user’s Facebook ID (“FID”). (Id. at ¶¶ 6–8, 83.) Data on 4 the Website user’s activity and FID is sent to Meta as “one data point,” allowing Meta to “link” 5 the user’s interactions with the Website to their Facebook profile. (Id. at ¶¶ 8, 97, 100.) 6 2. Allegations Specific to Plaintiff 7 Plaintiff is a resident of Turlock, California. (Id. at ¶ 25.) Plaintiff began using the 8 Website in or around March 2021 to “search for information related to health conditions or 9 suspected health conditions, and to schedule treatment for actual or potential medical conditions.” 10 (Id.) Specifically, Plaintiff used the “Website’s search function . . . to search for information 11 related to symptoms or conditions she was experiencing, as recently as April 2023.” (Id.) 12 Plaintiff has been a Facebook user since approximately 2006. (Id.) Plaintiff’s Facebook 13 profile contains personal information such as her name, occupation, and place of residence. (Id.) 14 While utilizing the Website, Plaintiff was signed into her Facebook profile or had signed into her 15 Facebook profile in the same browser within the past year of using the Website. (Id.) 16 Plaintiff alleges that when she used the Website, information regarding her interaction 17 with the Website was intercepted and transmitted to Meta via Pixel without her consent, alongside 18 her FID. (Id. at ¶¶ 25, 122–24.) According to Plaintiff, the information transmitted to Meta 19 regarding her interaction with the Website included her PHI and PII. (Id. at ¶¶ 6, 108, 115.) 20 B. Procedural Background 21 On October 3, 2023, the court issued an order relating this action to two other actions 22 pending in this district: (1) Beltran v. Doctors Medical Center of Modesto, et al., No. 2:23-cv- 23 01670-DC-CKD, and (2) Doe v. Tenet Healthcare Corp., et al., No. 1:23-cv-01106-DC-CKD. 24 On October 18, 2023, Defendants filed the pending motion to dismiss Plaintiff’s claims 25 pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief 26 can be granted. (Doc. No. 27.) On June 28, 2024, Defendants filed a notice of supplemental 27 authority in support of their motion to dismiss. (Doc. No. 39.) On July 5, 2024, Plaintiff filed an 28 opposition to the pending motion. (Doc. No. 40.) On July 19, 2024, Defendants filed their reply 1 thereto. (Doc. No. 44.) 2 LEGAL STANDARD 3 A motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6) is a challenge to 4 the sufficiency of the allegations set forth in the complaint. Navarro v. Block, 250 F.3d 729, 732 5 (9th Cir. 2001). “Dismissal under Rule 12(b)(6) is proper when the complaint either (1) lacks a 6 cognizable legal theory or (2) fails to allege sufficient facts to support a cognizable legal theory.” 7 Somers v. Apple, Inc., 729 F.3d 953, 959 (9th Cir. 2013). In determining whether a complaint 8 states a claim upon which relief can be granted, the court accepts as true the allegations in the 9 complaint and construes the allegations in the light most favorable to the plaintiff. Manzarek v. St. 10 Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). However, the court is not 11 required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, 12 or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) 13 (citation omitted). 14 Under Federal Rule of Civil Procedure Rule 8(a), a complaint must include “a short and 15 plain statement of the claim showing that the pleader is entitled to relief,” in order to “give the 16 defendant fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. 17 v. Twombly, 550 U.S. 544, 555 (2007). A complaint must allege enough facts to state a claim to 18 relief that is plausible on its face. Id. at 570. “A claim has facial plausibility when the plaintiff 19 pleads factual content that allows the court to draw the reasonable inference that the defendant is 20 liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “The plausibility 21 standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility 22 that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556). If a claim is 23 dismissed for failure to comply with these requirements, “[l]eave to amend should be granted 24 unless the district court ‘determines that the pleading could not possibly be cured by the 25 allegation of other facts.’” Knappenberger v. City of Phoenix, 566 F.3d 936, 942 (9th Cir. 2009) 26 (quoting Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000)). 27 ANALYSIS 28 Defendants move to dismiss all of Plaintiff’s claims brought against them. (Doc. No. 27.) 1 Defendants contend that Plaintiff’s complaint should be dismissed because it (1) fails to allege 2 facts sufficient to support a cognizable legal theory, (2) is deficient with respect to each claim, 3 and (3) is wholly or partly time-barred by the applicable statute of limitations. (Id.) The court 4 addresses each argument in turn. 5 A. Allegations Regarding the Disclosure of Plaintiff’s Protected Health Information 6 As an initial matter, Defendants move to dismiss Plaintiff’s complaint in its entirety based 7 on Plaintiff’s failure to allege facts sufficient to support a cognizable legal theory. (Doc. No. 27 at 8 12–13.) The overarching theory underlying all of Plaintiff’s claims is that Defendants violated her 9 privacy rights by collecting and transmitting her PHI and PII from the Website to Meta via Pixel, 10 without her knowledge or consent. (Doc. No. 1 at 1–5.) Defendants argue Plaintiff’s theory is 11 conclusory because Plaintiff’s complaint does not indicate “what information [Plaintiff] entered 12 [on the Website] and what information was shared with [Meta].” (Doc. No. 27 at 13.) 