Opinion
Civil Action 2:23-cv-20647-WJM
07-02-2024
ANGELA COLE and BEATRICE ROCHE, individually and on behalf of all others similarly situated, Plaintiffs, v. QUEST DIAGNOSTICS, INC., Defendant.
OPINION
WILLIAM J. MARTINI, U.S.D.J.
This matter comes before the Court upon Quest Diagnostics, Inc.'s, ("Quest" or "Defendant") Motion to Dismiss plaintiffs Angela Cola and Beatrice Roche's ("Plaintiffs") putative class action complaint pursuant to Federal Rule of Civil Procedure 12(b)(6). ECF Nos. 23, 51, The Court decides the matters without oral argument. See Fed. R. Civ. P. 78(b). After careful consideration of the parties' submissions, and for the reasons set forth below, Defendant's Motion to Dismiss is GRANTED IN PART and DENIED IN PART.
Quest notes it was erroneously sued as Quest Diagnostics, Inc. See ECF No. 51, at 1.
The Court has jurisdiction over this matter pursuant to 28 U.S.C. § 1332(d)(2)(A) because at least one member of the putative class is a citizen of a different state than Defendant, there are more than 100 members of the class, and the aggregate amount in controversy exceeds $5,000,000 exclusive of interests and costs. See Am, Compl. at ¶ 7.
The following allegations are taken from Plaintiffs' Amended Complaint and are accepted as true. See Malleus v. George, 641 F.3d 560, 563 (3d Cir. 2011).
Plaintiffs are California residents who ordered and accessed medical diagnostic tests from Quest by navigating two of its websites: www.questdiagnostics.com ("General Website") and myquest.diagnostics.com ("MyQuest"). See Am. Compl., ECF No. 23 at ¶¶ 1, 4-5. Quest is one of the "leading providers of diagnostic information services" and provides clinical lab results. Id. at ¶ 2. The General Website is available to all internet users and is used to browse articles, read publications, and access Quest's other services and products. See Id. at ¶ 20. MyQuest is a password-protected platform that allows patients to review test results, schedule appointments, or pay bills. See Id. at ¶ 21. Users must create an account to access MyQuest, but not for the General Website, See Id. at ¶ 5. Plaintiffs navigated to the General Website and were redirected to MyQuest to access their test results, which required them to create accounts to gain access. See Id. at ¶¶ 4-5. Plaintiffs claim that without their consent, Quest assisted Facebook, a third party, in intercepting their internet communications and medical information while they navigated the websites. See id, at ¶¶ 59, 68. Specifically, Plaintiffs allege that Quest integrated the "Facebook Tracking Pixel" into their websites to track the data of users. The Facebook Tracking Pixel is a business tool Facebook offers to advertisers like Quest. See Id. at ¶ 16. When users access a website hosting the Facebook Tracking Pixel, Facebook's software script directs the user's browser to send a separate message to Facebook's servers. Id. This second transmission contains the original request sent to the host website, along with additional data the Pixel is configured to collect. Id. This transmission is initiated by Facebook code and concurrent with the communications with the host website. Id. Two sets of code are automatically run as part of the browser's attempt to load and read Defendant's websites: Defendant's own code and Facebook's embedded code. Id. Facebook then processes the data, analyzes it, and assimilates it into sets for advertising purposes. Id. at ¶ 18.
Plaintiff Cole made a Facebook account in 2012 and ordered a diagnostic test from Quest in 2019, where she was required to make an account and accessed both of Quest's websites. Plaintiff Roche similarly made a Facebook account in 2015 and ordered a diagnostic test from Quest in 2022. Am. Compl. at ¶ 4-5.
For both websites in this case, Plaintiffs allege Defendant's Facebook Tracking Pixel intercepts and transmits PageView information, which includes the title of the page, keywords associated with the page, and a description of the page. Id. at ¶¶ 24, 28. With respect to MyQuest, Facebook can learn that a patient has received and is accessing test results. Id. at ¶ 26. On the General Website, along with PageView information, Defendant's Pixel also "intercepts and transmits ButtonClick and Microdata information," which tracks what a user is clicking on a given page. Id. at ¶ 27. Plaintiffs also allege that users who access either website while logged into Facebook will transmit a cookie that contains the user's unencrypted Facebook Id. Id. at ¶ 31. If a user recently logged out of their Facebook account, an unencrypted value that uniquely identifies their browser is transmitted. Id. at ¶ 32. If a user never created a Facebook account, an encrypted value that identifies the browser is transmitted. Id. at ¶¶ 34-35. Plaintiffs allege Quest uses these cookies to pair event data with personally identifiable information so it can later retarget patients on Facebook. Id. at ¶ 40. Plaintiffs also allege that Quest expressly warranted that it "will never conspire with a third-party to intercept usage data paired with personally identifiable information." Id. at ¶ 41.
