Opinion
2:23-cv-01548-JHC
11-14-2024
JESUS CASTILLO, MARK KNOWLES, ALEX RODRIGUEZ, NICHOLAS JAMES THROLSON, R.S., KIMBERLY SCOTT, ROBIN WARBEY, DANIEL SMITH, MATT GROVES, VERN DEOCHOA, TYRONE WASHINGTON, individually, and on behalf of those similarly situated, Plaintiffs, v. COSTCO WHOLESALE CORPORATION, a Washington corporation, Defendant.
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS
John H.Chun United States District Judge
I Introduction
This matter comes before the Court on Defendant Costco Wholesale Corporation's Motion to Dismiss Under Rule 12(b)(6). Dkt. # 45. Plaintiffs Jesus Castillo, Mark Knowles, Alex Rodriguez, Nicholas James Throlson, R.S., Kimberly Scott, Robin Warbey, Daniel Smith, Matt Groves, Vern DeOchoa, and Tyrone Washington, individually and on behalf of all others similarly situated, filed a consolidated complaint alleging that Costco installed third-party tracking technologies such as the Meta Pixel (Pixel) to use and disclose personal health data collected from Plaintiffs' interactions with Costco's pharmacy website. Dkt. # 29 (redacted) at 1-4, ¶¶ 1-8. Costco seeks dismissal under Federal Rule of Civil Procedure 12(b)(6), contending that Plaintiffs fail to state a claim upon which relief can be granted. Dkt. # 45. The Court has reviewed the materials filed in support of and in opposition to the motion, the rest of the case file, and the governing law. Being fully advised, the Court GRANTS in part and DENIES in part the motion. And the Court GRANTS Plaintiffs leave to file an amended complaint.
II Background
The Court takes as true the facts alleged in the consolidated complaint. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); Dkt. # 29. Costco is a multinational company that operates, among other services, a pharmacy. Id. at 2-3, ¶ 2. Costco encourages customers to use its pharmacy website to search for prescriptions and immunizations, order prescriptions, request refills of prescriptions, and search for health insurance. Id. Costco ensures customers that their interactions with its pharmacy website are secure and that it safeguards customers' personal health data. Id. But Plaintiffs allege that Costco does not disclose that it uses third-party tracking technologies to record and share customers' personal health data. Id. Costco installed the Pixel, among other tracking technologies, on its pharmacy website. Id. at 3, ¶ 3.
The Pixel tracks customers' interactions with Costco's pharmacy website. Id. at 3-4, ¶¶ 3-4. The Pixel can, for example, track what search terms a customer inputs or what options a customer selects by recording detailed URLs that are triggered each time a customer enters information. Id. at 26-34, ¶¶ 89-103. The data collected by the Pixel can be linked to a customer's identity through their personal Facebook account. Id. at 23-24, ¶¶ 78-81. If the customer does not have a personal Facebook account, their data can be stored and connected with the customer if they later decide to create an account. Id. The data of customers' interactions with Costco's pharmacy website are then transmitted to Meta Platforms Inc. (Meta), which aggregates the data and synthesizes it for advertising purposes. Id. at 26, ¶¶ 88-90. Costco installed the Pixel to increase profitability by leveraging Meta's targeted advertising services. Id. at 18, ¶¶ 57-59.
Plaintiffs searched for, ordered, or refilled prescriptions on Costco's website and, while doing so, generally remained logged into their personal Facebook accounts. Id. at 6-10, ¶¶ 1525. Some Plaintiffs later received targeted advertisements for specific prescriptions. Id. at 9-10, ¶ 25. Because Plaintiffs never consented to Costco's use of third-party tracking technologies to use or disclose their personal health data, id. at 5, ¶ 11, they claim, individually and on behalf of a putative nationwide class and California and Florida subclasses, that Costco violated these federal and state statutes: (1) the federal Wiretap Act, 18 U.S.C. § 2511(1); (2) the Washington Privacy Act (WPA), RCW Chapter 9.73.030 et seq.; (3) the Washington Consumer Protection Act (WCPA), RCW Chapter 19.86 et seq.; (4) the Washington Uniform Health Care Information Act (WUHCIA), RCW Chapter 70.02 et seq.; (5) the California Invasion of Privacy Act (CIPA), Cal. Pen. Code § 630, et seq. (on behalf of California subclass); (6) the California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code § 56, et seq. (on behalf of California subclass); and (7) the Florida Security of Communications Act (FSCA), Fla. Stat. Ann. § 934.10, et seq. (on behalf of Florida subclass). Plaintiffs also bring four common law claims individually and on behalf of the putative nationwide class: (1) invasion of privacy; (2) breach of implied contract; (3) conversion; and (4) unjust enrichment. Dkt. # 29 at 49-72, ¶¶ 153-287.
III Discussion
In reviewing a motion to dismiss under Rule 12(b)(6), the Court takes all well-pleaded factual allegations as true and determines whether the complaint “state[s] a claim to relief that is plausible on its face.” Iqbal, 556 U.S. at 678 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678. Although the Court draws all reasonable inferences in favor of Plaintiffs, the Court is not “required to accept as true allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). The Court may grant leave to amend a dismissed claim when it is possible that the claim can be cured with additional factual allegations. Ebner v. Fresh, Inc., 838 F.3d 958, 963 (9th Cir. 2016).
A. Choice of Law
Costco contends that the CIPA, CMIA, and FSCA claims should be dismissed because Washington law governs under a choice-of-law provision and Washington's choice-of-law rules. Because Plaintiffs do not explain how discovery would yield specific facts that would meaningfully aid the choice-of-law analysis, the Court declines to defer the choice-of-law analysis of the state statutory claims to the class-certification stage. Dkt. # 49 at 11-12; see Heinz v. Amazon.com Inc., 2024 WL 2091108, at *3 (W.D. Wash. May 8, 2024). For the reasons below, the Court concludes that Washington law does not exclusively govern Plaintiffs' state statutory claims. The Court does not engage with choice of law as to Plaintiffs' common law claims because the parties agree to defer such analysis. See Dkt. ## 45 at 29-30 n.2; 49 at 11 (“[T]he only claims Plaintiffs bring based on non-Washington law are statutory claims.”).
1. Choice-of-Law Provision
Costco says that a choice-of-law provision in Section Q of Costco's website's terms and conditions subjects all claims arising out of use of Costco's website to Washington law. Dkt. ## 45 at 15-17; 46-2 at 8. But Costco conflates a choice-of-law provision with a forumselection clause. Section Q, titled “Applicable Law, Venue and Limitation of Actions,” first provides a choice-of-law provision stating, “These Site Terms shall be governed by and construed in accordance with the laws of the State of Washington applicable to agreements made and entirely to be performed within Washington, without resort to its conflict of law provisions.” Dkt. # 46-2 at 8 (emphasis added). This choice-of-law provision provides only that Washington law governs interpretation of the terms and conditions; it does not provide that Washington law governs all disputes arising out of use of Costco's website. Cf. Garner v. Amazon.com, Inc., 603 F.Supp.3d 985, 994 (W.D. Wash. 2022) (holding that Washington law governed a dispute in which a choice-of-law provision stated that Washington law “will govern these Conditions of Use and any dispute of any sort that might arise between you and Amazon”) (emphasis added). The “arising out of” language in the second part of Section Q pertains to a forum-selection clause that does not bear on what law applies to Plaintiffs' state statutory claims.
The rest of Section Q states: “Regardless of where you access the Sites, you agree that any action at law or in equity arising out of or relating to the Site Terms shall be filed and adjudicated only in the federal or state courts located in Seattle, Washington, and you hereby irrevocably and unconditionally consent and submit to the exclusive jurisdiction and venue of such courts over any suit, action or proceeding arising out of the Site Terms.” Dkt. # 46-2 at 8.
2. Washington's Choice-of-Law Rules
Plaintiffs' CIPA, CMIA, and FSCA claims cannot be dismissed under Washington's choice-of-law rules. Knapke v. PeopleConnect, Inc., 38 F.4th 824, 832 (9th Cir. 2022) (“District courts sitting in diversity apply the choice-of-law rules of the forum state.”). Washington applies the “most significant relationship” test under Restatement (Second) of Conflict of Laws (Restatement) § 145 (1971). FutureSelect Portfolio Mgmt., Inc. v. Tremont Grp. Holdings, Inc., 331 P.3d 29, 36 (Wash. 2014). If there is no actual conflict between the law of Washington and the law of another state, then Washington law applies. See id. If there is an actual conflict, Restatement § 145 requires examining contacts to determine the state that has the “most significant relationship” to the disputed issue.