13 Specifically, Defendants argue Plaintiff fails to allege “what information regarding her ‘health 14 conditions or suspected health conditions’ she supposedly searched for on the Website, or what 15 symptoms or conditions they were allegedly experiencing.” (Id. at 10.) In Defendants’ view, 16 Plaintiff merely “concludes that [the information she entered] was health information.” (Doc. No. 17 44 at 3.) 18 In her opposition to the pending motion, Plaintiff argues she has alleged facts allowing the 19 court to draw a reasonable inference that Defendants are liable for the alleged misconduct. (Doc. 20 No. 40 at 10.) Namely, “that [Plaintiff used] Defendants’ Website to search for information 21 related to symptoms or conditions she was experiencing and to schedule treatment for those 22 actual or potential medical conditions.” (Id.) (citing Doc. No. 1 at ¶ 25). 23 The court finds the allegations in Plaintiff’s complaint deficient. Plaintiff does not identify 24 with specificity what information she provided to Defendants via her browsing activity on the 25 Website and thus what information was subsequently transmitted to Meta. Although Plaintiff’s 26 complaint spans over fifty pages, only one paragraph is dedicated to detailing Plaintiff’s 27 interactions with Defendants’ Website. (Doc. No. 1 at ¶ 25.) Plaintiff vaguely alleges that she 28 used the Website to search for information related to “actual or potential” health conditions. (Id.) 1 In her allegations, Plaintiff does not describe the types of searches she conducted or the webpages 2 she viewed, even though her browsing activity forms the basis for her assertion that her 3 information was purportedly shared with Meta. (See id. at ¶¶ 6-7, 100.) 4 For instance, Plaintiff’s complaint provides examples of health conditions Website users 5 may search for, such as “diabetes,” and searches for doctors based on specialty, such as 6 “psychiatry,” but Plaintiff does not specify the types of health conditions and doctors Plaintiff 7 actually searched for on the Website. (Id. at ¶¶ 94, 100–01.) Similarly, Plaintiff’s complaint 8 describes how Pixel transmits information to Meta when Website users visit the “Find a Doctor” 9 webpage, but Plaintiff does not allege that she visited the “Find a Doctor” webpage. (Id. at ¶¶ 93– 10 96.) Thus, Plaintiff’s allegations of examples are insufficient to support her theory that 11 Defendants violated her privacy rights by collecting and transmitting her PHI to Meta. See Cousin 12 v. Sharp Healthcare, 681 F. Supp. 3d 1117, 1123 (S.D. Cal. 2023) (“Cousin I”) (finding the 13 plaintiffs’ complaint lacked sufficient factual support because it only provided hypothetical 14 examples and failed to specify what information plaintiffs provided defendants through their 15 browsing history). 16 Further, Plaintiff has not alleged that her browsing history on the Website related to the 17 provision of healthcare or patient status, such that the disclosure of her browsing history to Meta 18 constituted the disclosure of her PHI. The “disclosure of browsing activity on a publicly available 19 website that does not relate to ‘the past, present, or future physical or mental health or condition 20 of an individual is not actionable.’” Nienaber v. Overlake Hosp. Med. Ctr., 733 F. Supp. 3d 1072, 21 1084 (W.D. Wash. 2024). Indeed, “[a]n internet user might research medical information for 22 reasons unrelated to the user’s own health conditions.” R.C. v. Walgreen Co., 733 F. Supp. 3d 23 876, 893 (C.D. Cal. 2024) (noting courts have precluded “claims for public browsing activities 24 that do not reveal personal medical information”); see also Smith v. Facebook, Inc., 262 F. Supp. 25 3d 943, 954–55 (N.D. Cal. 2017), aff’d, 745 F. App’x 8 (9th Cir. 2018) (“search results related to 26 the phrase ‘intestine transplant’” constituted “general health information . . . accessible to the 27 public at large,” not “protected health information”). Thus, the collection and transmission of 28 information from “unauthenticated webpages (i.e., pages that do not require a user to log in to 1 access the website)” is “only actionable where the information disclosed either (1) ‘demonstrates 2 that the plaintiff's interactions plausibly relate to the provision of healthcare,’ or (2) ‘connects a 3 particular user to a particular healthcare provider’ or otherwise identifies patient status, which is 4 protected health information.” Nienaber v. Overlake Hosp. Med. Ctr., No. 2:23-cv-01159-TL, 5 2025 WL 692097 (W.D. Wash. Mar. 4, 2025) (citing Cousin v. Sharp Healthcare, 702 F. Supp. 6 3d 967 (S.D. Cal. 2023) (“Cousin II”)). 7 Cousin I is instructive on this point. In Cousin I, plaintiffs alleged that they used 8 defendant’s public website to “research . . . doctors,” “look for providers,” and “search for 9 medical specialists.” Cousin I, 681 F. Supp. 3d at 1123. Plaintiffs claimed that by sharing this 10 data with Meta through Pixel, defendant allowed Meta to collect their sensitive medical 11 information in violation of their privacy rights. Id. The district court determined that the 12 collection of data regarding the plaintiffs’ browsing activity was “not considered ‘[p]rotected 13 [h]ealth [i]nformation’ because ‘nothing about [the] information relate[d] specifically to 14 [p]laintiffs’ health.’” Id. (citing Smith v. Facebook, Inc., 262 F. Supp. 3d 943, 954–55 (N.D. Cal. 15 2017), aff’d, 745 F. App’x 8 (9th Cir. 2018)). The court in Cousin I therefore found the plaintiffs 16 could not maintain their privacy claims “based upon the theory that [d]efendant’s sharing of their 17 browsing activity, collected on its publicly facing website, [was] a disclosure of their sensitive 18 medical information.” Id. at 1124. As in Cousin I, here Plaintiff has not alleged sufficient facts to 19 demonstrate that her browsing activity on the Website was related to the provision of healthcare, 20 as opposed to “general health information [regarding conditions, symptoms, and doctors] 21 accessible to the public at large.” Smith, 262 F. Supp. 3d at 954–55.3 22
