UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
L.C., individually and on behalf of all ) others similarly situated, ) ) Plaintiff, ) ) No. 25 C 2049 v. ) ) Judge Rebecca R. Pallmeyer FERTILITY CENTERS OF ILLINOIS, PLLC, ) ) Defendant. ) )
MEMORANDUM OPINION AND ORDER
Plaintiff L.C. is a former patient of Defendant Fertility Centers of Illinois, PLLC (“FCI” or “Defendant”). In this proposed class action, she alleges that FCI, a fertility treatment medical provider, embedded code within its website that allows Meta, Google, and other third party advertisers to “collect and disclose the private and confidential information of its patients to unauthorized third parties for its own pecuniary gain.” (Compl. [1] at ¶ 8.) Plaintiff L.C. argues that FCI’s use of these technologies exposed her private information and that of similarly situated proposed class members in violation of the Federal Electronic Communications Privacy Act (“ECPA”), the Illinois Eavesdropping Statute (“IES”), and Illinois contract and tort law.1 She seeks to represent a class and pursue damages and injunctive relief. FCI has moved to dismiss pursuant to FED. R. CIV. P. 12(b)(1) and 12(b)(6), for lack of Article III standing and failure to state a claim. For the reasons discussed below, the motion is denied.
1 Plaintiff invokes two statutory bases for federal jurisdiction: federal question jurisdiction under 28 U.S.C. § 1331, and jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d). (Compl. [1] ¶¶ 35–38.) Both statutes appear to apply here. Because Plaintiff brings claims under the ECPA, a federal statute, jurisdiction is proper under § 1332, and the court has supplemental jurisdiction over the related state law claims. See 28 U.S.C. § 1367. Alternatively, because this proposed class action includes more than one hundred class members and seeks damages in excess of $5 million, federal jurisdiction is proper under § 1332(d). BACKGROUND I. Factual Background The facts laid out below are taken from Plaintiff’s Complaint [1], which the court accepts as true at the pleading stage. See Bible v. United Student Aid Funds, Inc., 799 F.3d 633, 639 (7th Cir. 2015). Plaintiff L.C. brings this suit individually and on behalf of all others similarly situated against FCI. (Compl. [1] at 1.) FCI is an Illinois company that operates fertility clinics providing treatments “such as artificial insemination, in vitro fertilization, and genetic testing.” (Id. ¶ 4.) FCI operates a website that patients can use to search for treatments, schedule appointments, communicate personal health information (“PHI”) and personal identifiable information (“PII”), pay medical bills, and more.2 (Id. ¶ 67.) Plaintiff alleges that Defendant encouraged patients to use its website for these purposes. (Id.) On November 11, 2022, Plaintiff L.C., a resident of Chicago, scheduled an appointment on FCI’s Website to receive fertility treatment. (Id. ¶ 28.) At her appointment, L.C. received treatment from a medical practitioner associated with FCI. (Id. ¶ 29.) L.C. alleges that unbeknownst to her and to proposed Class Members, FCI “purposely installed Tracking Technologies on its Website and programmed specific webpage(s) to surreptitiously share its patients’ private and protected communications . . . [with] Facebook and Google.” (Id. ¶ 68.) According to the Complaint, digital advertising companies (such as Meta and Google) develop tracking technologies and analytics tools, including Meta’s “Business Tools” or Google’s “Google Analytics,” for use by businesses. (Id. ¶¶ 41–44.) These tools are “bits of code” that, when integrated into a webpage by a website owner, passively collect various forms of information on visitors to that website. (Id. ¶ 41.) This data includes technical information such as IP addresses, device information, operating system, browser, and screen resolution, as well as