B. Procedural Background
Plaintiffs filed their two-count Complaint on July 19, 2022, in the District Court for the Eastern District of California. See ECF No. 1. Quest filed a motion to change venue and a motion to dismiss on November 22, 2022. ECF Nos. 15,16. Plaintiffs filed their First Amended Complaint on January 6, 2023. ECF Nos. 23. On September 22, 2023, Judge Thurston in the District Court for the Eastern District of California granted Quest's motion to transfer venue to this Court and declined to consider Quest's motion to dismiss in light of the transfer decision. Cole v. Quest Diagnostics, Inc., No. 1:22-cv-00892 JLT SKO, 2023 U.S. Dist. LEXIS 169351, at *13 (E.D. Cal. Sep. 22, 2023). On January 4, 2024, this Court gave the parties an opportunity to update their briefs on the motion to dismiss. ECF No. 50. Quest filed its Motion to Dismiss on February 5, 2024, Plaintiffs filed their opposition on March 11, 2024, and Quest filed its reply on March 25, 2024. Count One of' Plaintiffs' Amended Complaint alleges Quest violated the California Invasion of Privacy Act ("OPA"), Cal Penal Code §§ 630-638, by aiding, agreeing with, and conspiring with Facebook to track and intercept Plaintiffs' and class members' internet communications while accessing the General Website and MyQuest and aiding and assisting Facebook's eavesdropping with the intent to help Facebook learn some meaning of the content in the URLs and the content the visitor requested. See Am. Compl. at ¶¶ 54-63. Count Two alleges Quest violated the Confidentiality of Medical Information Act "(CMIA"), Cal. Civ. Code § 56.06(a), by disclosing individually identifiable information regarding a patient's medical history, mental or physical condition, or treatment to Facebook via a patient's Facebook ID and other Facebook identifiers. Id., at ¶¶ 64-73.
II. LEGAL STANDARD
In assessing whether a complaint states a cause of action sufficient to survive dismissal under Rule 12(b)(6), the Court accepts "all well-pleaded allegations as true and draw[s] all reasonable inferences in favor of the plaintiff." City of Cambridge Ret. Sys. v. Altisowce Asset Mgmt Corp., 908 F.3d 872, 878 (3d Cir. 2018). "[T]hreadbare recitals of the elements of a cause of action, legal conclusions, and conclusory statements" are all disregarded. Id. at 878-79 (quoting James v. City of Wilkes-Barre, 700 F.3d 675, 681 (3d Cir. 2012)). The complaint must "contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face," and a claim is facially plausible when the plaintiff "pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Zuber v. Boscov's, 871 F.3d 255, 258 (3d Cir. 2017) (first quoting Santiago v. Warminster Twp., 629 F.3d 121, 128 (3d Cir. 2010); and then quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)).
While the Court generally "may not consider matters extraneous to the pleadings" when deciding a Rule 12(b)(6) motion, In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1426 (3d Cir. 1997), an exception to this general rule provides that the Court may also consider "exhibits attached to the complaint, matters of public record, as well as undisputedly authentic documents if the complainant's claims are based upon these documents." Mayer v. Belichick, 605 F.3d 223, 230 (3d Cir. 2010).
III. DISCUSSION
A. Defendant's Request for Judicial Notice
Quest requests that the Court take judicial notice of, or deem incorporated into the Amended Complaint by reference, (1) Quest's Account Terms & Conditions, (2) Quest's Cookie Notice, (3) Quest's Privacy Notice, (4) Facebook's Terms of Service, (5) Facebook's Privacy Policy, and (6) Facebook's Cookie Policy. Judicial notice of a fact is proper where the fact is "not subject to reasonable dispute because it: (1) is generally known within the trial court's territorial jurisdiction; or (2) can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed.R.Evid. 201(b). The Court will only take judicial notice of Quest's Cookie Notice, as the basis of Plaintiffs' allegations center around Defendant's cookie policy. The Court declines to extend judicial notice of Quest's Account Terms & Conditions, Quest's Privacy Policy, Facebook's Terms of Service, Facebook's Privacy Policy, and Facebook's Cookie Policy as they are not generally known within the trial court's territorial jurisdiction and cannot be accurately and readily determined from sources whose accuracy cannot be questioned.
B. Counts One and Two
Section 631(a) of the California Penal Code, CIPA, makes punishable anyone who, "by means of any machine, instrument, or contrivance, or in any other manner," does any of four things:
(1) "intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument...";
(2) "willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state";
(3) "uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained"; or
(4) "aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section."