There is an actual conflict between the WPA and the CIPA, CMIA, and FSCA. In contending that there is no conflict, Costco relies solely on Garner, in which the plaintiffs brought claims under various states' wiretap statutes alleging that Amazon's Alexa devices surreptitiously recorded, stored, and transmitted their communications. 603 F.Supp.3d at 991; dkt. ## 45 at 15-17, 50 at 12-13. There, the parties agreed that there is no conflict between the WPA, CIPA, and FSCA. 603 F.Supp.3d at 995. But courts have recognized that there are “material differences” between the wiretap statutes of each state. Doe v. Kaiser Found. Health Plan, Inc., 2024 WL 1589982, at *12-13 (N.D. Cal. Apr. 11, 2024) (citation omitted). One court considering a case involving the Pixel granted a motion to dismiss in part as to a WPA claim but denied it in part as to a CIPA claim. See In re Meta Pixel Tax Filing Cases (In re Meta Pixel Tax Filing Cases I), 2024 WL 1251350, at *3-8 (N.D. Cal. Mar. 25, 2024). For textual reasons specific to the WPA discussed infra Section III.C.3, the Court concludes that the WPA does not protect the personal health data here. Because Costco has not shown that the textual issues warranting dismissal of the WPA claim similarly warrant dismissal of the CIPA, CMIA, and FSCA claims, the Court concludes that there is an actual conflict.
When there is an actual conflict, Restatement § 145 requires assessing contacts to determine which state has the “most significant relationship” to the disputed issue. Under Restatement § 145(2), the contacts to be considered include: (a) the place where the injury occurred; (b) the place where the conduct causing the injury occurred; (c) the domiciles of the parties; and (d) the place where the relationship between the parties is centered. Restatement § 145(2) also incorporates consideration of principles set forth in Restatement § 6 such as “the relevant policies of other interested states and the relative interests of those states in the determination of the particular issue.” In Garner, the court held that even assuming there was an actual conflict, Washington had the most significant relationship because
the injury-causing conduct (the design, marketing, and sale of products that unlawfully record conversations) occurred in or was orchestrated from Washington, the place of injury (the location of the millions of devices sold) was fortuitous and widespread, the wiretap laws of the other interested states are similar such that the legislative interests of other states can be protected under Washington law, and application of Washington law is consistent with the expectations of the parties as indicated in their contractual choice-of-law provision.603 F.Supp.3d at 995-96.
Garner is distinguishable. As discussed supra Section III.A.1, there is no choice-of-law provision mandating the application of Washington law for all disputes arising out of use of Costco's website. And because the place of the injury and place of the conduct are “of less significance” when the injury is intangible and occurred in multiple states, the crucial factors are the relevant states' interests. Tilden-Coil Constructors, Inc. v. Landmark Am. Ins. Co., 721 F.Supp.2d 1007, 1016 (W.D. Wash. 2010). In Garner, the court recognized that the WPA “is considered one of the most restrictive [wiretap statutes] in the nation.” 603 F.Supp.3d at 996 (quoting State v. Townsend, 57 P.3d 255, 258 (Wash. 2002)). Because the WPA would match or exceed the protections offered by other wiretap statues, no states' privacy interests were undermined by the court's applying Washington law and denying in part Amazon's motion to dismiss the WPA claim as to unregistered users who had not consented to Amazon's data collection practices. Id. at 995-99. Nor were other states' privacy interests undermined by the court's applying Washington law and granting in part Amazon's motion to dismiss the WPA claim as to registered users who had so consented because consent is a common exception to wiretap claims. Id. By contrast, here, dismissing claims brought under the CIPA and FSCA based on statutory gaps unique to the WPA would not protect California and Florida's privacy interests under their wiretap statutes. Moreover, the domiciles of the parties and places where the relationships between the parties are centered favor applying California and Florida law. All Plaintiffs were either domiciled in California or Florida and entered into relationships with Costco in their respective states. Dkt. # 29 at 6-10, ¶¶ 15-25. “Because wiretapping statutes are designed to protect the privacy interests of individual members, the residences of the individuals are more important to the respective sovereign than the residence of the alleged wrongdoer.” Kaiser Found. Health Plan, Inc., 2024 WL 1589982, at *12-13 (assessing states' interests under California's choice-of-law rules). Under Washington's choice-of-law rules, California and Florida have the most significant relationships to their respective Plaintiffs' claims.
The CIPA prohibits wiretapping of communications “without the consent of all parties to the communication.” Cal. Pen. Code § 631(a). Similarly, the FSCA makes it lawful “for a person to intercept a wire, oral, or electronic communication when all of the parties to the communication have given prior consent to such interception.” Fla. Stat. Ann. § 934.03(2)(d).
Thus, Plaintiffs' CIPA, CMIA, and FSCA claims cannot be dismissed on choice-of-law grounds.
B. Wiretap Act Claim (Count I)
Plaintiffs state a claim under the federal Wiretap Act. Subject to certain exceptions, the Wiretap Act (also known as the Electronic Communications Privacy Act) prohibits a person from intentionally using or disclosing to any other person “the contents” of an intercepted electronic communication. 18 U.S.C. § 2511(1)(c)-(d). Costco contends: (1) that Plaintiffs have not alleged that it intercepted “the contents” of an electronic communication; and (2) that it is protected under an exemption for any person who “is a party to the communication.” Dkt. # 45 at 19-21 (citing 18 U.S.C. § 2511(2)(d)).
1. “Contents” of a communication
Plaintiffs plausibly allege that Costco used and disclosed the “contents” of their communications. The Wiretap Act defines “contents” as including “any information concerning the substance, purport, or meaning of [a] communication.” 18 U.S.C. § 2510(8). The Ninth Circuit has distinguished protected “contents” of a communication from unprotected “record” information. In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). Whereas “contents” of a communication are “the intended message conveyed by the communication,” “record” information is “information regarding the characteristics of the message that is generated in the course of the communication.” Id. In In re Zynga Priv. Litig., the Ninth Circuit held that the transmission of a Facebook user's identity and the address of the webpage on which the user clicked a button to view another webpage is not prohibited under the Wiretap Act because such data are merely “record” information rather than “contents” of a communication. Id. at 1106-07; but see In re Vizio, Inc., Consumer Priv. Litig., 2017 WL 11420284, at *6 (C.D. Cal. July 25, 2017) (holding that software that automatically sends information about programming displayed on a TV intercepts “contents” of a communication because the “intended message conveyed by the communication is the program that the consumer is watching.”) (quotation marks and citation omitted). But the Ninth Circuit also observed that an individual's identity and a webpage address are not categorically “record” information. For example, when a user “communicate[s] with [a] website by entering their personal medical information into a form provided by a website,” such information constitutes “contents” of a communication. In re Zynga Priv. Litig., 750 F.3d at 1107 (citing In re Pharmatrak, Inc., 329 F.3d 9, 15, 18-19 (1st Cir. 2003)). Similarly, “a user's request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” Id. at 1108-09. Plaintiffs allege that they searched for information about “patient status, prescriptions, underlying health conditions, and other Sensitive Information.” Dkt. # 29 at 51, ¶ 164. These searches are “contents” of a communication protected under the Wiretap Act. See In re Meta Pixel Healthcare Litig., 647 F.Supp.3d 778, 795-96 (N.D. Cal. 2022) (“descriptive URLs” constitute “contents” of a communication).
That Plaintiffs' do not allege that the Pixel was installed on the webpages customers view when they log into their Costco pharmacy patient portals is immaterial. Costco says that without such an allegation, the connections between Plaintiffs' browsing histories of publicly available webpages and their health conditions are “too tenuous” to be the type of content that the Wiretap Act was intended to protect. Dkt. # 45 at 20 (quoting Smith v. Facebook, Inc. (Smith II), 745 Fed.Appx. 8, 9 (9th Cir. 2018)). Costco relies on cases in which courts have held that data about the browsing history of publicly available webpages are not protected under the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq. Compare Smith II, 745 Fed.Appx. at 9 with Kane v. Univ. of Rochester, 2024 WL 1178340, at *6 (W.D.N.Y. Mar. 19, 2024). But Costco cites no authority suggesting that data must be protected under HIPAA to be “contents” of communications protected under the Wiretap Act. Whether HIPAA protects Plaintiffs' data bears on the applicability of the crime-tort exception discussed infra Section III.B.2, and not on whether Plaintiffs' data constitute “contents” of a communication. See Katz-Lacabe v. Oracle Am., Inc., 668 F.Supp.3d 928, 944-45 (N.D. Cal. 2023) (although there is no “blanket rule that all entries in a web form are content,” entries not pertaining to “personal medical information” can still constitute “contents” of a communication); see also Brown v. Google LLC, 685 F.Supp.3d 909, 935-36 (N.D. Cal. 2023) (URLs revealing general private browsing data constitute “contents” under the Wiretap Act); Heerde v. Learfield Commc'ns, LLC, 2024 WL 3573874, at *6, 11 (C.D. Cal. July 19, 2024) (same).