23 3 In her opposition to the pending motion, Plaintiff argues her allegations are more analogous to the facts alleged in Cousin II, rather than Cousin I. (Doc. No. 40 at 10–11.) The court disagrees. 24 In Cousin II, the plaintiffs’ claims survived dismissal because the plaintiffs alleged that they searched for a primary care physician by filtering physician search results based on specialty, 25 identified their particular medical conditions, and booked an appointment to obtain treatment. Cousin II, 702 F. Supp. 3d at 973. The court in Cousin II therefore found that the plaintiffs’ 26 allegations “relat[ed] to the provision of health care,” “convey[ed] information about a present 27 medical condition,” and involved “the provision of medical care covered by [the Health Insurance Portability and Accountability Act (‘HIPAA’)].” Id. Here, in contrast, Plaintiff fails to specify at a 28 minimum, the types of doctors or medical conditions she searched for on the Website. 1 Finally, besides browsing for information on health conditions, symptoms, and doctors on 2 Defendants’ Website, Plaintiff does not allege that she engaged in any other activity from which 3 an inference could be drawn that her PHI was disclosed. Indeed, Plaintiff does not allege using 4 Defendants’ Website to access a patient portal, schedule an appointment, call a doctor’s office, 5 refill a prescription, view test results, and review notes from an appointment—types of activity 6 that courts have found to be sufficient to demonstrate disclosure of PHI. See e.g., R.C. v. 7 Walgreen Co., 733 F. Supp. 3d 876, 893 (C.D. Cal. 2024) (noting that plaintiffs alleged “more 8 than merely viewing generic medical content on a publicly facing website” where they alleged 9 purchasing “specific products to treat specific health conditions”); B.K. v. Desert Care Network, 10 No. 2:23-cv-05021-SPG-PD, 2024 WL 1343305, at *5 (C.D. Cal. Feb. 1, 2024) (finding the 11 plaintiffs’ privacy claims based on the disclosure of personal medical information to be 12 sufficiently stated where plaintiffs alleged they used defendants’ website and patient portal to 13 schedule appointments, refill prescriptions, and view test results and appointment notes). 14 For these reasons, and because all of Plaintiff’s claims are predicated on her theory that 15 Defendants violated her privacy rights by collecting and transmitting her PHI to Meta via Pixel, 16 the court will grant Defendants’ motion to dismiss Plaintiff’s complaint in its entirety. However, 17 because allegations of additional facts could cure this pleading deficiency as to Plaintiff’s legal 18 theory, the court will grant Plaintiff leave to amend. 19 Recognizing that providing guidance as to other pleading deficiencies will enable Plaintiff 20 to address those deficiencies in an amended complaint, the court proceeds to addresses the 21 sufficiency of Plaintiff’s allegations as to each claim below, followed by a discussion of the 22 statutes of limitations applicable to Plaintiff’s claims. 23 B. Invasion of Privacy Under Common Law and the California Constitution 24 Plaintiff brings claims for invasion of privacy on behalf of herself, the nationwide class, 25 and the California subclass. (Doc. No. 1 at 40–42, 44–47.) To state a claim for invasion of 26 privacy under California common law, Plaintiff must show “(1) intrusion into a private place, 27 conversation or matter, (2) in a manner highly offensive to a reasonable person.” Shulman v. Grp. 28 W Prods., Inc., 18 Cal. 4th 200, 231 (1998), as modified on denial of reh’g (July 29, 1998). A 1 claim for invasion of privacy under the California Constitution involves similar elements. 2 Plaintiff must plead that (1) they “possess a legally protected privacy interest,” (2) they maintain 3 a reasonable expectation of privacy, and (3) “the intrusion is so serious in ‘nature, scope, and 4 actual or potential impact as to constitute an egregious breach of the social norms.’” Hernandez v. 5 Hillsides, 47 Cal. 4th 272, 287 (2009). “Because of the similarity of [these] tests, courts consider 6 [these] claims together and ask whether: (1) there exists a reasonable expectation of privacy, and 7 (2) the intrusion was highly offensive.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 8 589, 601 (9th Cir. 2020). 9 “The existence of a reasonable expectation of privacy, given the circumstances of each 10 case, is a mixed question of law and fact.” Id. at 601. “[C]ourts consider a variety of factors” in 11 determining whether a reasonable expectation of privacy exists, “including the customs, practices, 12 and circumstances surrounding a defendant’s particular activities.” Id. (citation omitted). 