Section 631 is a criminal statute, but Section 637.2 provides a civil cause of action to anyone "injured by a violation of this chapter ... against the person who committed the violation." Under the CMIA, health care providers "shall not disclose medical information regarding a patient of the provider of health care. . . without first obtaining an authorization," subject to several enumerated exceptions. Cal. Civ. Code § 56.10(a)-(c). Furthermore, "[e]xcept to the extent expressly authorized by a patient, . . a provider of health care... shall not intentionally share, sell, use for marketing, or otherwise use medical information for a purpose not necessary to provide health care services to the patient." Id. at § 56.10(d). The CMIA defines medical information as "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental health application information, reproductive or sexual health application information, mental, or physical condition, or treatment." Cal. Civ. Code § 56.05.
i. Consent
Quest first argues that Plaintiffs fail to plausibly allege a lack of consent to its data collection practices because both the General Website and MyQuest include broad cookie disclosure language that cover the alleged improper data sharing. Plaintiffs, in response, argue establishing consent is Quest's burden, which it fails to meet. Specifically, consent is an affirmative defense not properly raised on a motion to dismiss and even if it were properly raised, Quest's use of the Facebook Pixel to link Facebook IDs paired with event data for the purposes of retargeting patients on Facebook is not covered under their disclosure policies. Furthermore, with respect to their CMIA claims, Plaintiffs any generalized cookie disclosure is insufficient to establish consent regarding medical information. In its reply, Quest argues lack of consent is an element of Plaintiffs' claims, not a defense, and Quest's cookie notice discloses the practices Plaintiffs challenge as Judge Thurston already found.
In the Amended Complaint, Plaintiff clearly states that "[b]y warranting [Quest will never conspire with a third-party to intercept usage data paired with personally identifiable information], Defendant has failed to receive consent from visitors to intercept their communications." Am. Compl at ¶¶ 41-42. This is sufficient to meet their burden to plead that Plaintiffs did not provide prior consent. See Kaaffman v. Papa John's Int'l, Inc., No. 22-cv-1492-L-MSB, 2024 U.S. Dist. LEXIS 7873, at *17 (S.D. Cal. Jan. 12,2024) (holding that the plaintiff met his pleading burden by alleging he did not provide express consent); see also Javier v. Assitr. IQ, LLC, No. 21-16351, 2022 U.S. App. LEXIS 14951, at *5 (9th Cir. May 31, 2022) (same). Moreover, the factual disputes regarding whether Quest's privacy policy covers the challenged practice or whether Plaintiffs consented to it are not suitable for resolution at this stage in the proceeding, See In re Tracht Gat, LLC, 836 F.3d 1146, 1150 (9th Cir. 2016). Therefore, the Court declines to dismiss Plaintiffs' CIPA and CMIA claims on consent grounds.
ii. Facebook as a Party to the Communication
Quest next argues that Plaintiffs' CIPA claim must fail because Facebook was a party to the communications at issue and therefore could not have eavesdropped. Def. Mot. at 24-25, ECF No. 51. Plaintiffs' allegations "make clear that the technological communications they take issue with are 'a separate message' between Plaintiffs and Facebook, not Plaintiffs and Quest" because a second parallel message is transmitted to Facebook. Id., at 25, Plaintiffs, in opposition, argue Facebook is not a party to the intercepted communications because: (1) Facebook was not the intended recipient of the communication; and (2) any parallel communications occurred after the initiation by Plaintiffs' click. PI. Opp. at 12-13, ECF No. 54. The Court agrees. The reasoning in Revitch v. New Moosejaw, LLC,No. 18-cv-06827-VC, 2019 U.S. Dist. LEXIS 186955, at *6 (N.D. Cal. Oct. 23, 2019) is instructive. There, the court held that plaintiff sufficiently alleged that defendant NaviStone acted as a third party by intercepting his communications with defendant Moosejaw, despite NaviStone arguing it was a direct recipient. The court found that eavesdropping under section 631 includes situations where a third-party intercepts communications without the parties' consent, regardless of whether the intercepting entity receives the communication directly. Adopting defendant NaviStone's interpretation would undermine the protections intended by the statute by allowing entities to evade liability simply by structuring their technology to receive communications directly. Here, Quest similarly argues that Plaintiffs had sent a separate and parallel GET request to both Quest and Facebook and therefore Facebook could not have eavesdropped. However, like the plaintiff in Revitch, Plaintiffs here did not consent to sending a separate message to Facebook, was generally unaware of doing so, and had no control over that process. As a result, the Court declines to dismiss Plaintiffs' CIPA claim on these grounds.