Because Plaintiffs searched for specific prescriptions, the URLs used and disclosed by Costco constitute “contents” of a communication. See M.G. v. Therapymatch, Inc., 2024 WL 4219992, at *3-4 (N.D. Cal. Sept. 16, 2024); In re Grp. Health Plan Litig., 709 F.Supp.3d 707, 718 (D. Minn. 2023); Smith v. Loyola Univ. Med. Ctr., 2024 WL 3338941, at *6 (N.D. Ill. July 9, 2024). Although some of the data that Plaintiffs allege the Pixel transmitted, such as the “buttons they click,” dkt. # 29 at 23, ¶ 77, may be “record” information rather than the “contents” of a communication, Plaintiffs have adequately alleged at this stage that some of the information Costco used and disclosed is protected under the Wiretap Act. R.C. v. Walgreen Co., 2024 WL 2263395, at *16 (C.D. Cal. May 9, 2024).
2. “Party” to the communication and the crime-tort exception
Although Plaintiffs do not dispute that Costco is “a party to the communication,” dkt. # 49 at 14-17, they plausibly allege that Costco is still liable because it “intercepted [their data] for the purpose of committing [a] criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d). To invoke this “crime-tort exception,” Plaintiffs must allege that Costco acted with a “criminal or tortious purpose [that is] separate and independent from the act of the recording.” Planned Parenthood Fed'n of Am., Inc. v. Newman, 51 F.4th 1125, 1136 (9th Cir. 2022). Plaintiffs assert that the crime-tort exception applies because Costco intended to violate HIPAA and state tort and criminal laws. Dkt. ## 29 at 51-52, ¶ 166; 49 at 15.
Because the Wiretap Act defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device,” the terms “intercept” and “record” can be used interchangeably in the context of discussing the crime-tort exception. 18 U.S.C. § 2510(4). For consistency, the Court uses the term “intercept.”
a. Criminal or tortious purpose “independent” of intercepting data
Costco says that the crime-tort exception does not apply because Plaintiffs do not allege that Costco acted with a criminal or tortious purpose independent of the purpose of intercepting Plaintiffs' data. Dkt. # 50 at 4. But Plaintiffs allege that Costco not only intercepted their data, but also used their data to generate targeted advertisements for financial gain. Dkt. # 29 at 51, ¶¶ 164-65; B.K. v. Eisenhower Med. Ctr. (Eisenhower Med Ctr. II), 2024 WL 2037404, at *4 (C.D. Cal. Apr. 11, 2024) (acknowledging that a violation of HIPAA can constitute independent conduct such that the crime-tort exception would apply); cf. Nienaber v. Overlake Hosp. Med. Ctr., 2024 WL 2133709, at *15 (W.D. Wash. May 13, 2024) (holding that the crime-tort exception did not apply because the plaintiff “fails to plead a tortious or criminal use of the acquired communications, separate from the recording, interception, or transmission”) (emphasis added). The Court disagrees that use of health information “inheres in the alleged interception.” Kaiser Found. Health Plan, Inc., 2024 WL 1589982, at *10. The Wiretap Act expressly provides different subsections prohibiting the intentional interception, use, and disclosure of electronic communications. 18 U.S.C. § 2511(1)(a)-(c). In setting forth the crime-tort exception, the Wiretap Act expressly distinguishes between the interception of communications and a separate criminal or tortious purpose by providing that the communication must be “intercepted for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d) (emphasis added). The Wiretap Act does not distinguish between the use of communications and a separate criminal or tortious purpose. Indeed, the use of intercepted communications is often the criminal or tortious purpose. See Sussman v. Am. Broad. Companies, Inc., 186 F.3d 1200, 1202 (9th Cir. 1999) (“Under section 2511, the focus is not upon whether the interception itself violated another law; it is upon whether the purpose for the interception-its intended use-was criminal or tortious.”) (quotation marks and citation omitted). The Ninth Circuit has favorably cited a Second Circuit decision that states, “if, at the time of the recording, the offender plans to use the recording to harm the other party to the conversation, a civil cause of action exists under the Wiretap Act.” Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010) (cited in Newman, 51 F.4th at 1136). The Court concludes that alleging a defendant intercepted data to use the data in violation of criminal or tort laws suffices to invoke the crime-tort exception. See In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 797 (suggesting that in a motion to dismiss context, “[t]here is a not-insignificant chance . . . that plaintiffs may be able to show that the crime-tort exception applies” where they allege that the defendant uses patient data for advertising); Kurowski v. Rush Sys. for Health (Kurowski III), 2023 WL 8544084, at *3 (N.D. Ill.Dec. 11, 2023); Kane, 2024 WL 1178340, at *7-8; Mekhail v. N. Mem 'I Health Care, 2024 WL 1332260, at *5 (D. Minn. Mar. 28, 2024); Cooper v. Mount Sinai Health Sys., Inc., 2024 WL 3586357, at *8 (S.D.N.Y. July 30, 2024).
Because Plaintiffs' allegation that Costco used their data to generate targeted advertisements for financial gain can satisfy the crime-tort exception, the Court does not consider whether disclosure of data alone (without a further use of the data) can constitute criminal or tortious conduct independent of recording the data. Compare Nienaber, 2024 WL 2133709, at *15 (holding that there is no distinction between “the act of recording and the act of transmitting” information), with Planned Parenthood Fed'n of Am., Inc. v. Ctr. for Med. Progress, 214 F.Supp.3d 808, 828 (N.D. Cal. 2016) (observing that a defendant's “subsequent disclosure of the contents of the intercepted conversations for the alleged purpose of further invading the privacy of plaintiffs' staff” can satisfy the crime-tort exception), and A.D. v. Aspen Dental Mgmt., Inc., 2024 WL 4119153, at *3 (N.D. Ill. Sept. 9, 2024) (“Plaintiffs plausibly allege that Aspen intended to violate HIPAA when it transmitted Plaintiffs' information to third parties, which is distinct from the improper interception at issue in the [Wiretap Act] claim.”), and B.K. v. Desert Care Network, 2024 WL 1343305, at *6 (C.D. Cal. Feb. 1, 2024) (same).
The Court also concludes that the crime-tort exception applies even when a defendant intercepts data for the purpose of financial gain. In In re Meta Pixel Healthcare Litig., the court observed that courts in the Northern District of California have held that the crime-tort exception is “inapplicable where the defendant's primary motivation was to make money, not to injure plaintiffs tortiously.” 647 F.Supp.3d at 797 (citing Rodriguez v. Google LLC, 2021 WL 2026726, at *6 n.8 (N.D. Cal. May 21, 2021) and In re Google Inc. Gmail Litig., 2014 WL 1102660, at *18 n.13 (N.D. Cal. Mar. 18, 2014)). But the court also held that “the authority in this district finding that liability does not lie where a defendant's primary motivator was to make money” supported concluding that the plaintiffs had not shown the law and facts clearly favored their position for granting a preliminary injunction. Id. The court expressly observed that the plaintiffs' “claim will present differently in,” as here, “a motion to dismiss context.” Id.
