Export Compliance Daily is a Warren News publication.
Filter 'Not Effective'

Meta Can't Show Providers Consented to Send Patients' Info, Says Judge

U.S. District Judge William Orrick for Northern California in San Francisco denied Meta’s motion to dismiss claims it violated the Electronic Communications Privacy Act (ECPA) and California Invasion of Privacy Act (CIPA), along with claims of breach of contract and unjust enrichment, and he granted the motion with leave to amend other claims in the John Doe v. Meta privacy class action, said his Thursday order (docket 3:22-cv-03580).


“John Doe” plaintiffs in the case allege Meta uses its Pixel tracking tool to intercept individuals’ personally identifiable medical information, and the content of patient communications from Facebook users, then monetizes it for financial gain. Plaintiffs plausibly alleged several federal and state law claims and others “need more specificity,” Orrick said.

Plaintiffs’ healthcare providers -- MedStar Health System, Rush University System for Health, WakeMed Health & Hospitals, Ohio State University Wexner Medical Center and North Kansas City Hospital -- allegedly installed the Meta Pixel on their patient portals, and when patients logged into their provider’s websites the Pixel transmitted the data to Meta. That information revealed their status as patients, plaintiffs allege, and Meta monetized it in targeted advertising, said the order.

Meta argues plaintiffs failed to plausibly allege it “purposefully and deliberately” intended to intercept their sensitive health information because third-party web developers, not Meta, choose whether to install Pixel and set parameters on the information sent. Meta claims it seeks to avoid receiving such information by forbidding developers from sending it and filtering out potentially sensitive data detected on the back end, the order said. Though Meta tells third parties and Facebook users it intends to prevent receipt of sensitive data, plaintiffs contend “that is not what Meta really intends” and the filters aren't effective.

Meta didn't cite “anything I can judicially notice on this motion to dismiss to show as a matter of law that the healthcare providers did not just presumably but actually consented to the sending of sensitive healthcare information of its customers,” Orrick said. Determination of whether consent was given depends on what Meta disclosed to healthcare providers and how it trained them on the Pixel, he said, denying the motion to dismiss the ECPA claim.

Orrick disagreed with Meta’s assertions that CIPA claims aren’t applicable because none of the named plaintiffs is a California resident. That contention is “premature” before class certification, the order said. Plaintiffs have plausibly alleged the design and marketing of Pixel technology and creation of Meta’s terms of service occurred in California, and its terms of service “specify that California law applies to disputes between Facebook and its users.” That supports allowing non-resident plaintiffs to assert a claim against a California resident under CIPA, he said.

The judge granted Meta’s motion to dismiss a constitutional privacy claim with leave to amend, saying plaintiffs are required to amend to describe the types or categories of sensitive health information they provided to their healthcare providers via their devices, which can be “general enough” to protect their privacy concerns. Orrick also granted Meta’s motion to dismiss the Comprehensive Computer Data Access and Fraud Act (CDAFA) claims, with leave to amend, saying plaintiffs didn’t support their argument that an “inability” to use their computer devices to communicate with their healthcare providers in the future is a "cognizable form of loss or damage" actionable under the CDAFA.

Plaintiffs plausibly alleged Meta breached promises in breach of contract and breach of the duty of good faith claims, Orrick said, denying the defendant's motions to dismiss. Meta “ignores plaintiffs’ detailed and plausible allegations regarding how and why the transfer of sensitive or protected information is necessary for Meta’s advertising services to function in the way Meta advertised those services,” plus allegations it knew its filter wasn't effective, he said.

Orrick also denied the motion to dismiss an unjust enrichment claim. Orrick granted Meta’s motion to dismiss a negligence per se claim with leave to amend so plaintiffs can “attempt to identify a state law source of the duty of care.” He also granted, with leave to amend, the motions to dismiss claims of trespass to chattels, larceny and violations of the Unfair Competition Law and Consumers Legal Remedies Act.