13 “Determining whether a defendant’s actions were ‘highly offensive to a reasonable person’ 14 requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the 15 degree and setting of the intrusion, the intruder’s motives and objectives, and whether 16 countervailing interests or social norms render the intrusion inoffensive.” Id. at 606. “While 17 analysis of a reasonable expectation of privacy primarily focuses on the nature of the intrusion, 18 the highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a 19 matter of public policy.” Id. 20 Defendants move to dismiss Plaintiff’s invasion of privacy claims on the grounds that 21 Plaintiff fails to plead both a reasonable expectation of privacy and a highly offensive intrusion. 22 (Doc. No. 27 at 14–16.) In her complaint, Plaintiff alleges that she had a reasonable expectation 23 of privacy in her communications with Defendant on the Website because “medical data is 24 sensitive information that must be protected from unauthorized disclosure.” (Doc. No. 1 at 25 ¶¶ 183–84, 208–11.) Plaintiff further alleges that Defendants’ disclosure of her information “is 26 highly offensive to a reasonable person” because there was no legitimate objective for Defendants 27 to invade Plaintiff’s privacy rights, Defendants did not allow Plaintiff the ability to control the 28 dissemination of her PHI, the context of the communication “between Plaintiff . . . and [her] 1 healthcare providers is highly sensitive,” and public policy dictates that “Defendants’ actions 2 undermine the relationship between Plaintiff . . . and her healthcare providers.” (Id. at ¶¶ 187, 3 212.) 4 The court finds Defendants arguments to be persuasive. Notably, Plaintiff alleges in a 5 conclusory manner that she has a reasonable expectation of privacy in her communications with 6 Defendants on the Website because such communications contain “medical data.” (Doc. No. 1 at 7 ¶¶ 183–84, 208–11.) However, Plaintiff’s complaint does not allege facts describing any such 8 “medical data.” As discussed above, Plaintiff’s allegations regarding her browsing activity are 9 vague. Plaintiff does not specifically allege that her searches related to the provision of 10 healthcare, patient status, or otherwise included PHI. Thus, the court finds Plaintiff has not 11 sufficiently alleged a reasonable expectation of privacy in her browsing activity on the Website. 12 See Desert Care Network, 2024 WL 1343305, at *9 (noting that invasion of privacy claims 13 centered on “plaintiffs’ browsing histories on defendants’ public-facing websites” were 14 “dubious”). 15 To be clear, Plaintiff has a reasonable expectation of privacy in her medical information. 16 Id. (“Patients’ right to privacy in their medical records is ‘well-settled.’”) (citation omitted). But 17 given the limited factual allegations in Plaintiff’s operative complaint, the court does not find 18 Plaintiff has sufficiently alleged that her browsing activity pertains to her own medical 19 information. See B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1064, 1067 (C.D. Cal. 20 2024) (dismissing privacy claims where plaintiffs “fail[ed] to allege what, if any medical 21 information or medical records were transmitted or disclosed” when they used defendant’s 22 website, such that the court could “only interpret that [p]laintiffs used [d]efendants’ [w]ebsite for 23 routine medical searches and inquiries”). In order to sufficiently state her invasion of privacy 24 claims, Plaintiff must “describe the types or categories of sensitive health information that they 25 provided” to Defendants through the Website. Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 26 1081 (N.D. Cal. 2023). As other courts have explained when dismissing invasion of privacy 27 claims brought against Meta with leave to amend, Plaintiff may amend to better describe the 28 health information provided to the defendants, and “[t]hat basic amendment (which can be 1 general enough to protect [Plaintiff’s] specific privacy interests) will allow these privacy claims 2 to go forward.”4 Id. 3 Finally, Plaintiff does not allege facts sufficient to establish an “egregious breach of the 4 social norms” that is “highly offensive” because Plaintiff does not “plead that [her] medical 5 information was disclosed.” See Eisenhower, 721 F. Supp. 3d at 1067. “Disclosing a user’s 6 browsing history [unrelated to the provision of healthcare or patient status] does not plausibly 7 reach the level of ‘highly offensive’ conduct [required] under either common law or the 8 California Constitution.” Cousin I, 681 F. Supp. 3d at 1126 (citing cases); cf. Walgreen Co., 733 9 F. Supp. 3d at 893–94 (finding the allegations that the defendants’ disclosure of plaintiffs’ private 10 health information included the purchasing of “sensitive health products” related to “specific 11 health conditions” were sufficient to survive a motion to dismiss based on the “highly offensive” 12 element). 13 For these reasons, the court finds Plaintiff fails to state a cognizable invasion of privacy 14 claim because Plaintiff has not pleaded a reasonable expectation of privacy or a highly offensive 15 intrusion. 16 Therefore, the court will grant Defendants’ motion to dismiss Plaintiff’s invasion of 17 privacy claims brought under common law and the California Constitution. Because Plaintiff may 18 be able to allege additional facts to support this claim, the court will grant Plaintiff leave to 19 amend.5 20 4 To the extent Plaintiff’s disclosure of her activity on the Website could reveal sensitive or 21 private information related to her health conditions, symptoms, and doctors, Plaintiff may file a request to redact/seal such details, as appropriate. See e.g., In re Meta Pixel Healthcare Litig., No. 22 3:22-cv-3580-WHO (N.D. Cal. 2022) (Doc. No. 185) (redacted consolidated class action 23 complaint alleging privacy claims based on defendants’ use of Pixel); Castillo v. Costco Wholesale Corp., No. 2:23-cv-01548-JHC (W.D. Wash. 2024) (Doc. No. 29) (redacted complaint 24 alleging the defendant installed Pixel to disclose personal health data collected from plaintiffs’ interactions with the defendant’s website). 25