The two cases cited in In re Meta Pixel Healthcare Litig. are unpersuasive. Neither case involved health data that could implicate HIPAA. See Sweat v. Houston Methodist Hosp., 2024 WL 3070184, at *4 (S.D. Tex. June 20, 2024) (distinguishing In re Google Inc. Gmail Litig. because it did not involve allegations that defendants violated HIPAA). Both cases also rely on a single case from the Southern District of New York. See In re Google Inc. Gmail Litig., 2014 WL 1102660, at *18 n.13 (citing In re DoubleClick Inc. Priv. Litig., 154 F.Supp.2d 497, 518 (S.D.N.Y. 2001)); Rodriguez, 2021 WL 2026726, at *6 n.8 (same). In re DoubleClick Inc. Priv. Litig. is distinguishable because there, the plaintiffs did not allege a HIPAA violation and the court held that there was an “utter lack of evidence that [defendant's] intent has been tortious” and that defendant's “purpose has plainly not been to perpetuate torts on millions of Internet users.” 154 F.Supp.2d at 519 (emphasis added). A more recent decision from the Southern District of New York involving the use of the Pixel to intercept health data joined other district courts in rejecting the proposition that the crime-tort exception is inapplicable when a defendant's purpose is financial gain. Gay v. Garnet Health, 2024 WL 4203263, at *3-4 (S.D.N.Y. Sept. 16, 2024) (collecting cases). The Court agrees that there is no bright-line rule insulating financial motives from the crime-tort exception. See Mekhail, 2024 WL 1332260, at *5 n.4; see also Aspen Dental Mgmt., Inc., 2024 WL 4119153, at *3.
b. HIPAA violation
Plaintiffs plausibly allege that Costco intercepted data to violate HIPAA. HIPAA makes it a crime for covered entities to knowingly disclose private individually identifiable health information “with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.” Cooper, 2024 WL 3586357, at *7 (quoting 42 U.S.C. § 1320d-6). “Individually identifiable health information” (IIHI) is defined as any identifiable information created or received by the covered entity that “relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.” 42 U.S.C. § 1320d(6). Such information need not directly identify the individual; all that is required is that “there is a reasonable basis to believe that the information can be used to identify the individual.” Id. Plaintiffs say that they used Costco's website not only to search for the availability and pricing of drugs, but also to buy and refill prescriptions, to transfer prescription medications from another pharmacy to Costco's pharmacy, and to review co-pay information. Dkt. # 29 at 6-10, ¶¶ 15-25. Plaintiffs allege that Costco used and disclosed data including “patient status; prescription information (including specific drugs and pricing information); immunization information; treatments; patient location; and health insurance coverage” that could be linked to them through their personal Facebook accounts. Id. at 26, 51, ¶¶ 89, 164. The use and disclosure of such information plausibly violates HIPAA because such information can be used to identify individuals and “relates to . . . the provision of health care.” 42 U.S.C. § 1320d(6); 45 C.F.R. § 160.103 (defining “health care” to include “[s]ale or dispensing of a drug . . . in accordance with a prescription”).
Plaintiffs' failure to allege that Costco installed the Pixel on webpages viewed after an individual logs into their patient portal is again immaterial. Contrary to Costco's assertions, Smith v. Facebook, Inc. (Smith I), 262 F.Supp.3d 943 (N.D. Cal. 2017), aff'd, Smith II, 745 Fed.Appx. 8, is distinguishable. In Smith I, the plaintiffs alleged that defendants disclosed private information about the plaintiffs' web browsing activity on websites that publish information about medical conditions and treatments (e.g., http://www.cancer.net/). Id. at 947. The plaintiffs alleged that the defendants collected IIHI in the form of URLs “containing information about treatment options for melanoma, information about a specific doctor, search results related to the phrase ‘intestine transplant,' a wife's blog post about her husband's cancer diagnosis, and other publicly available medical information.” Id. at 954-55 (footnotes omitted). The court held that because the pages contained “general health information that is accessible to the public at large,” the information in the URLs did not relate to the “health or condition of an individual.” Id. at 955 (quoting 45 C.F.R. § 160.103). The Ninth Circuit affirmed in an unpublished decision, holding that “[i]nformation available on publicly accessible websites stands in stark contrast to . . . information that unequivocally provides a window into an individual's personal medical history.” Smith II, 745 Fed.Appx. at 9.
But here, Plaintiffs do not merely allege that Costco collected information about their searches for general medical treatment options. Plaintiffs allege that Costco collected information about their searches for specific prescription drugs, health insurance coverage, and location. Dkt. # 29 at 6-10, 26, ¶¶ 15-25, 89; cf. Nienaber, 2024 WL 2133709, at *4-6 (acknowledging that information collected from publicly available webpages can constitute IIHI but dismissing the plaintiff's claims because she did not plead “what information she entered” on defendant's website). Plaintiffs also allege that they refilled prescriptions through Costco's website and that Costco can collect information about when an individual clicks a “Refill Prescription” button that prompts a “Sign In” page. Dkt. # 29 at 6-10, 32, ¶¶ 15-25, 100; see In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 793 (“The act of navigating to a patient portal on a healthcare provider's website is not the general internet browsing contemplated in Smith.”). As the court in Walgreen Co., recognized, “An internet user might research medical information for reasons unrelated to the user's own health conditions. But an internet user is very unlikely to purchase [specific prescriptions] for reasons unrelated to the user's own health conditions.” 2024 WL 2263395, at *8. Thus, Costco may have collected data that “relates to” Plaintiffs' individualized health conditions even though they do not allege that their data were collected while they were logged into their patient portals. 42 U.S.C. § 1320d(6); Cousin v. Sharp Healthcare (Cousin II), 702 F.Supp.3d 967, 972-73 (S.D. Cal. 2023); see also St. Aubin v. Carbon Health Techs., Inc., 2024 WL 4369675, at *12 (N.D. Cal. Oct. 1, 2024) (distinguishing Smith I). Plaintiffs plausibly allege that the crime-tort exception applies because Costco violated HIPAA.
The crime-tort exception could also apply based on Plaintiffs' various state-law claims. See In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 797. But Plaintiffs do not specifically identify which state-law claims are criminal and tortious in their response. Dkt. # 49 at 14-17. Because the Court concludes that Plaintiffs have plausibly alleged the crime-tort exception under HIPAA, the Court does not reach whether Plaintiffs also adequately plead the crime-tort exception under their state-law claims.
The Court denies Costco's motion to dismiss the Wiretap Act claim.
C. Washington Privacy Act Claim (Count II)
Plaintiffs do not state a claim under the WPA. Subject to exceptions, the WPA prohibits a corporation from intercepting or recording a private communication or conversation without first obtaining the consent of all persons engaged in the conversation. RCW Chapter 9.73.030. Costco contends (1) Plaintiffs do not allege an injury under the WPA; (2) Plaintiffs sued the wrong defendant because it is Meta, not Costco, that intercepted the communications; and (3) browsing history data is not a “communication” protected by the WPA. Dkt. # 45 at 17-19. Although Plaintiffs allege an injury and properly sued Costco, they fail to allege that browsing history data is a “communication” protected by the WPA.
1. Injury
Plaintiffs plausibly allege injury under the WPA. Standing under the WPA requires injury to a business, person, or reputation. RCW Chapter 9.73.060. As discussed infra Section III.F.1, Plaintiffs have adequately pleaded injury under the WCPA by alleging that the economic value of their personal health data was diminished. For the same reasons, Plaintiffs state an injury under the WPA. See Kaiser Found. Health Plan, Inc., 2024 WL 1589982, at *36 (deprivation of the “right to monetize [] personal health information” can establish injury under the WPA).
Contrary to Costco's contention, Jones v. Ford Motor Co. (Jones I), 2022 WL 1423646 (W.D. Wash. May 5, 2022), aff'd Jones v. Ford Motor Co. (Jones II), 85 F.4th 570 (9th Cir. 2023), is not on point. In Jones I, the plaintiffs alleged that when they connected their cellphones to infotainment systems installed in cars manufactured by Ford Motor Company, the systems stored their call logs and text messages without their consent. Id. at *1-2. The court dismissed the plaintiffs' WPA claim because it was the infotainment system-not Ford-that intercepted and recorded the communications. Id. at *3. Central to the court's reasoning was that Ford merely manufactured the infotainment systems and did not use or even have access to the data stored on the infotainment systems. Id. at *3-4 (“Plaintiffs make no allegations of any conduct by Ford itself after a vehicle is purchased by an owner.”). In contrast, Plaintiffs here allege that Costco records customers' interactions with Costco's pharmacy website and that Costco used and disclosed their personal health data for financial gain. Dkt. # 29 at 55, ¶¶ 182-83. Unlike the plaintiffs in Jones II, Plaintiffs here have alleged more than “an invasion of privacy.” 85 F.4th at 575.