2 The website is https://www.fcionline.com. (Id. ¶ 5.) detailed data regarding the user’s communications with the host’s website. (Id. ¶ 42, 57.) Meta and Google obtain access to this data, combine it with the wealth of user data they collect from elsewhere on the internet, and then generate a detailed profile of that user. (Id. ¶ 11–12, 23.) At least some of this profile is then forwarded to the website owner. (Id. ¶ 140–44.) The resulting data is valuable both to Google and Meta, who use it for targeted advertising, and to the website owners, who receive detailed information on the demographics, preferences, and activities of website users, and can use that information to craft more effective marketing campaigns. (See id. ¶ 143.) In addition to user data, website owners are “compensated [for providing access to their users’ data] . . . in the form of enhanced advertising services and more cost-efficient marketing” on Meta and Google’s platforms. (Id. ¶ 146.) The Complaint explains, in detail, the technical details of how these tools operate. To take just one example: Meta, via its tracking tools, collects user information, and pairs it with “a patient’s unique and persistent Facebook ID (‘Facebook ID’ or ‘FID’).” (Id. ¶ 11.) Meta then can “personally identify those patients” and link their data “with their Facebook profile” to generate a complete profile of the user. (Id. ¶ 11.) Plaintiff alleges that, “[t]here is no anonymity in the information disclosed to Facebook; that is, the Meta Pixel collects and discloses a substantial ‘data packet’ coupled with the PID so that Defendant can, among other things, send targeted advertisements to patients . . . based on their sensitive and protected PII and PHI.” (Id. ¶ 18.) According to Plaintiff, a similar matching process is used by Google.3 (Id. ¶ 19.) L.C. alleges that FCI “intentionally incorporate[ed]” these “invisible tracking” tools in its website, enabling FCI to collect her sensitive health-related communications with her provider, including “information about medical reproductive and fertility services and treatments,” “patient
3 Google’s technology allows the company “to track the same user across multiple devices through its addition of the User-ID feature.” (Id. ¶ 12.) This User-ID includes information on the “user’s engagement data from one or more sessions initiated from one or more devices.” (Id. (internal quotation marks omitted).) status,” “searches for specific doctors,” “the text of the URLs visited by the patient,” “requests to make an appointment,” and “other information that qualifies as PII and PHI under federal and state laws.” (Id. ¶¶ 15, 21.) She characterizes these tools that collect data and transmit it to a third party as analogous to a “bug” or a “wiretap.” (Id. ¶¶ 22, 82.) L.C. never consented to the collection or sharing of her data—she evidently was informed after the fact, by a separate tool manufactured by Meta, that her data was collected and shared. After she scheduled the appointment with FCI, she noted that her Facebook account’s offsite activity report showed that her interaction with FCI’s website had been “intercepted by Facebook.” (Id. ¶ 30.) According to Meta’s website, a user’s offsite activity report is a “summary of activity that businesses and organizations share with us about your interactions with them, such as visiting their apps or websites.”4 Plaintiff claims she has not seen or signed any written consent form that permitted FCI to disclose information to Meta, Google, or any other company. (Id. ¶ 13.) Instead, Plaintiff asserts, she and Class Members “who visited and used Defendant’s Website reasonably believed that they were communicating only with their trusted healthcare provider.” (Id. ¶ 14.) She also claims that she believed that her information would not be shared by FCI with third parties for commercial reasons. (Id. ¶ 135.) Plaintiff believes that this data-sharing practice violated FCI’s own privacy policy. (Id. ¶ 110.) She alleges that FCI’s privacy policy “represent[ed] to patients and visitors to its Website that it will keep their Personal Information, including their PHI, private and secure and that it will only disclose PHI provided to them under certain circumstances, none of which apply here.”5 (Id.
4 Review Your Activity Off Meta Technologies, Facebook Help Center, https://www.facebook.com/help/2207256696182627/ (last accessed December 2, 2025).