5 Defendants also move to dismiss Plaintiff’s common law claims for invasion of privacy and 26 breach of implied contract to the extent they are brought on behalf of the nationwide class 27 because Plaintiff’s complaint does not specify which states’ laws apply to the nationwide class. (Doc. Nos. 27 at 21–23; 44 at 9.) Plaintiff does not respond to this argument in her opposition to 28 the pending motion. Instead, Plaintiff argues that that to the extent her failure to identify which 1 C. California Confidentiality of Medical Information Act 2 Plaintiff asserts a claim for violation of California’s CMIA against Defendants on behalf 3 of herself and the California subclass. (Doc. No. 1 at 47–48.) Under California’s CMIA, “[a] 4 provider of health care . . . shall not disclose medical information regarding a patient of the 5 provider of health care . . . without first obtaining an authorization.” Cal. Civ. Code § 56.10(a)– 6 (c). If a health care provider “creates, maintains, preserves, stores, abandons, destroys, or disposes 7 of medical information,” they “shall do so in a manner that preserves the confidentiality of the 8 information contained therein.” Cal. Civ. Code § 56.101(a). A health care provider “who 9 negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical 10 information” is subject to liability under the CMIA. Id. 11 The CMIA defines medical information as “any individually identifiable information, in 12 electronic or physical form, in possession of or derived from a provider of health care, health care 13 service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental 14 health application information, reproductive or sexual health application information, mental or 15 physical condition, or treatment.” Cal. Civ. Code § 56.05(i). “‘Individually identifiable’ means 16 that the medical information includes or contains any element of personal identifying information 17 sufficient to allow identification of the individual, such as the patient’s name, address, electronic 18 mail address, telephone number, or social security number, or other information that, alone or in 19 combination with other publicly available information, reveals the identity of the individual.” Id. 20 “This definition does not encompass demographic or numeric information that does not reveal 21 medical history, diagnosis, or care.” Eisenhower Med. Ctr. v. Superior Ct., 226 Cal. App. 4th 430, 22
23 states’ laws apply warrants dismissal of this class claim, any such dismissal should be without prejudice. (Doc. No. 40 at 25.) Due to variances among state laws, some courts within the Ninth 24 Circuit have required a plaintiff to plead which state’s common law applies to their class claims, although other courts have noted that there does not appear to be a statutory basis for such a 25 pleading requirement. Desert Care Network, 2024 WL 1343305, at *3 n.2 (citing Romero v. Flowers Bakeries, LLC, No. 5:14-cv-05189-BLF, 2016 WL 469370, at *12 (N.D. Cal. Feb. 8, 26 2016); Harris v. LSP Prod. Grp., Inc., No. 2:18-cv-02973-TLN-KJN, 2021 WL 2682045, at *14– 27 15 (E.D. Cal. June 30, 2021)). However, the court notes that by default, a district court sitting in diversity jurisdiction is “required to apply the substantive law of the state in which it sits, 28 including choice-of-law rules.” Harmsen v. Smith, 693 F.2d 932, 946–47 (9th Cir. 1982). 1 435 (2014). 2 Defendants argue Plaintiff’s CMIA claim should be dismissed because Plaintiff does not 3 allege that Defendants were her “providers of healthcare.” (Doc. No. 27 at 16.) Defendants 4 further argue that Plaintiff alleges in conclusory fashion that Defendants transmitted Plaintiff’s 5 “medical information” to Meta using Pixel without any factual support. (Id.) In her opposition, 6 Plaintiff asserts she “was a patient of Defendants, as evidenced by her scheduling treatments for 7 actual or potential medical conditions.” (Doc. No. 40 at 16 n. 5) (citing Doc. No. 1 at ¶ 25). 8 Plaintiff also argues her searches on the Website for information relating to health conditions, 9 suspected health conditions, and scheduled testing constitutes “medical information” under the 10 CMIA. (Id. at 17.) 11 Here too, the court finds Defendants’ arguments to be persuasive. Plaintiff’s complaint is 12 devoid of any allegation that Plaintiff was Defendants’ patient when she used the Website, or at 13 any time. Moreover, Plaintiff’s use of the Website alone does not support the inference that 14 Plaintiff was Defendants’ patient because the Website is not exclusively available to Defendants’ 15 patients. Indeed, Plaintiff alleges in her complaint that the Website is available to “all persons, 16 users, prospective patients and current patients.” (Doc. No. 1 at ¶ 1.) Thus, the court finds that 17 Plaintiff fails to sufficiently allege that Defendants were her “providers of healthcare,” as required 18 for a CMIA claim. 