2. Entity Intercepting the Communications
Costco is a proper defendant under the WPA. Costco says that it cannot be liable under the WPA because it is Meta, not Costco, that intercepted Plaintiffs' personal health data. Dkt. # 45 at 17-18. But the WPA “prohibits both the interception or recording of private communications,” and Plaintiffs allege that Costco recorded their data. Dkt. # 29 at 55, ¶ 182; In re Carrier IQ, Inc., 78 F.Supp.3d 1051, 1092 (N.D. Cal. 2015). Costco instead appears to contend that because Plaintiffs consented to Costco's recording of their data, such recording is not actionable under the WPA. Costco cites Hoang v. Amazon.com, Inc., 2012 WL 1088165, at *1 (W.D. Wash. Mar. 30, 2012), in which an actress provided personal information to an internet movie database website's subscription service that would help her obtain acting roles. Dkt. # 45 at 17-18. The actress brought a WPA claim against the website after it used the information she provided to add her age to her public online profile on the website without her consent. Hoang, 2012 WL 1088165, at *1. In dismissing the WPA claim, the court held that the actress had not shown that her information was private and that “the information was not ‘intercepted' or ‘recorded' as required by the [WPA] because Plaintiff sent the information directly to the Defendants, not to someone else.” Id. at *5.
But for the reasons discussed infra Section III.F.2-3 regarding Plaintiffs' WCPA claim, Plaintiffs plausibly allege that they did not consent to the collection of their personal health data. And Hoang cannot be construed to mean that the WPA does not protect individuals from having their communications recorded without their consent in a two-party interaction. See State v. Kipp, 317 P.3d 1029, 1030-31 (Wash. 2014) (holding that the WPA was implicated where defendant's brother-in-law secretly recorded a conversation with defendant).
3. “Communication” under the WPA
Plaintiffs do not adequately allege that their personal health data constitute communications or conversations protected under the WPA. The WPA provides:
(1) Except as otherwise provided in this chapter, it shall be unlawful for any individual, partnership, corporation, association, or the state of Washington, its agencies, and political subdivisions to intercept, or record any:
(a) Private communication transmitted by telephone, telegraph, radio, or other device between two or more individuals . . . by any device . . . without first obtaining the consent of all the participants in the communication;
(b) Private conversation, by any device . . . without first obtaining the consent of all the persons engaged in the conversation.RCW Chapter 9.73.030 (emphasis added).
Plaintiffs do not plausibly allege under subsection (a) that URLs containing search terms for specific prescriptions constitute private communication “between two or more individuals.” In In re Meta Pixel Tax Filing Cases I, the court observed that because section (1) lists “individual” and “corporation” separately, the term “individuals” in subsection (a) must exclude corporations. 2024 WL 1251350, at *8. The court held that the WPA “does not apply to communications between an individual and a business entity's automated system.” Id. Even after the plaintiffs amended their complaint to “identify the individuals at Meta who allegedly received the intercepted communications [that were entered into automated systems],” the court dismissed their WPA claim by holding that the WPA “does not require that communications be intercepted by an individual, but rather that the communication be between two or more individuals.” In re Meta Pixel Tax Filing Cases (In re Meta Pixel Tax Filing Cases II), 2024 WL 3664037, at *1 (N.D. Cal. Aug. 6, 2024). The court concluded that the plaintiffs failed to allege “that the intercepted communications were made between two individuals rather than between individual users and the tax sites' automated systems.” Id.; see also In re Carrier IQ, Inc., 78 F.Supp.3d at 1093. Without clear authority from Washington courts holding to the contrary, the Court concludes that a corporation is not an individual under subsection (a). But because at least one Plaintiff communicated with pharmacists and technicians at Costco, dkt. # 29 at 7, ¶ 17, Plaintiffs are granted leave to amend to more specifically allege how Costco recorded data regarding communications between two or more individuals.
Either party may, if they so desire, move to certify a question to the Washington Supreme Court.
Although subsection (b) does not contain the “between two or more individuals” language, the Washington Supreme Court has construed “conversation” under its “ordinary connotation of oral exchange, discourse, or discussion.” Cousineau v. Microsoft Corp., 992 F.Supp.2d 1116, 1129 (W.D. Wash. 2012) (quoting State v. Smith, 540 P.2d 424, 428 (Wash. 1975)). Federal district courts have held that transmission of geolocation data and data entered into an online form do not constitute “conversations” under subsection (b). Id. at 1129; In re Meta Pixel Tax Filing II, 2024 WL 3664037, at *2. The Court similarly concludes that search terms included in URLs are not “conversations” under subsection (b).
The Court dismisses the WPA claim and grants leave to amend.
D. California Invasion of Privacy Act Claim (Count V)
Costco's sole contention for dismissing the CIPA claim is that Plaintiffs' data do not constitute “contents” of a communication. Dkt. # 45 at 19. Because Costco acknowledges that the standard for determining “contents” of a communication is the same under the Wiretap Act and the CIPA, id. (citing Brodsky v. Apple Inc., 445 F.Supp.3d 110, 127 (N.D. Cal. 2020)), the Court rejects Costco's assertion that the CIPA claim should be dismissed for failure to plead “contents” of a communication were intercepted for the same reasons discussed supra Section III.B.1.
The Court denies Costco's motion to dismiss the CIPA claim.
E. Florida Security of Communications Act (Count VII)
Plaintiffs plausibly allege a FSCA claim. Contrary to Costco's contention, the FSCA does not categorically exempt website tracking technologies. Dkt. # 45 at 21-22. The FSCA provides a civil cause of action for anyone “whose wire, oral, or electronic communication is intercepted, disclosed, or used in violation of [certain Florida statutes].” Fla. Stat. Ann. § 934.10(1). In defining “electronic communication,” the FSCA excludes “[a]ny communication from an electronic or mechanical device which permits the tracking of the movement of a person or an object.” Id. § 934.02(12)(c). Following a Florida state court decision in Jacome v. Spirit Airlines Inc., 2021 WL 3087860 (Fla. Cir. Ct. June 17, 2021), several courts have held that the FSCA does not apply to claims related to “session replay software” that records mouse clicks, keystrokes, search terms, and content viewed by a visitor to a website. See Goldstein v. Costco Wholesale Corp., 559 F.Supp.3d 1318, 1320 (S.D. Fla. 2021) (collecting cases). But the FSCA's exception of movement tracking information from the definition of “electronic communications” appears to be similar to the Ninth Circuit's distinction between “contents” of a communication and “record” information. Indeed, the court in Goldstein relied precisely on this distinction to interpret the FSCA. Id. at 1321-22 (citing In re Zynga Priv. Litig., 750 F.3d at 1106). For the same reasons discussed supra Section III.B.1, Plaintiffs' search terms constitute “contents” of a communication that would be protected under the FSCA. See In re TikTok, Inc. In-App Browser Priv. Litig., 2024 WL 4367849, at *15 (N.D. Ill. Oct. 1, 2024). Underscoring this conclusion is the Jacome court's own observation that the Wiretap Act and FSCA were amended “to protect private personal and business records (like medical records) from interception on computerized recordkeeping systems.” 2021 WL 3087860, at *2.
The Court denies Costco's motion to dismiss the FSCA claim.
F. Washington Consumer Protection Act Claim (Count III)
Plaintiffs state a claim under the WCPA. Under the WCPA, a plaintiff must establish five elements: “(1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; (5) causation.” Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 719 P.2d 531, 533 (Wash. 1986). Costco contends that plaintiffs have not plausibly alleged injury, causation, and an unfair or deceptive act. Dkt. # 45 at 22-25.
1. Injury
Plaintiffs plausibly allege injury under the WCPA. Although “damages for mental distress, embarrassment, and inconvenience are not recoverable under the [WCPA],” Panag v. Farmers Ins. Co. of Washington, 204 P.3d 885, 899 (Wash. 2009), “[i]njury to property or business is broadly construed.” Univ. of Washington v. Gov't Emps. Ins. Co., 404 P.3d 559, 571 (Wash.Ct.App. 2017). Plaintiffs plausibly allege that the disclosure of personal data results in “lost economic value because [the data] is now readily available.” Nienaber, 2024 WL 2133709, at *17 (quoting Guy v. Convergent Outsourcing, Inc., 2023 WL 4637318, at *1 (W.D. Wash. July 20, 2023)). Plaintiffs sufficiently allege that “the personal, health, and financial information of Plaintiffs and the Class Members is valuable and has become a highly desirable commodity,” and cite several secondary sources describing the existing market for and estimating the economic value of personal health data. Dkt. # 29 at 35-39, ¶¶ 107-24; cf. Nienaber, 2024 WL 2133709, at *17-18 (dismissing with leave to amend plaintiff's WCPA claim because plaintiff did not specifically allege the value of her personal data).