iii. Content
Quest argues that the Plaintiffs' CIPA claim fail because they do not plausibly allege that the "contents" of their communications were intercepted since ButtonClick, Microdata, and PageView information does not constitute content. In opposition, Plaintiffs argue that with respect to the General Website, Quest "transmitted PageView, Microdata, and ButtonClick data" which sent "the URL of the page requested, along with the title of the page, keywords associated with the page, and a description of the page." Am. Compl. at ¶¶ 28-29. With respect to MyQuest, Quest transmitted PageView information, which sent the URL accessed, allowing Facebook to know "that a patient had received and was accessing test results." Id. at ¶ 26. Plaintiffs argue the full-string URLs described in the Amended Complaint contain user-entered and user-specific information that constitutes content, "particularly when coupled with microdata that includes the text, titles, headers, images, image captions, links, and other information located on the webpage,"Pl. Opp. at 15, Federal courts have routinely analogized the definition of "content" under CIPA with the definition under the Wiretap Act-that is: contents of an online communication "refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication." In re Zynga Priv. Litig, 750 F.3d 1098, 1106 (9th Cir. 2014); see Yoon v. Lululemon United States, 549 F.Supp.3d 1073, 1082 (CD. Cal. 2021); see also Brodsky v. Apple Inc., 445 F.Supp.3d 110, 127 (N.D. Cal. 2020). The information allegedly intercepted constitutes content under CIPA. Descriptive URLs generated with user-specific and user-entered information concern the substance of a communication. See In re Meta Pixel Healthcare Litig., 647F.Supp.3d 778, 795 (N.D. Cal. 2022); see also In re Carrier IQ, Inc., 78 F.Supp.3d 1051, 1083 (N.D. Cal. 2015). Therefore, the Court declines to dismiss Plaintiffs' CIPA claim on content grounds. Quest's Motion to Dismiss Count One is DENIED.
C. Medical Information
Quest argues Plaintiffs' CMIA claim must fail because none of the information allegedly disclosed or used constitutes "medical information." Def. Mot. at 31. Plaintiffs, in opposition, argue that the information transmitted includes, "at a minimum, that a patient has received and is accessing test results." PI. Opp. at 19. The CMIA defines medical information as "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental health application information, reproductive or sexual health application information, mental, or physical condition, or treatment." Cal, Civ. Code § 56.05. The Amended Complaint contains conclusory allegations that accessing MyQuest discloses information regarding a patient's medical history, mental or physical condition, or treatment. Am. Compl. at ¶ 26. However, the only factual allegation in support of that conclusory allegation is that the information reveals a patient has received and is accessing test results. Information regarding what kind of medical test was done or what the results were is not alleged to have been disclosed. Courts have held that under the CMIA, medical information must be "substantive." Eisenhower Med. Ctr. v. Sup. Ct, 172 Cal.Rptr.3d 165, 170 (Cal.Ct.App. 2014); see also Tamraz v. Bakotic Pathology Assocs., LLC, No. 22-cv-0725-BAS~WVG, 2022 U.S. Dist. LEXIS 208345, at *9 (S.D. Cal. Nov. 16, 2022). Plaintiffs' reliance on Tamraz for the proposition that "specimen or test information" is "medical information" under the CMIA is misplaced. In Tamraz, under footnote four the court "inferred] that the results of test and the types of specimens are included in the 'specimen or test information."' Tamraz, 2022 U.S. Dist. LEXIS 208345, at *10 n.4. Here, Plaintiffs have not alleged that the type or results of tests were disclosed. Therefore, the Court will GRANT Defendant's Motion to Dismiss Plaintiffs' CMIA claim. Count Two of Plaintiffs' Amended Complaint is DISMISSED WITHOUT PREJDUICE. Plaintiffs' Request for Leave to Amend is GRANTED.
The Court need not reach Defendant's argument that Plaintiffs' CMIA claim fails because they do not allege that Quest was the party that disclosed or used the information at issue as Plaintiffs' CMIA claim is dismissed on other grounds. Def. Mot. at 35-37.
D. NJ Choice of Law
Lastly, Defendant argues that Plaintiffs' California claims fail because New Jersey Law applies. Defendant refers to its Account Terms & Conditions' choice of law provisions requiring "resolution of any and all disputes related to this Agreement" be construed in accordance with the laws of the State of New Jersey. Def. Mot. at 37. The Court declines to consider these provisions as at the motion to dismiss stage, the Court must only consider the four corners of the Complaint, which contains no reference to the Account Terms & Conditions.
IV. CONCLUSION
For the reasons set forth above, Defendant's Motion to Dismiss Count One of Plaintiffs' Amended Complaint is DENIED. Defendant's Motion to Dismiss Count Two of Plaintiffs' Amended Complaint is GRANTED and Count Two is DISMISSED WITHOUT PREJUDICE. Plaintiffs shall have leave to amend An appropriate order