5 Plaintiff cites to the version of FCI’s Privacy Policy available at https://www.fcionline.com/privacy-policy/. (Compl. [1] at 28 n.31.) This webpage, however, includes a policy that was last revised in March 2025, a month after the Complaint in this case was filed (and, from the court’s reading, appears to describe several ways in which FCI clients’ data is shared with third parties). The Complaint does not include the language of the operative policy that was in force at the time the injury occurred, but FCI has not challenged Plaintiff’s characterization of that language, and the court presumes her allegations are accurate. ¶ 109.) She argues that FCI “breached its own privacy policies by unlawfully permitting Facebook and Google and likely other third parties to intercept patients’ PII and PHI without obtaining patients’ consent or authorization.” (Id. ¶ 115.) FCI ultimately benefited from its use of the tracking technologies. (Id. ¶ 140, 153.) According to Plaintiff, Google and Meta shared at least some of the collected information with FCI, enabling FCI to use “this data and analysis for its own commercial purposes that include understanding how patients utilize its Website.” (Id. ¶ 141, 142.) The information shared by Google, for example, included data on traffic acquisition (i.e., “the methods by which users arrive at [a] site or app”), user demographics, and the ways that users interact with the website. (Id. ¶ 59.) This data was then used by FCI “to improve marketing by creating campaigns that maximize conversions and thereby decrease costs to Defendant and boost its revenue.” (Id. ¶ 140.) Plaintiff cites a number of estimates about the financial value of this data. One source claims that a single user’s data was valued between $15 and $40 (id. ¶ 156); another estimates that the value of data can be as high as “$434 per user.” (Id. ¶ 157.) II. Procedural Background Plaintiff brought this action on February 27, 2025, alleging several violations of federal and state law. The Complaint includes four counts: (1) a violation of the federal Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511(1), et seq.; (2) a negligence claim; (3) an unjust enrichment claim; and (4) a violation of the Illinois Eavesdropping Statute, 740 ILCS § 5/14-1, et seq. (Compl. [1] ¶¶ 197–267.) On April 21, 2025, FCI moved to dismiss for lack of standing and failure to state a claim pursuant to FED. R. CIV. P. 12(b)(1) and 12(b)(6) [9]. The motion is fully briefed and ready for decision. DISCUSSION I. Jurisdiction FCI first moves to dismiss this case for lack of subject matter jurisdiction pursuant to FED. R. CIV. P. 12(b)(1). As explained below, this motion is denied. Article III “confines” federal jurisdiction “to ‘Cases’ and ‘Controversies.’” FDA v. All. For Hippocratic Med., 602 U.S. 367, 378 (2024). For there to be a “Case” or a “Controversy,” each plaintiff in federal court must demonstrate standing—a “personal stake” in the case and its outcome. TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). The “irreducible constitutional minimum” of standing requires three elements: (1) an injury in fact, (2) caused by the defendant, (3) that would likely be redressed by judicial action. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). “‘As the party invoking federal jurisdiction, [the] plaintiff bears the burden of establishing the elements of Article III standing.’” In re Recalled Abbott Infant Formula Prods. Liab. Litig., 97 F.4th 525, 528 (7th Cir. 2024) (citing Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015)). Because this is a facial attack to standing, the court “must accept as true all material allegations of the complaint, and must construe the complaint in favor of the complaining party.” Id. (citation and internal quotation marks omitted). At issue in this case is the first element: Injury in fact. An injury in fact must be both “‘concrete and particularized’” as well as “‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc., v. Robins, 578 U.S. 330, 339 (2016) (quoting Lujan, 504 U.S. at 560). “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Nowlin v. Pritzker, 34 F.4th 629, 633 (7th Cir. 2022) (citation and internal quotation marks omitted). For it to be concrete, it must be “real, and not abstract.” Spokeo, 578 U.S. at 340 (citations and internal quotation marks omitted). To determine whether a particular harm is concrete, courts consider “both history and Congress’s judgment.” Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 462 (7th Cir. 2020). As the Seventh Circuit has recognized, “intangible harms, such as reputational harms, disclosure of private information, and intrusion upon seclusion” can qualify as concrete. Wood v. Sec. Credit Servs., 126 F.4th 1303, 1309 (7th Cir. 2025) (internal quotation marks omitted). FCI argues that Plaintiff’s alleged harm is neither concrete nor particularized. (See Mot. [9] at 6.) The court disagrees. Plaintiff has alleged that she was a patient of the clinic, booked an appointment on the clinic’s website, and received treatment there. (Compl. [1] ¶¶ 28, 29.) She also alleges that “[d]uring the time Plaintiff scheduled an appointment on the Website she maintained an active social media account with Facebook,” and that her Facebook “offsite activity report . . . confirmed that information related to her use of the Website was intercepted by Facebook.” (Id. ¶ 30.) These allegations suggest that FCI facilitated the interception of Plaintiff’s sensitive personal information by third-party advertising companies without Plaintiff’s knowledge or assent. This constitutes an injury of fact that is both concrete and particularized. First, the injury asserted—the exposure of her personal data to a third party—is concrete because it is closely related to traditional common-law privacy torts. As the Supreme Court has held, a key part of the concreteness inquiry is whether “an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Spokeo, 578 U.S. at 341. Article III requires a “close historical or common-law analogue,” but not an “exact duplicate.” Ewing v. MED-1 Solutions, LLC, 24 F.4th 1146, 1151 (7th Cir. 2022) (citing TransUnion, 594 U.S. at 424–25). Under the common law, invasion of privacy has “traditionally encompassed four distinct torts: intrusion upon seclusion, appropriation of another person’s name or likeness, publicity given to another person’s private life, and publicity that places one in a false light.” Nabonzy v. Optio Solutions, LLC, 84 F.4th 731, 735 (7th Cir. 2023) (citing RESTATEMENT (SECOND) OF TORTS § 652A (A.L.I. 1977)). Two of these—intrusion upon seclusion and publicity given to another’s private life (also called “public disclosure of private facts”)—are relevant here. “Intrusion upon seclusion occurs when a person intrudes upon the solitude or seclusion of another or his private affairs or concerns, and this intrusion would be highly offensive to a reasonable person.” Pucillo v. Nat’l Credit Sys., Inc., 66 F.4th 634, 640 (7th Cir. 2023) (cleaned up). An example of intrusion upon seclusion would be opening someone’s “private and personal mail, searching his safe or his wallet, or examining his private bank account.” Persinger v. Sw. Credit Sys., 20 F.4th 1184, 1192 (7th Cir. 2021) (cleaned up). Likewise, the tort of public disclosure of private facts is committed when a one “‘gives publicity’ to a matter that concerns ‘the private life of another,’ is ‘highly offensive to a reasonable person,’ and is not of legitimate public concern.” Nabonzy, 84 F.4th at 735 (citing RESTATEMENT (SECOND) OF TORTS § 652A (A.L.I. 1977). Both of these torts are designed to vindicate an individual’s right to conceal private information from discovery, collection, and sharing by third parties, and thus bear a close relationship to the harms alleged in this case. Other courts in this District have reached this conclusion on facts similar to those before this court. In A.M., et al. v. Adv. Reprod. Health Ctr., Ltd., No. 24 C 07559 (N.D. Ill. Aug. 8, 2025), for example, the facts are basically identical: A patient at a fertility clinic sued the clinic, alleging that it used tracking technology to unlawfully share user information with Meta and Google. See Tr. [42] in 24 C 07559. Judge Pacold denied the clinic’s motion to dismiss for lack of standing, reasoning that intrusion upon seclusion is a “sufficient analog” to support standing.6 Id. at 16:21. Likewise, in Smith v. Loyola Univ. Med. Ctr., No. 23 C 15828, 2024 WL 3338941 (N.D. Ill. July 9, 2024), a plaintiff alleged that a healthcare provider disclosed information to Meta and Google via the use of trackers on the website. Judge Daniel found that this allegation constituted a concrete harm under Article III. Id. at *3–*4. Other cases from this District are in accord.7 These cases confirm that disclosure of private health information constitutes a concrete harm that is cognizable under Article III. FCI invites this court to reach a different conclusion here;
6 FCI attempts to distinguish this case by arguing that the Adv. Reprod. Health plaintiff, unlike L.C., made specific allegations about her interactions with the clinic’s website. But Plaintiff cites this case for its analysis on standing, not on the merits of the underlying claim. The allegations in the instant Complaint are specific enough to show an injury for standing purposes, and because the injuries in Adv. Reprod. Health are essentially identical to those alleged in the case at bar, its standing analysis is still applicable. FCI’s arguments on the lack of specificity in the complaint are better suited for its 12(b)(6) analysis.