19 In addition, as previously discussed, Plaintiff’s complaint fails to specify what “medical 20 information” Defendants’ transmitted to Meta. Plaintiff alleges that she searched for information 21 concerning health conditions and symptoms on the Website (Doc. No. 1 at ¶ 25) but does not 22 plead facts sufficient to show that her searches revealed her personal “medical history, diagnosis, 23 or care.” See Eisenhower, 226 Cal. App. 4th at 435. For this reason, the court finds that Plaintiff 24 has failed to sufficiently allege that Defendants transmitted her “medical information” to Meta. 25 See B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1064 (C.D. Cal. 2024) (dismissing a 26 CMIA claim where plaintiffs “fail[ed] to allege what, if any medical information or medical 27 records were transmitted or disclosed” to Meta when plaintiffs used a website embedded with 28 Pixel); Cousin I, 681 F. Supp. 3d at 1123, 1128 (dismissing a CMIA claim because plaintiffs’ 1 research for doctors on a website embedded with Pixel was “general health information [] 2 accessible to the public at large,” unrelated to plaintiffs’ health). 3 Accordingly, the court will grant Defendants’ motion to dismiss Plaintiff’s CMIA claim. 4 Because Plaintiff may be able to allege additional facts to state this claim, the court will grant 5 Plaintiff leave to amend. 6 D. California Invasion of Privacy Act 7 Plaintiff brings a claim for a violation of the CIPA against Defendants on behalf of herself 8 and the California subclass. (Doc. No. 1 at 57–59.) The CIPA “broadly prohibits the interception 9 of wire communications and disclosure of the contents of such intercepted communications.” 10 Tavernetti v. Superior Ct. of San Diego Cnty., 22 Cal. 3d 187 (1978). Section 631(a) of CIPA 11 creates four avenues for relief: 12 (1) where a person “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any 13 unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument”; 14 (2) where a person “willfully and without consent of all parties to the 15 communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or 16 communication while the same is in transit”; 17 (3) where a person “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so 18 obtained”; and 19 (4) where a person “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done 20 any of the acts or things mentioned above.” 21 Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 897 (N.D. Cal. 2023). 22 Plaintiff invokes the fourth avenue of relief, alleging Defendants violated Section 631(a) 23 of the CIPA because they “aided, agreed with, conspired with, and employed [Meta] to 24 implement the Pixel and to accomplish the wrongful conduct at issue.” (Doc. No. 1 at ¶ 272.) 25 Defendants contend that Plaintiff’s CIPA claim should be dismissed because Plaintiff (1) 26 fails to allege Defendants transmitted the “contents” of her communications; (2) fails to allege 27 Defendants “intercepted” her communications; and (3) fails to plead “aiding and abetting” with 28 specificity. (Doc. No. 27 at 19.) Because the court finds dismissal of Plaintiff’s CIPA claim is 1 warranted due to her failure to allege Defendants transmitted the “contents” of her 2 communications, the court will not address Defendants’ remaining arguments. 3 A violation of CIPA is analyzed under the same standards applied to a violation of the 4 federal wiretap act, Electronic Communications Privacy Act (“ECPA”), 18 U.S.C § 2510 et seq. 5 Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1092 (N.D. Cal. 2022). The ECPA defines 6 the term “contents” as “any information concerning the substance, purport, or meaning of that 7 communication.” 18 U.S.C. § 2510. “Contents” means “the intended message conveyed by the 8 communication” as opposed to “record information regarding the characteristics of the message 9 that is generated in the course of the communication.” In re Zynga Privacy Litig., 750 F.3d 1098, 10 1106 (9th Cir. 2014). While a URL that includes “basic identification and address information” is 11 not “content,” a website “user’s request to a search engine for specific information could 12 constitute a communication such that divulging a URL containing that search term to a third party 13 could amount to disclosure of the contents of a communication.” Id. at 1108–09; see also St. 14 Aubin v. Carbon Health Techs., Inc., No. 4:24-cv-00667-JST, 2024 WL 4369675, at *4 (N.D. 15 Cal. Oct. 1, 2024) (“Descriptive URLs that reveal specific information about a user’s queries 16 reflect the ‘contents’ of a communication.”). 17 In her opposition to the pending motion, Plaintiff argues her queries on the Website 18 constitute “contents” of communications under CIPA. (Doc. No. 40 at 20–21.) Specifically, 19 Plaintiff alleges the “contents” of her communications to Defendants are the “search terms” she 20 typed in the “search bar” and “Find a Doctor” webpage monitored by Pixel. (Id.) However, as 21 previously discussed, Plaintiff’s complaint does not specify or describe the searches Plaintiff 22 conducted on the Website. Nor does the complaint allege that Plaintiff visited the “Find a Doctor” 23 webpage. Thus, the court does not find Plaintiff’s allegations sufficient to plead the “contents” of 24 her communications that were purportedly intercepted by Defendants within the meaning of 25 CIPA. Cf. St. Aubin, 2024 WL 4369675, at *4 n.4 (plaintiff’s allegation that defendant 26 transmitted descriptive URLs was sufficient to allege a CIPA claim where plaintiff’s “complaint 27 contain[ed] examples of actual searches, including screenshots”). Consequently, the court finds 28 that Plaintiff has not stated a cognizable CIPA claim. 