A federal judge has determined Facebook’s corporate parent Meta can’t completely escape class actions rooted in allegations of violating privacy laws through “tracking pixels” that allowed surveillance of private health care information.
U.S. District Judge William Orrick issued an opinion Sept. 7 in a case brought by “five Facebook users who are proceeding anonymously due to the sensitive nature of this litigation.” The users say their health care providers — MedStar Health System, Rush University System for Health, WakeMed Health & Hospitals, Ohio State University Wexner Medical Center and North Kansas City Hospital — installed what the company calls the “Metal Pixel” on patient portal websites.
According to the complaint, the pixel redirects information to Meta in a manner that reveals their patient status and allowed Meta to make money selling targeted advertising. Orrick said he denied the plaintiffs’ motion for a preliminary injunction because their proposed solutions presented a challenge of technical feasibility “and the balance of equities and public interest factors” didn’t support a court order.
In February 2023, the interim class counsel filed a 13-count consolidated class action, which included allegations of violating the Electronic Communications Privacy Act and the California Invasion of Privacy Act, Unfair Competition Law, Consumer Legal Remedies Act and Comprehensive Computer Data Access and Fraud Act.
Meta moved to dismiss the entire complaint. Regarding the ECPA, it argued the complaint acknowledged it was third-party web developers that chose whether to deploy and how to configure the Pixel while also acknowledging “Meta seeks to avoid receiving sensitive information by contractually forbidding developers from sending it and filtering out any potentially sensitive data it detects on the back end,” according to Orrick, who noted the complaint alleged what Meta promises third parties and Facebook users is different from how it operates.
“What Meta’s true intent is, what steps it actually took to prevent receipt of health information, the efficacy of its filtering tools, and the technological feasibility of implementing other measures to prevent the transfer of health information, all turn on disputed questions of fact that need development on a full evidentiary record,” Orrick wrote.
Orrick also agreed the plaintiffs adequately alleged the Pixel transfers data is protected and said the full scope of that dispute also requires additional evidence. The same was true regarding the laws exemption for information intercepted as a result of one party’s consent, which Meta argued was triggered when the health care systems decided to install the pixel.
“Determination of whether actual consent was given depends on what Meta disclosed to health care providers, how it described and trained health care providers on the Pixel, and how the health care providers understood the Pixel worked and the information that then could or would be collected by Meta,” Orrick wrote. “These evidence-bound determinations are inappropriate to reach on this motion.”
On the state law claims, Meta argued for dismissal because none of the plaintiffs are Californians. Orrick again rejected that reasoning. First, the judge noted the “contention is arguably premature.” Then the judge agreed the plausible allegation the design and marketing of the technology central to the allegations happened in California. And third, the judge cited Facebook’s service terms, which stated “California law applies to disputes between Facebook and its users.”
Orrick did agree to dismiss the plaintiffs’ invasion of privacy claims, but gave leave to amend the complaint to include allegations about what specific personal and private information Meta accessed through its Pixel. He also agreed to dismiss a claim for compensatory damages under the CDAFA unless the plaintiffs can strengthen their claims of being precluded from communicating with medical providers or seeing value of their private data diminished.
Although Orrick said Facebook’s service terms don’t bar breach of contract claims, despite a liability limitation clause, he did agree Meta has room to request a limit on potential damages, such as during motions for summary judgment. He also agreed the plaintiffs plausibly alleged the company breached contractual promises and said the unjust enrichment claim also should survive because the plaintiffs alleged they have no other potential legal remedies.
Orrick dismissed the complaint’s negligence claim, writing the plaintiffs can only advance that theory if they show which state law established the standard of care they allege Meta violated. He said the plaintiffs relied only on the federal Health Insurance Portability and Accountability Act, but said federal district and appellate courts have rejected that law as a basis for negligence claims. He also said the plaintiffs failed to allege “any functionality inherent in their computing devices has been impacted by Meta’s conduct,” undercutting their claim under the state’s “trespass to chattels” protections.
The plaintiffs larceny claim failed absent a showing Meta used false pretenses to knowingly obtain private information and that the plaintiffs transferred their personal data through a reliance on the false representation.
Finally, regarding claims of violating the UCL, Orrick agreed the plaintiffs never alleged they were in the market of deriving economic value from their personal health data, which means they can’t show any loss of money or property interest deriving from the value of that information. As to the CLRA, Orrick said, Meta successfully argued the plaintiffs never claimed to see or rely on the misrepresentations centering the allegation. As with every other dismissed claim, he granted them leave to amend.
Any amended complaint is due by Sept. 27, the judge said.
Plaintiffs are represented in the case by attorneys Jason ‘Jay’ Barnes, of Simmons Hanly Conroy, of New York; Geoffrey Graber, of Cohen Milstein Sellers & Toll, of Washington, D.C.; Jeffrey A. Koncius, of Kiesel Law, of Beverly Hills; Beth E. Terrell, of Terrell Marshall Law Group, of Seattle; and Andre M. Mura, of Gibbs Law Group, of Oakland.
Meta is represented by attorneys Lauren P. Goldman, Darcy C. Harris, Elizabeth K. McCloskey, Abigail A. Barrera and Andrew M. Kasabian, of Gibson Dunn & Crutcher, of San Francisco and Irvine; and Michael G. Rhodes, Kyle C. Wong and Caroline A. Lebel, of Cooley LLP, of San Francisco.