7 See, e.g., Florence v. Order Exp., Inc., 674 F. Supp. 3d 472, 479–80 (Kendall, J.) (N.D. Ill. 2023) (“Plaintiffs’ alleged loss of privacy resulting from the data breach [that disclosed Social Security, driver’s license, and tax identification numbers] is a concrete injury in fact.”); Dixon v. Washington and Jane Smith Cmty. - Beverly, No. 17 C 8033, 2018 WL 2445292, at *9 (Kennelly, J.) (N.D. Ill. May 31, 2018) (“Obtaining or disclosing a person's biometric identifiers or information without her consent or knowledge necessarily violates that person's right to privacy in her biometric information.”); Roper v. Rise Interactive Media & Analytics, LLC, No. 23 C 1836, 2023 WL 7410641, at *4 (Jenkins, J.) (N.D. Ill. Nov. 9, 2023) (finding the disclosure of “sensitive health information, including medical diagnoses” a cognizable injury under Article III). FCI points out that plaintiffs in those other cases, unlike L.C., alleged “the specific medical diagnosis and treatment they inputted” onto the relevant website. (Reply [18] at 2.) True, a plaintiff must allege specific facts that detail the injury they claim to have suffered—but at the pleading stage, “general factual allegations of injury resulting from the defendant’s conduct may suffice” to show standing. Bazile v. Fin. Sys. of Green Bay, Inc., 983 F.3d 274, 278 (7th Cir. 2020). And there would be no real mystery about the sensitive nature of the information at issue in this case. A reasonable inference from L.C.’s allegations is that she believed she was in some need of fertility treatment, visited FCI’s website to seek this treatment, and subsequently had this sensitive personal information shared with third parties. Even without a specific diagnosis, L.C.’s concerns about infertility and decision to seek treatment is private information similar to that traditionally protected by the common law of torts. For the purposes of standing, this is sufficient to show a concrete harm. In a similar vein, FCI also takes issue with the fact that L.C. “fail[s] to allege that they received any targeted ads based on the disclosure of their information, or fail to point to any other potential connection.” (Mot. [9] at 5.) But the harm alleged here is the disclosure of information, not the targeting of advertisements. Plaintiff need not allege having received targeted advertisements in order to demonstrate Article III standing. Next, the court turns to the issue of particularity. Here, too, FCI argues that “Plaintiffs fail to allege well pleaded facts showing they personally have been put at risk, suffered a privacy threat, or otherwise identify the harm suffered because of Defendant’s conduct alleged in the Complaint.” (Mot. [9] at 6–7.) Again, the court disagrees. “[N]amed plaintiffs who represent a class ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.’” Spokeo, 578 U.S. at 338 n.6 (quoting Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 40 n.20 (1976)). Plaintiff L.C. does allege that she personally visited the website, and that her personal information was shared with a third party. This injury affected her “in a personal and individual way,” see Abbott, 97 F.4th at 529, and was not a “generalized grievance,” see Lujan, 504 U.S. at 575. This is sufficient for Article III standing.8 Neither of the cases cited by Defendant on this issue defeats this conclusion. In Dinerstein v. Google, LLC, 73 F.4th 502, 514 (7th Cir. 2023), the plaintiffs alleged that the University of Chicago Medical Center unlawfully shared anonymous patient records with Google as part of an AI research partnership. Id. at 508–10. The Court of Appeals affirmed this court’s conclusion that plaintiff lacked Article III standing, as the “dissemination of anonymized information”—as opposed to personalized information—was not traditionally a basis for relief in tort law. See id. at 513–14. The plaintiff had speculated that some of the health data shared with Google might have “evaded redaction,” but the panel found speculation about hypothetical harm insufficient to establish standing. Id. at 514. In this case, in contrast to Dinerstein, Plaintiff alleges that specific, non-anonymized information about her was shared with third parties. L.C.’s alleged injury is not hypothetical; she alleges that it actually happened. In Doe 1 v. Nat’l Collegiate Athletic