Cases reaching a different conclusion are distinguishable. The court in Aspen Dental Mgmt., Inc., held that diminution in the value of personal data does not constitute injury under the WCPA. 2024 WL 4119153, at *8. But there, the court cited an Illinois state court case declining to hold that “diminution in the value of personal information is a specific economic injury under the [Illinois Consumer Fraud and Deceptive Business Practices Act],” that in turn relied on another Illinois case holding that “[a]ctual damages must be calculable.” Id. (quoting Flores v. Aon Corp., 242 N.E.3d 340, 357-58 (Ill.App.Ct. 2023)); Flores, 242 N.E.3d at 35758 (quoting Morris v. Harvey Cycle & Camper, Inc., 911 N.E.2d 1049, 1053 (Ill.App.Ct. 2009)). But the Washington Supreme Court has held that the injury requirement can be met where a property interest “is diminished” even if the amount is “unquantifiable.” See Panag, 204 P.3d at 889-900 (quotation marks and citation omitted). The court in Aspen Dental Mgmt., Inc., 2024 WL 4119153, at *8, also relied on Gragg v. Orange Cab Co., Inc., in which the court held that the plaintiff's receipt of the defendants' text message did not constitute a cognizable injury because invasion of privacy, without more, is not an injury to an individual's property. 942 F.Supp.2d 1111, 1118-19 (W.D. Wash. 2013). But unlike receipt of a text message, disclosure of personal health data can diminish the economic value of an individual's property. See Kaiser Found. Health Plan, Inc., 2024 WL 1589982, at *34 (holding that the deprivation of the full value of personal health information constitutes an injury under the WCPA). And in Cousineau, the court dismissed the plaintiff's WCPA claim for failure to allege injury because they argued only that collection of geolocation data diminished the value of her phone or data plan. 992 F.Supp.2d at 1128. The court did not consider whether disclosure of data could diminish the data's economic value. Id.
Costco's reliance on Saeedy v. Microsoft Corp., 2023 WL 8828852 (W.D. Wash. Dec. 21, 2023) is also misplaced. Dkt. # 50 at 7. It quotes Saeedy, 2023 WL 8828852, at *6 for the proposition that Plaintiffs must show that they “personally lost money or property as a result of [Costco's] conduct” to allege injury. Dkt. # 50 at 7. But this quote does not appear in the court's analysis of a WCPA claim. In Saeedy, the plaintiffs brought 13 claims based on various federal and state laws. 2023 WL 8828852, at *1-2. The court divided these claims into “privacy-related claims” and “property-related claims” and examined the categories separately for Article III standing and not statutory standing under the WCPA. Id. at *4. The WCPA claim was categorized as a privacy-related claim, but the quote Costco cites is from the court's analysis of property-related claims. Id. at *2, 4.
To the extent that Costco disputes Article III standing, the Court concludes that Plaintiffs have Article III standing under Saeedy's reasoning for privacy-related claims. In Saeedy, the court dismissed a WCPA claim because it concluded that collecting data regarding generic internet browsing activity was not an intrusion into the plaintiffs' privacy, especially given that they had not alleged that they were logged into personal accounts such that the data could be linked to their names. Id. at *5 & n.6. But here, Plaintiffs allege that Costco collected personal health data that could be linked to their identities through their Facebook accounts. Dkt. # 29 at 23-24, ¶¶ 78-81; see Jones II, 85 F.4th at 574; see also Krefting v. Kaye-Smith Enterprises Inc., 2023 WL 4846850, at *3 (W.D. Wash. July 28, 2023) (“loss of control over [personally identifiable information]” can establish Article III standing). And in any event, Plaintiffs also satisfy Article III standing under Saeedy's reasoning for property-related claims because they allege that they would not have purchased prescriptions from Costco's pharmacy had they known about the company's data collection practices. Dkt. # 29 at 58, ¶ 196; cf. Saeedy, 2023 WL 8828852, at *7 (holding that plaintiffs could not establish standing based on their allegation that would not have used Microsoft Edge had they known about Microsoft's data collection practices because Microsoft Edge could be downloaded at no cost). Because Plaintiffs cite no authority stating that an over-payment theory for Article III standing also suffices to establish statutory standing under the WCPA, the Court does not reach the issue. Dkt. # 49 at 26; see Bowen v. Energizer Holdings, Inc., 118 F.4th 1134, 1145 n.11 (9th Cir. 2024) (distinguishing between Article III standing and statutory standing under California state laws). Plaintiffs have stated injury under Article III and the WCPA.
2. Causation
Plaintiffs plausibly allege that Costco caused their injury by installing the Pixel to use and disclose their personal health data. Costco says that Plaintiffs caused their own injury because: (1) they agreed to Meta's data-collection practices when they created their Facebook accounts; and (2) they remained logged into their Facebook accounts while using Costco's pharmacy website. Dkt. # 45 at 24-25.
Costco does not cite Meta's current terms and conditions for creating Facebook accounts. Instead, Costco relies on Smith I, 262 F.Supp.3d at 953, in which the court held that the plaintiffs consented to then-Facebook's data-collection practices because Facebook's Data Policy provided that Facebook “collect[s] information when you visit or use third-party websites and apps.” Dkt. # 45 at 24-25. But Smith I is distinguishable because, as discussed supra Section III.B.2.b, that case did not involve personal health information protected under HIPAA. Based on the information before it, the Court agrees with the holding in In re Meta Pixel Healthcare Litig. that the “generalized notice” in Meta's data-collection policies is insufficient to establish consent to collect personal health data. 647 F.Supp.3d at 793. And insofar as Costco contends that its own Privacy Policy discloses use of third-party tracking technologies for personal health data, dkt. # 45 at 25, the Court rejects this contention for the reasons discussed infra Section III.F.3.
It is also inappropriate at the pleading stage to consider whether Plaintiffs' remaining logged into their Facebook accounts constitutes implicit consent to collection of their personal health data. In the context of assessing a common law reasonable expectation of privacy claim, the Ninth Circuit has held that whether “users could have taken additional measures to prevent cookies from tracking their browsing” is not relevant at the pleading stage where “[p]laintiffs have alleged that these protections would not have done any good, even if users had employed them.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 605 (9th Cir. 2020). Here, Plaintiffs allege that even if an individual is not logged into or does not have a personal Facebook account, the Pixel records the individual's browsing activity through a “fbp” cookie that can be linked to a Facebook account later logged into or created for the first time. Dkt. # 29 at 24, ¶ 81. Plaintiffs state causation by alleging that Meta could link their personal health data to their identities even if they had logged out of their personal Facebook accounts before using Costco's pharmacy website.
3. Unfair or Deceptive Act
Plaintiffs plausibly allege that Costco engaged in an unfair or deceptive act because they did not consent to Costco's using or disclosing their personal health data for financial gain. Dkt. # 29 at 57-58, ¶ 195. To establish an unfair or deceptive act under the WCPA, a plaintiff must show that the act could “deceive a substantial portion of the public.” Young v. Toyota Motor Sales, U.S.A., 472 P.3d 990, 994 (Wash. 2020) (quotation marks and citation omitted). Costco says that its use of the Pixel cannot be unfair or deceptive because its Privacy Policy expressly discloses the use of tracking technologies. Dkt. # 45 at 24. But Costco cites no language from its Privacy Policy in support of this proposition and, in its reply, only makes a conclusory statement that “Costco clearly disclosed the presence of certain ad trackers on the public-facing portions of its website.” Dkt. ## 45 at 23-24; 50 at 6-7. Plaintiffs, on the other hand, point out that Costco's Health Care Center-specific privacy policies do not mention use of tracking technologies and provide that Costco must obtain “written authorization” before using or disclosing personal health information for marketing purposes. Dkt. ## 29 at 16, ¶ 50; 49 at 24 (quoting “Notice of Privacy Practices: Health Care Centers”). Because Costco does not meaningfully dispute Plaintiffs' contention that Costco's Health Care Center-specific privacy policies govern, the fact that Plaintiffs received notice of their opportunity to opt out of Costco's general use of third-party tracking technologies and disclosure of their data for advertising is irrelevant. Dkt. ## 45 at 24; 46-1 at 3. Plaintiffs could have decided not to opt out of Costco's use of third-party tracking technologies because they did not know that such technologies would be used regarding their personal health data. Costco plausibly deceived the public by installing the Pixel to use and disclose customers' personal health data without their consent. See Krefting, 2023 WL 4846850, at *8 (“failure to take proper measures to secure [personally identifiable information] can constitute an unfair act under the [WCPA].”).