1 Thus, the court will grant Defendants’ motion to dismiss Plaintiff’s CIPA claim, with 2 leave to amend, because Plaintiff may be able to allege additional facts to support this claim. 3 E. Breach of Implied Contract 4 Plaintiff brings a claim for breach of implied contract against Defendants on behalf of 5 herself and the nationwide class. (Doc. No. 1 at 60.) In California, the elements of a claim for 6 breach of an express or implied contract are the same. Terpin v. AT&T Mobility, LLC, No. 2:18- 7 cv-06975-ODW-KS, 2020 WL 883221, at *6 (C.D. Cal. Feb. 24, 2020) (citing Gomez v. Lincare, 8 Inc., 173 Cal. App. 4th 508, 525 (2009)). These elements include: “(1) the existence of the 9 contract, (2) plaintiff’s performance or excuse for nonperformance, (3) defendant’s breach, and 10 (4) the resulting damages to the plaintiff.” Oasis W. Realty, LLC v. Goldman, 51 Cal. 4th 811, 11 821 (2011). “An implied contract requires that both parties agree to its terms and have a ‘meeting 12 of the minds,’ but the creation of an implied contract can be manifested by conduct rather than 13 words.” Castillo v. Seagate Tech., LLC, No. 3:16-cv-01958-RS, 2016 WL 9280242, at *8 (N.D. 14 Cal. Sept. 14, 2016). 15 In her complaint, Plaintiff alleges she “entered into an implied contract with [] Defendants 16 when [she] provided [her] PHI to [] Defendants in exchange for services, pursuant to which [] 17 Defendants agreed to safeguard [her] PHI and not disclose such information without consent.” 18 (Doc. No. 1 at ¶ 276.) Plaintiff alleges Defendants made “promises to Website users . . . through 19 their [p]rivacy [n]otice,” which emphasized the “importance of keeping [Website users’] 20 confidential personal health information safe from unauthorized disclosure.” (Doc. Nos. 40 at 18; 21 1 at ¶ 3.) Defendants’ “[n]otice of [p]rivacy [p]ractices” describes how Defendants “may use and 22 disclose [PHI] . . . to others . . . ‘for purposes of treatment, payment and/or health care 23 operations,’” but does not indicate Defendants will disclose PHI to Meta. (Doc. No. 1 at ¶ 3.) 24 Finally, Plaintiff alleges Defendants breached their implied contract by disclosing her PHI to 25 Meta. (Id. at ¶ 279.) 26 Defendants argue Plaintiff’s claim for breach of implied contract should be dismissed 27 because Plaintiff has failed to allege the essential elements of a breach of contract claim. (Doc. 28 No. 27 at 17–19.) Specifically, Defendants argue that Plaintiff has not pled the existence of an 1 implied contract because “she does not allege any facts showing any mutual assent (offer and 2 acceptance) on the material points of the alleged implied contract.” (Id. at 17.) Defendants further 3 argue that Plaintiff does not allege facts showing Defendants breached the terms of any implied 4 contract, such as what information Defendants obtained and shared without Plaintiff’s consent. 5 (Id. at 18.) Finally, Defendants assert that Plaintiff does not allege any damages resulted from 6 Defendants’ purported breach of implied contract. (Id. at 18.) Because the court finds Plaintiff 7 fails to allege the existence of an implied contract, the court will not address Defendants’ 8 remaining arguments. 9 Plaintiff’s assertion that an implied contract exists because Plaintiff provided her PHI to 10 Defendants in exchange for services is not supported by the pleadings. As the court has already 11 determined, Plaintiff’s complaint does not allege facts sufficient to support the conclusion that 12 Plaintiff provided her PHI to Defendants. In any event, Plaintiff’s reliance on Defendants’ privacy 13 policy as the basis for an implied contract is misplaced. Plaintiff does not allege they reviewed 14 Defendants’ privacy policies prior to using the Website. See e.g., K.L. v. Legacy Health, No. 15 3:23-cv-1886-SI, 2024 WL 4794657, at *8 (D. Or. Nov. 14, 2024) (plaintiff’s reference to 16 defendant’s notice of privacy practices “as the source upon which she understood there to be 17 mutual assent” was misplaced for breach of implied contract claim where “she never allege[d] 18 that she relied upon or even read the [notice of privacy practices] before engaging [d]efendant’s 19 services”). Moreover, privacy policies “may form the terms of an implied contract, [but] they do 20 not alone serve as an enforceable contract without a separate ‘meeting of the minds’ between the 21 parties.” Nienaber, 733 F. Supp. 3d at 1092 (citing Doe v. Regents of Univ. of Cal., 672 F. Supp. 22 3d 813, 821 (2023)). In other words, privacy policies are “not contractual in nature” because they 23 serve to inform patients regarding their rights and the duties imposed on healthcare providers by 24 law. Id. 25 Finally, Plaintiff has not made any allegations regarding consideration received by 26 Defendants for their purported promise to safeguard Plaintiff’s information. “Several courts have 27 specifically found that consideration is required for an implied contract claim regarding data 28 security.” Ortiz v. Perkins & Co., No. 4:22-cv-03506-KAW, 2022 WL 16637993, at *6 (N.D. 1 Cal. Nov. 2, 2022); see also Huynh v. Quora, Inc., No. 5:18-cv-07597-BLF, 2019 WL 11502875, 2 at *10 (N.D. Cal. Dec. 19, 2019) (finding no breach of contract claim where the plaintiffs “ha[d] 3 not shown that they paid anything for the asserted privacy protections”); C.M. v. MarinHealth 4 Med. Grp., Inc., No. 3:23-cv-04179-WHO, 2024 WL 217841, at *3–4 (N.D. Cal. Jan. 19, 2024) 5 (adequate consideration alleged for breach of implied contract claim where plaintiff alleged he 6 paid for healthcare services and the amount he paid for the services was based in part on 7 defendant’s security promises). Rather than alleging any kind of consideration, Plaintiff alleges 8 that supplying Defendants with user data in exchange for services was sufficient to establish an 9 implied in fact contract. (Doc. No. 1 at ¶ 276.) That allegation is insufficient to support a claim 10 for breach of implied contract. See Nienaber, 733 F. Supp. 3d at 1092 (allegation that “the 11 provision of user data alone to [d]efendant in exchange for services” was insufficient to establish 12 an implied in fact contract). Therefore, the court cannot infer the existence of an implied contract 13 from Plaintiff’s allegations. 