Ass’n, No. 23-cv-00542, 2024 WL 3293591, at *4 (S.D. Ind. July 2, 2024), a group of college athletes, victims of sexual harassment by their coaches, alleged that the NCAA was negligent in failing to prevent and respond to their concerns. The District Court found that the plaintiffs did not have standing to pursue injunctive or declaratory relief under a “increased risk of injury theory” because, although they suffered harms in the past, they did not allege an intention to return to an environment where future harassment is likely. The case before this court differs. True, because Plaintiff seeks injunctive relief, she must show that “threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Swanigan v. City of Chicago, 881 F.3d 577, 583 (7th Cir. 2018) (citation and internal quotation marks omitted). But L.C. can meet this burden. She alleges that she is a current patient of the
8 While FCI’s argument on this point appears to potentially be relevant to class certification, the parties do not raise class certification in their briefing, so the court does not address it here. clinic, and that FCI has collected her personal information and shared it with Meta and Google. It is reasonable to infer that there is a substantial likelihood that she will visit the website again in the future, and that her data will continue to be shared with other third parties. The court concludes that Plaintiff has Article III standing. II. 12(b)(6) Motion to Dismiss FCI also brings a motion to dismiss for failure to state a claim. Under the Federal Rules, a 12(b)(6) motion to dismiss challenges the “sufficiency of the complaint itself” rather than the merits of the case. Bell v. City of Country Club Hills, 841 F.3d 713, 716 (7th Cir. 2016). “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Plausibility is established when the plaintiff has pleaded enough facts for the court to reasonably infer that the Defendant is liable for the alleged misconduct. Id. at 678. A complaint does not require “detailed factual allegations” to survive a motion to dismiss, but “labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555. The factual allegations in a complaint “must be enough to raise a right to relief above the speculative level . . . on the assumption that all of the complaint’s allegations are true.” Id (cleaned up). A. Illinois Eavesdropping Statute Defendant contends that Plaintiff has failed to state a claim under the Illinois Eavesdropping Statute (“IES”), 720 ILCS 5/14-1, et seq., due to the statute’s so-called “party exception.” The IES provides as follows: (a) A person commits eavesdropping when he or she knowingly and intentionally: . . . (3) Intercepts, records, or transcribes, in a surreptitious manner, any private electronic communication to which he or she is not a party unless he or she does so with the consent of all parties to the private electronic communication; (4) Manufacturers, assembles, distributes, or possesses any electronic, mechanical, eavesdropping, or other device knowing that or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious overhearing, transmitting, or recording of private conversations or the interception, or transcription of private electronic communications . . .
(5) Uses or discloses any information which he or she knows or reasonably should know was obtained from a private conversation or private electronic communication in violation of this Article, unless he or she does so with the consent of all of the parties.
720 ILCS 5/14-2. Liability under the statute extends both to the “eavesdropper”—the one who records the conversation—and the “principal”—one who directs someone else to eavesdrop on their behalf. The statute defines both as follows: An eavesdropper is any person, including any law enforcement officer and any party to a private conversation, who operates or participates in the operation of any eavesdropping device contrary to the provisions of this Article or who acts as a principal, as defined in this Article.
A principal is any person who: (1) Knowingly employs another who illegally uses an eavesdropping device in the course of such employment; or (2) Knowingly derives any benefit or information from the illegal use of an eavesdropping device by another; or (3) Directs another to use an eavesdropping device illegally on his behalf.