Costco's Privacy Policy states that the “health information that you disclose to us when you visit or use the products and services offered by our pharmacies” is governed by a separate “Notice of Privacy Practices: Health Care Centers.” Dkt. # 46-1 at 10-11. The “Notice of Privacy Practices: Health Care Centers” is accessible through a hyperlink in Costco's Privacy Policy. Id. The parties do not dispute that the Court may take judicial notice of these publicly accessible documents.
The Court denies Costco's motion to dismiss the WCPA.
G. Washington Uniform Health Care Information Act Claim (Count IV)
Plaintiffs have stated a claim under the WUHCIA. Subject to certain exceptions, the WUHCIA prohibits a health care provider from “disclos[ing] health care information about a patient to any other person without the patient's written authorization.” RCW Chapter 70.02.020(1). Costco says that “health care information” under the WUHCIA tracks the definition of IIHI under HIPAA. Dkt. # 45 at 26. Once again relying on Smith I, 262 F.Supp.3d 943, Costco contends that the data it allegedly collected are not “health care information” under the WUHCIA. Dkt. ## 45 at 26; 50 at 7-8. The Court rejects this contention for the same reasons discussed supra Section III.B.2.b.
Costco suggests that Plaintiffs' allegations about Costco's use of Meta's ability to link personal health data to existing or prospective personal Facebook accounts are insufficient to allege the disclosure of health information that, under the WUHCIA, “identifies or can readily be associated with the identity of a patient.” RCW Chapter 70.02.010(17); dkt. ## 29 at 24, 26, ¶¶ 81, 90; 50 at 7-8. Costco relies on language in Kaiser Found. Health Plan, Inc., 2024 WL 1589982, at *21, stating, “The fact that third parties may have assigned unique identifiers to individuals using the Kaiser website and mobile applications (i.e., so that they could be tracked) does not in and of itself mean that those individuals' actual identities could be divined.” Dkt. # 50 at 7-8. But unlike unique identifiers, personal Facebook accounts disclose actual identities.
The Court denies Costco's motion to dismiss the WUHCIA claim.
H. California Confidentiality of Medical Information Act Claim (Count VI)
Plaintiffs have stated a claim under the CMIA. The CMIA prohibits a health care provider from disclosing the medical information of a patient, enrollee, or subscriber of a health care service plan without their consent. Cal. Civ. Code § 56.10(a). Because the CMIA is concerned with preserving the confidentiality of medical information, an unauthorized individual must view the medical information for the statute to be violated. See Sutter Health v. Superior Ct. of Sacramento Cnty., 174 Cal.Rptr.3d 653, 660 (Cal.Ct.App. 2014). Costco contends: (1) that Plaintiffs' data do not constitute “medical information” under the CMIA; and (2) that third parties did not view Plaintiffs' data. Dkt. # 45 at 26-28.
Costco asserts that Plaintiffs did not specifically allege what personal health information was collected. Id. at 27. But “medical information” under the CMIA does not materially differ from the definition of IIHI under HIPAA. The CMIA defines “medical information” as “individually identifiable information” regarding, among other things, a patient's “mental or physical condition, or treatment.” Cal. Civ. Code § 56.05(j). “Individually identifiable” is defined as information that “includes or contains any element of personal identifying information sufficient to allow identification of the individual.” Id. For the same reasons Plaintiffs adequately allege that Costco intercepted IIHI under HIPAA, see supra Section III.B.2.b, they adequately allege that Costco disclosed “medical information” under the CMIA. Plaintiffs allege that Costco collected data about specific prescriptions they ordered and could link such data to Plaintiffs' identities through their personal Facebook accounts. See Barbour v. John Muir Health, 2023 WL 2618967, at *7 (Cal. Super. Ct. Jan. 05, 2023); Desert Care Network, 2024 WL 1343305, at *5 (denying motion to dismiss a CMIA claim where plaintiffs alleged that they used a website to “refill prescriptions”).
As for Costco's second contention, it relies on Cousin v. Sharp Healthcare (Cousin I), 681 F.Supp.3d 1117, 1128-29 (S.D. Cal. 2023), for the proposition that merely alleging Meta could collect and view Plaintiffs' information is insufficient to state a CMIA claim. Dkt. # 45 at 28. But after the plaintiffs in Cousin I amended their complaint to include, as here, information about Meta's business model and how it uses collected data for targeted advertising, the court denied the defendant's motion to dismiss the CMIA claim. Dkt. # 29 at 18-19, ¶¶ 57-62; Cousin II, 702 F.Supp.3d at 975. Disclosure of personal health information to third-party online advertisers is sufficient to allege that medical information was viewed by unauthorized third parties under the CMIA. See St. Aubin., 2024 WL 4369675, at *10-11.
The Court denies Costco's motion to dismiss the CMIA claim.
I. Invasion of Privacy (Count VIII)
Plaintiffs have not plausibly alleged a common law invasion of privacy claim. Costco says that it could not have invaded Plaintiffs' privacy because it was the intended recipient of Plaintiffs' communications, relying on Kurowski v. Rush Sys. for Health (Kurowski II), 683 F.Supp.3d 836 (N.D. Ill. 2023). Dkt. # 45 at 28-29. But Kurowski II does not control because there the court relied on Illinois state law, under which the basis of invasion of privacy “is not publication or publicity.” 683 F.Supp.3d at 848-49 (quoting Dinerstein v. Google, LLC, 484 F.Supp.3d 561, 594 (N.D. Ill. 2020)). Unlike Illinois, Washington, has recognized a common law claim for invasion of privacy by publication that requires a plaintiff to show: (1) that the defendant publicized their “private affairs”; and (2) that “the matter publicized would be highly offensive to a reasonable person.” Fisher, 106 P.3d at 840.
Plaintiffs do not respond to Costco's assertion that there is a state action requirement for an invasion of privacy claim under article I, section 7 of the Washington constitution. Dkt. ## 45 at 28-29 (citing Fisher v. State ex rel. Dep't of Health, 106 P.3d 836, 840 (Wash.Ct.App. 2005)); 49 at 28-29. Plaintiffs' claim of invasion of privacy under the Washington constitution is waived. See Stichting Pensioenfonds ABP v. Countrywide Fin. Corp., 802 F.Supp.2d 1125, 1132 (C.D. Cal. 2011).
Plaintiffs have not adequately alleged that Costco publicized their personal health data. In Fisher, the court observed that publicity generally “means communication to the public at large,” but acknowledged that in some cases, disclosure to only a few individuals can still be actionable if the private information is especially offensive. 106 P.3d at 840-41 (citing Reid v. Pierce Cnty., 961 P.2d 333, 335-36 (Wash. 1998)). As in Nienaber, 2024 WL 2133709, at *10, Plaintiffs only make conclusory assertions that their personal health data have been disclosed to third-parties other than Meta. See Dkt. # 29 at 69, ¶¶ 261-62. Without more specific allegations about the extent to which Plaintiffs' personal health data were disclosed, the Court cannot evaluate whether it is plausible that the degree to which such disclosure could be offensive outweighs the scope of disclosure.
The Court dismisses the invasion of privacy claim with leave to amend.
J. Breach of Implied Contract (Count IX)
Plaintiffs do not state a breach of implied contract claim. To establish the formation of a contract implied in fact under Washington law, a plaintiff must show “mutual assent of the parties” that the court can also infer “based on the acts of the parties involved and in light of the surrounding circumstances.” Nienaber, 2024 WL 2133709, at *11 (quoting Leslie v. Fid. Nat. Title Ins. Co., 598 F.Supp.2d 1176, 1184 (W.D. Wash. 2009)). Plaintiffs adequately allege mutual assent and damages. In Nienaber, the court held that the plaintiff failed to adequately plead mutual assent and damages because she did not allege that she paid for any services in exchange for defendant's securing her data. Id. at *11-13 (distinguishing cases); see also B.K. v. Eisenhower Med. Ctr. (Eisenhower Med. Ctr. I), 2024 WL 878100, at *6-7 (C.D. Cal. Feb. 29, 2024) (dismissing claims because plaintiffs only alleged loss of the value of their personal data). But here, Plaintiffs have alleged that they bought prescriptions from Costco and would not have done so or paid less for them had they known that Costco would disclose their personal health data. Dkt. # 29 at 6-10, 70-71 ¶¶ 15-25, 274. And although Plaintiffs have not pleaded damages with specificity, debate over the amount of damages is a factual dispute “better left for summary judgment or trial.” In re Grp. Health Plan Litig., 709 F.Supp.3d at 715.