14 For these reasons, the court will grant Defendants’ motion to dismiss Plaintiff’s breach of 15 implied contract claim. Although the court is skeptical that Plaintiff will be able to cure the 16 pleading deficiencies identified as to this claim, the court will nevertheless grant Plaintiff leave to 17 amend this claim. 18 F. Statute of Limitations 19 Defendants contend Plaintiff’s complaint should be dismissed in its entirety because all 20 claims are wholly or partly time-barred by the applicable statute of limitations. (Doc. No. 27 at 21 23.) “A claim may be dismissed as untimely pursuant to a 12(b)(6) motion only when the running 22 of the statute [of limitations] is apparent on the face of the complaint.” U.S. ex rel. Air Control 23 Techs., Inc. v. Pre Con Indus., Inc., 720 F.3d 1174, 1178 (9th Cir. 2013) (internal quotation marks 24 and citation omitted). “[A] complaint cannot be dismissed unless it appears beyond doubt that the 25 plaintiff can prove no set of facts that would establish the timeliness of the claim.” Von Saher v. 26 Norton Simon Museum of Art at Pasadena, 592 F.3d 954, 969 (9th Cir. 2010) (quoting Supermail 27 Cargo, Inc. v. United States, 68 F.3d 1204, 1206 (9th Cir. 1995)). 28 Each of Plaintiff’s five claims against Defendants is subject to a statute of limitations, 1 ranging from one to three years. See Cal. Civ. Proc. Code § 340 (statute of limitations for a CIPA 2 claim is one year); Cal. Civ. Proc. Code § 335.1 (statute of limitations for an invasion of privacy 3 claims under the California constitution or common law is two years); Cal. Civ. Proc. Code 4 § 339(1) (statute of limitation for breach of implied contract claim is two years); Ramirez v. Dean 5 Foods Co. of Cal., No. 8:11-cv-1292-DOC-AN, 2012 WL 3239959, at *8 (C.D. Cal. Aug. 6, 6 2012) (“There is some controversy as to whether the statute of limitations for [a CMIA] claim is 7 two or three years.”). 8 In her motion, Defendant argues Plaintiff’s complaint should be dismissed because 9 Plaintiff does not specify when Defendants’ purportedly harmful conduct occurred, making it 10 unclear whether Plaintiff’s claims accrued, in whole or in part, outside the applicable statute of 11 limitations periods. (Doc. No. 27 at 24.) Because Plaintiff’s complaint was filed on August 10, 12 2023, Defendants argue Plaintiff is “time-barred from bringing (1) any CIPA claim that accrued 13 prior to August 10, 2022; (2) any claims subject to a two-year statute of limitations that accrued 14 prior to August 10, 2021; and (3) any claims subject to a three-year statute of limitations that 15 accrued prior to August 10, 2020.” (Id.) In her opposition, Plaintiff argues she has alleged viable 16 claims within each of the applicable statute of limitations periods by specifying the dates she most 17 recently visited the Website. (Doc. No. 40 at 26.) 18 The court finds Plaintiff’s complaint sufficiently alleges claims within the applicable 19 statute of limitations periods. Plaintiff alleges she last visited the Website after August 10, 2022, 20 within the applicable statute of limitations periods for all claims. (Doc. No. 1 at ¶ 25.) 21 Specifically, Plaintiff visited the Website in as recently as April 2023. (Id.) Although Plaintiff’s 22 complaint does not specify the exact date Plaintiff first used the Website, besides the fact that 23 Plaintiff began using the Website in or around March 2021, the complaint “does not indicate on 24 its face that [Plaintiff’s] interactions ceased before the [statutes of limitations expired].” See 25 Desert Care Network, 2024 WL 1343305, at *5. 26 Thus, because Plaintiff’s complaint does not present a statute of limitations issue that is 27 facially apparent, the court will deny Defendants’ motion to dismiss Plaintiff’s claims as time- 28 barred. 1 CONCLUSION 2 For the reasons explained above: 3 1. Defendants’ motion to dismiss (Doc. No. 27) is GRANTED as follows: 4 a. Plaintiffs claim for invasion of privacy under California common law is 5 dismissed with leave to amend; 6 b. Plaintiff’s claim for invasion of privacy under the California Constitution is 7 dismissed with leave to amend; 8 C. Plaintiff's CMIA claim is dismissed with leave to amend; 9 d. Plaintiff's CIPA claim is dismissed with leave to amend; and 10 e. Plaintiff’s claim for breach of implied contract is dismissed with leave to 11 amend; 12 2. Within twenty-one (21) days of the date of entry of this order, Plaintiff shall file a 13 first amended complaint, or alternatively, file a notice of her intent not to file a 14 first amended complaint; and 15 3. Plaintiff is warned that her failure to comply with this order may result in an order 16 dismissing this case due to her failure to prosecute. 17 18 IT IS SO ORDERED. □ 19 | Dated: _June 9, 2025 RUC Dena Coggins 20 United States District Judge 21 22 23 24 25 26 27 28 21