Id. at 5/14-1 (b)–(c). Plaintiff alleges that FCI violated subsections (3), (4), and (5) of this statute by using Google and Meta’s tracking technologies. (Compl. [1] ¶¶ 253, 267, 269.) Defendant moves to dismiss the alleged violation of subsection (3) of the IES, which creates liability for interception by someone who is not a party to the communications. This provision does not reach FCI, it argues, because the company is a “party” to communications on its website. (See Mot. [9] at 11.) FCI’s status as a party to communications between the website and its users may shield it from liability as an eavesdropper under subsection (3). But the statute imposes liability, as well, on one who “acts as a principal”—defined to include a person who benefits from illegal use of an eavesdropping device. FCI can fairly be held liable as a principal to the eavesdropping of Meta and Google, who are not parties, because FCI “derive[d] a benefit” by receiving detailed engagement analytics, user data, and other valuable information from Google and Meta. See 720 ILCS 5/14(c)(1)–(3); see also Kurowski v. Rush Sys. for Health, 683 F. Supp. 3d 836, 852–53 (N.D. Ill. 2023) (Kennelly, J.) (finding that a healthcare system “can plausibly be considered the principal” under the IES for enabling third-party trackers to collect user data). For its part, FCI does not dispute that it is a “principal” for the purposes of the IES. Instead, the company circles back, arguing that subsection (3) is “definitionally not applicable” to FCI because it is a party to communications—or, in other words, that a “party” to a communication can per se never be a principal. (Reply [18] at 4.) The court does not read the statute this way. Section 5/14-1(c)(3) creates an exception for parties recording their own conversations, but the statute does not extend the same treatment to parties that solicit a third party to record conversations for their benefit. If FCI “knowingly derives” a benefit from Meta and Google’s “illegal use of an eavesdropping device,” it can be held liable as a principal under the plain meaning of the IES. FCI cites no statutory authorities in support of the exception that it believes exists, and the court declines to substitute its judgment for that of the Illinois General Assembly. See Seaman v. Thompson Elecs. Co., 325 Ill. App. 3d 560, 563, 758 N.E. 2d 454, 457 (3d Dist. 2001) (“It is not our province to inject provisions not found in a statute.”).9 FCI has one final objection to the Eavesdropping Act: It argues that the Eavesdropping Act violation should be dismissed because “Plaintiffs fail to establish the knowing and willful aspect of the law.” (Mot. [9] at 12.) The court disagrees. The Complaint alleges that FCI installed at least three third-party trackers (Meta Pixel, Google Analytics, and Google Ads) on its website to “collect and disclose [users’] private and confidential information . . . to unauthorized third parties for its own pecuniary gain.” (Compl. [1] ¶ 8–9.) It is reasonable to infer that FCI installed
9 FCI cites to Stein v. Edward-Elmhurst Health, 23-cv-14515, 2025 WL 580556 (Seeger, J.) (N.D. Ill. Feb. 21, 2025), in support of its reading of § 5/14-1(c)(3). While that opinion does apply the IES’s party exception, it does not analyze nor discuss the exception’s interaction with the “principal” provision of § 5/14-1(c). The parties never raised the argument in their briefs, so the issue was not before the court. (See generally Mem. [39], Opp’n [41], and Reply [43] in 23 C 14515.) In contrast, in Kurowski v. Rush Sys. for Health, 683 F. Supp. 3d 836, 853 (N.D. Ill. 2023), the parties did raise the issue, and Judge Kennelly found that a party to a communication can be held liable as a principal. (See Opp’n [51] in 22 C 5380, at 23–25.) the trackers with the intention of receiving, in exchange, valuable user data that could then be used to craft more cost-effective marketing campaigns. The motion to dismiss claims under the Illinois Eavesdropping Statute is denied. B. Negligence FCI next moves to dismiss the negligence claim. Under Illinois law, the elements of negligence are (1) a duty owed to the plaintiff; (2) a breach of that duty; (3) proximate and actual causation; and (4) an injury. Scott v. Wendy’s Props., 131 F.4th 815, 819 (7th Cir. 2025). FCI does not contest duty, focusing instead on breach and causation.10 (Mot. [9] at 9.) First, as to breach—FCI avers that “Plaintiff[] fail[s] to allege that their reasonable expectations of privacy were violated when they visited the Website or that they had a contractual relationship with the Defendant.” (Id.) FCI cites no authorities in support of this argument, and its reading of Plaintiff’s allegations is overly narrow. Plaintiff does allege that (1) she had a reasonable expectation of privacy, and that (2) FCI