But Plaintiffs do not adequately allege consideration. A promise to perform “a preexisting legal obligation is not valid consideration.” Multicare Med. Ctr. v. State, Dep't of Soc. & Health Servs., 790 P.2d 124, 131 (Wash. 1990) (superseded by statute on other grounds). A promise to take precautionary steps beyond those mandated by HIPAA to protect personal health data can constitute consideration. See Attias v. CareFirst, Inc., 2023 WL 5952052, at *7 (statements of “an obligation to take affirmative steps to ‘protect' [personal health information]” were enough to allege an implied contract even where the promise “would substantially overlap with, if not include, HIPAA's requirements”). To the extent that cases can be construed to hold that an assurance to abide by HIPAA, without more, constitutes consideration, the Court disagrees. See In re Grp. Health Plan Litig., 709 F.Supp.3d at 715; Faber v. Ciox Health, LLC, 331 F.Supp.3d 767, 783 (W.D. Tenn. 2018). The Washington Supreme Court has held that for there to be consideration, an offeree must promise to perform “an additional obligation or burden not previously imposed by law.” Multicare Med. Ctr., 790 P.2d at 132.
Plaintiffs allege that Costco breached an implied contract by disclosing their personal health data. Dkt. # 29 at 70, ¶ 273. But disclosing personal health data without consent is precisely what HIPAA prohibits. See supra Section III.B.2.b (citing 42 U.S.C. § 1320d-6). Plaintiffs vaguely allege that Costco “agreed to safeguard and not disclose” their personal health data without their consent, dkt. # 29 at 70, ¶ 269, and cite to various terms in Costco's Privacy Policy and Notice of Privacy Practices. Dkt. # 49 at 29-30 (citing dkt. # 29 at 16, ¶ 47-51). For example, Costco's Privacy Policy states that “Costco collects, uses[,] and shares your personal information in accordance with Your Privacy Rights,” and that Costco takes “reasonable and appropriate steps to help protect personal information from unauthorized access, use, disclosure . . .” Dkt. # 29 at 16, ¶ 47. With more allegations, perhaps “reasonable and appropriate steps” could be interpreted to mean that Costco promised to undertake precautions to protect personal health data from disclosure beyond its obligations under HIPAA. But because Plaintiffs do not specifically allege the terms of the implied contract or how these terms compare to the provisions of HIPAA (or of other laws such as the WUHCIA and CMIA), they do not adequately plead consideration. See Nienaber, 2024 WL 2133709, at *13 (citing Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 52 (D. Ariz. 2021)).
The Court dismisses the breach of implied contract claim with leave to amend.
K. Conversion (Count X)
Plaintiffs do not state a claim for conversion. To prevail on a conversion claim under Washington law, a plaintiff must establish: “(1) willful interference with chattel belonging to the plaintiff, (2) by either taking or unlawful retention, and (3) thereby depriving the owner of possession.” Burton v. City of Spokane, 482 P.3d 968, 773 (Wash.Ct.App. 2021). Plaintiffs cite a trend in cases recognizing a property interest in personal data, but these cases either consider conversion claims under California law or do not involve conversion claims at all. Dkt. # 49 at 30-31 (citing Griffith v. TikTok, Inc., 697 F.Supp.3d 963, 975-76 (C.D. Cal. 2023) (conversion claim under California law); Calhoun v. Google LLC, 526 F.Supp.3d 605, 635 (N.D. Cal. 2021) (statutory larceny claim under California law); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 461-62 (D. Md. 2020) (assessing loss of property value in data breach cases on injury-in-fact for standing)). Conversion under California law is different from conversion under Washington law. “California law defines conversion as ‘any act of dominion wrongfully asserted over another's personal property in denial of or inconsistent with his rights therein.'” Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1030 (N.D. Cal. 2012) (citation omitted). California law defines property as “a broad concept that includes ‘every intangible benefit and prerogative susceptible of possession or disposition.'” Kremen v. Cohen, 337 F.3d 1024, 1030 (9th Cir. 2003) (quoting Downing v. Mun. Court, 198 P.2d 923, 926 (Cal.Ct.App. 1948)). By contrast, Washington requires willful interference with chattel where chattel is defined as “[m]oveable or transferable property” and chattel personal is defined as a “tangible good or an intangible right (such as a patent).” In re Marriage of Langham & Kolde, 106 P.3d 212, 218 (Wash. 2005) (citation omitted).
Plaintiffs do not adequately allege that their personal health data are tangible goods or intangible rights. See Vyas v. Wallach, 2006 WL 8454883, at *3 (W.D. Wash. Nov. 30, 2006) (dismissing a conversion claim where plaintiffs failed to show that intangible property such as “client lists and other proprietary information” are chattel subject to conversion). Without a plausible allegation that personal health data constitute chattel, the Court cannot meaningfully assess whether Plaintiffs have adequately alleged the other elements of conversion.
The Court dismisses the conversion claim with leave to amend.
L. Unjust Enrichment (Count XI)
Plaintiffs state an unjust enrichment claim. In its reply, Costco does not contest Plaintiffs' contention that they may allege an unjust enrichment claim in the alternative of their claims for remedies at law. Dkt. ## 49 at 32 (citing Vernon v. Qwest Commc'ns Int'l, Inc., 643 F.Supp.2d 1256, 1266 (W.D. Wash. 2009)); 50 at 12. Based on the briefing before it, the Court concludes that Plaintiffs may plead their unjust enrichment claim in the alternative. Under Washington law, “[u]njust enrichment is the method of recovery for the value of the benefit retained absent any contractual relationship because notions of fairness and justice require it.” Young v. Young, 191 P.3d 1258, 1262 (Wash. 2008). To prevail on an unjust enrichment claim, Plaintiffs must establish three elements: “(1) the defendant receives a benefit, (2) the received benefit is at the plaintiff's expense, and (3) the circumstances make it unjust for the defendant to retain the benefit without payment.” Id.
Plaintiffs plausibly allege all three elements. Costco received a benefit in the form of Plaintiffs' personal health data and the money Plaintiffs paid for Costco's services that they would not have paid had they known Costco would disclose their data. Dkt. # 29 at 58, ¶ 196; Nienaber, 2024 WL 2133709, at *13. Plaintiffs conferred upon Costco both benefits at their expense. See Mekhail, 2024 WL 1332260, at *13. In Nienaber, the court held that the plaintiff had not pleaded a concrete detriment under the second element of unjust enrichment in part because the plaintiff did not allege “the specific private information she contends that she shared with Defendant and that Defendant, in turn, shared to third parties.” 2024 WL 2133709, at *14. But as discussed supra Section III.B.2.b, Plaintiffs allege Costco collected data about specific prescriptions they bought. And as discussed supra Section III.F.1, Plaintiffs have alleged the existence of a market for personal health data and cited sources estimating the value of such data. Plaintiffs also allege that they paid for Costco's services. Cf. Nienaber, 2024 WL 2133709, at *14. Finally, because Plaintiffs allege that they did not know of or otherwise consent to Costco's data collection practices, it is plausibly unjust for Costco to retain the benefits of Plaintiffs' personal health data and payments for Costco's services. See id. (the monetizing of advertising benefits can be sufficient to state a claim for unjust enrichment) (citing Doe v. Boone Health, Inc., 2023 WL 4996117, at *4 (Mo. Cir. July 20, 2023)); Mekhail, 2024 WL 1332260, at *14 (denying motion to dismiss where plaintiff pleaded that the data collection “was inequitable because it was uncompensated”); In re Grp. Health Plan Litig., 709 F.Supp.3d at 715 (same).
The Court denies Costco's motion to dismiss the unjust enrichment claim.
IV Conclusion
For the foregoing reasons, the Court GRANTS in part and DENIES in part Costco's motion to dismiss. The Court DENIES the motion as to the Wiretap Act, WCPA, WUHCIA, CIPA, CMIA, FSCA, and unjust enrichment claims. The Court GRANTS the motion as to the WPA, invasion of privacy, breach of implied contract, and conversion claims, and DISMISSES these claims without prejudice. The Court GRANTS Plaintiffs leave until December 6, 2024 to file a second amended complaint; such leave is limited to the claims dismissed here.