breached it by disclosing data to Meta and Google. (See Compl. [1] ¶¶ 25, 134–139 (expectation of privacy); id. ¶¶ 31–33, 132 (breach).) In context, these allegations make it plausible that FCI’s disclosure of personal information breached a duty of care. Further, while FCI criticizes the lack of a “contractual relationship,” FCI does not explain why this relationship is relevant to a claim of negligence. On causation, FCI contends that the Complaint fails “to allege a connection between entering their information into the fields of the Website and the targeted ads they received.” (Mot. [9] at 9.) This misunderstands the injury. Plaintiff does not complain of being shown targeted advertisements—the injury alleged in the complaint is the disclosure of personal information, not
10 FCI also argues that Plaintiff fails on the fourth “injury” prong. (See Reply [18] at 5 (“Simply stated, L.C. has failed to allege how she, specifically, suffered any damages as a result of any breach of duty owed to her.”).) This argument, which was raised for the first time in a reply brief, is forfeited. Bergal v. Roth, 2 F.4th 1059, 1062 n.1 (7th Cir. 2021). In any event, Plaintiff has alleged that FCI disclosed sensitive personal information, which constitutes an injury for the purposes of tort law. the advertisements that resulted from that disclosure. See Adv. Reprod. Health Ctr., No. 24 C 07559, Tr. [42], at 25 (“[T]he injury plaintiffs claim is the disclosure of information about their infertility, not their receipt of advertisements.”). Separately, FCI also argues that the facts do not support Plaintiff’s causation theory, noting that “Plaintiff does not state anywhere in the Complaint that Defendant forced her to do anything on the Website.” (Mot. [9] at 10.) The relevance of this point is not clear. FCI is liable for its own negligence towards users of its website, even if they were not “forced” to use it. Read in the light favorable to Plaintiff, she alleges that she opted to use the website in reliance on FCI’s then-existing Privacy Policy, which provided (apparently misleading) assurances that her data would be kept private and confidential. (Compl. [1] ¶ 109.) Any argument that Plaintiff was somehow contributorily negligent is premature at this stage. The motion to dismiss the negligence count is denied. C. Unjust Enrichment Defendant argues that Plaintiff fails to state a claim for unjust enrichment because Plaintiff has not “alleged sufficient facts regarding the alleged benefit conferred upon (or realized by) Fertility Centers of Illinois.” (Mot. [9] at 10.) Again, the court disagrees. Broadly speaking, unjust enrichment is a doctrine, rooted in contract law, that allows for “liability in restitution” against a party who receives a benefit from the opposing party under circumstances that would make in inequitable for them to retain that benefit. RESTATEMENT (THIRD) OF RESTITUTION AND UNJUST ENRICHMENT § 1 & cmt. A (A.L.I. 2011); see Gagnon v. Schickel, 2012 IL App (1st) 120645, ¶ 25, 983 N.E.2d 1044, 1052. Under Illinois law, to state a claim for unjust enrichment, “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” Hernandez et al. v. Ill. Inst. of Tech., 63 F.4th 661, 671 (7th Cir. 2023) (citation and internal quotation marks omitted). According to FCI, Plaintiff fails to allege that a “benefit” was conferred to FCI because, in its view, the only “compensation paid by Plaintiffs to Defendant would have been for medical services.” (Mot. [9] at 10-11.) This, again, misunderstands Plaintiff's claim. Plaintiff's theory is that FCl was unjustly enriched when it provided third parties with access to private information and received a benefit from those third parties. Personal data profiles amassed by Google and Meta and shared with FCI conferred a benefit on FCI, as described above. FCI does not engage with the substance of this argument; it does not, for example, argue that personal health data cannot constitute a benefit for the purposes of unjust enrichment. Instead, it simply asserts, without citations or argument, that Plaintiff fails to allege any benefit. The motion to dismiss the unjust enrichment claims is denied. D. Electronic Privacy Communications Act For the first time in its Reply Brief, FCl also asks the court to dismiss the claims brought under the Electronic Communications Privacy Act (ECPA). Because the claim was not raised in the opening brief, it is forfeited. See Wonsey v. City of Chicago, 940 F.3d 394, 398 (7th Cir. 2019). FCl is free to raise a similar argument as to the merits of the ECPA claim at an appropriate stage in the proceedings. CONCLUSION The motion to dismiss [9] is denied, and FCI is directed to file its answer within 21 days. ENTER:
Dated: December 8, 2025 Ohler Refaeepe REBECCA R. PALLMEYER United States District Judge