St. Aubin v. Carbon Health Techs.

United States District Court, Northern District of California
Oct 1, 2024
24-cv-00667-JST (N.D. Cal. Oct. 1, 2024)

Opinion

ADRIENNE ST. AUBIN, Plaintiff, v. CARBON HEALTH TECHNOLOGIES, INC., Defendant.


ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS

JON S. TIGAR UNITED STATES DISTRICT JUDGE

Re: ECF No. 19

Before the Court is Defendant Carbon Health Technologies, Inc.'s (“Carbon Health”) motion to dismiss Plaintiff Adrienne St. Aubin's class action complaint. ECF No. 19. The Court will grant the motion in part and deny it in part.

I. BACKGROUND

The facts are taken from the complaint except where otherwise stated. See AE ex rel. Hernandez v. Cnty. of Tulare, 666 F.3d 631, 636 (9th Cir. 2012) (“[W]e accept the factual allegations of the complaint as true and construe them in the light most favorable to the plaintiff.”).

Carbon Health is a health care provider. ECF No. 1 ¶ 11. Patients can book appointments to access medical care and manage their treatment or diagnosis of medical conditions through Carbon Health's website (the “Carbon Website”). Id.

Facebook offers Facebook Pixel--a segment of code--to advertisers to integrate into its website. Id. ¶ 26. “The Facebook Pixel tracks the people and type of actions they take.” Id. (internal quotation omitted). Carbon Health includes Facebook Pixel on the Carbon Website. Id. ¶ 27. When a user accesses a website hosting Facebook Pixel, the embedded code directs the user's browser to contemporaneously send a separate message to Facebook's servers. Id. ¶ 26. This transmission contains data that Facebook Pixel is automatically configured to capture, including a web page's Universal Resource Locator (“URL”). Id. ¶¶ 25-26. The Carbon Website URL contains information about the healthcare page a patient has viewed, including a description of the type of care a patient is seeking. Id. ¶ 55. When a patient books an appointment, Facebook also intercepts information about the type of appointment the patient is booking along with the name of the clinic where the patient will have their appointment. Id. ¶ 56.

Plaintiff refers to Meta as “Facebook” throughout her complaint. Although the entity's legal name is Meta, for consistency in quoting from Plaintiff's complaint, the Court will refer to Meta as Facebook except when quoting other courts.

When a user is logged into Facebook while accessing the Carbon Website, additional cookies are transmitted to Facebook that enable Facebook to link a user to their Facebook ID and corresponding Facebook profile. Id. ¶¶ 58-67. Contemporaneously, Facebook also intercepts a patient's personally identifiable information, including their Facebook ID. Id. ¶ 57.

Facebook processes this information, analyzes it, and assimilates it into relevant internal datasets. Id. ¶ 35. Ultimately, Facebook uses the gathered data to help Carbon Health with advertising to its own patients outside the Carbon Website, and to help other Facebook advertisers with targeted advertising relating to the conditions patients searched for on the Carbon Website. Id. ¶ 31.

Similarly, Google offers Google Analytics Pixel (“Google Pixel”)--a segment of code--to advertisers to install on their website. Id. ¶ 37. Carbon Health chose to include Google Pixel on the Carbon Website. Id. ¶ 100. Google directly receives the electronic communications of website visitors entered on websites via features such as search bars. Id. ¶ 40. Carbon Health shares Carbon users' device identifiers and IP addresses with Google. Id. ¶ 46. Like Facebook, Google intercepts information about: (1) the reason patients booked a medical appointment on Defendant's Carbon Website and the location for those appointments; and (2) patients' IP addresses and device identifiers that could be used to personally identify patients. Id. ¶ 68.

According to Plaintiff, by using Facebook Pixel and Google Analytics, Carbon Health enables Facebook and Google to intercept the identities and online activity of Carbon Health's patients, including information related to the type of medical treatment patients are seeking and the health concerns for which they book appointments. Id. ¶ 52.

Plaintiff has used the Carbon Website since 2021. Id. ¶ 7. She first used the website to schedule an appointment to obtain a COVID-19 vaccine. Id. Thereafter, she has used the website to schedule additional COVID-19 vaccine appointments and to book an appointment for urgent care. Id. Plaintiff has an active Facebook account which she logged into using the same web browser she used to access the Carbon Website. Id. ¶ 8. Because Facebook and Google intercepted information about the medical appointments Plaintiff scheduled on the Carbon Website--namely, appointments to obtain COVID-19 vaccinations--she received digital advertisements related to the COVID-19 vaccination. Id. ¶ 7.

Plaintiff alleges that Carbon Health's actions violate: (1) the California Information Privacy Act (“CIPA”), Cal. Penal Code § 630, et seq.; (2) the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56.10(a), 56.36(b), 56.36(c); and (3) her right against invasion of privacy under the California Constitution, Cal. Const. Art. I, § 1.

II. JURISDICTION

The Court has jurisdiction pursuant to 28 U.S.C. § 1332(d)(2)(A).

III. REQUEST FOR JUDICIAL NOTICE

The Court first addresses Carbon Health's request for judicial notice. Carbon Health requests that the Court take judicial notice of: (1) Facebook's Terms of Service available online at: https://www.facebook.com/legal/terms and (2) Google's Privacy Policy, available online at: https://policies.google.com/privacy?hl=en-US. ECF No. 19 at 8 n.1.

“Generally, district courts may not consider material outside the pleadings when assessing the sufficiency of a complaint under Rule 12(b)(6).” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 998 (9th Cir. 2018). Plaintiff opposes the request for judicial notice because the materials are outside the scope of her complaint, and because the information on third party websites is not capable of accurate and ready determination. ECF No. 25 at 8-9.

In support of its request, Carbon Health cites Perkins v. LinkedIn Corp., which held that “[p]roper subjects of judicial notice when ruling on a motion to dismiss include . . . publically [sic] accessible websites.” 53 F.Supp.3d 1190, 1204 (N.D. Cal. 2014). This Court does not agree that all publicly accessible websites are judicially noticeable, as it explained in Rollins v. Dignity Health, 338 F.Supp.3d 1025 (N.D. Cal. 2018):

There are at least a trillion web pages on the Internet, and many of the documents within those pages are unsupported, poorly supported, or even false. Of course, that does not make all of those documents inadmissible for all purposes. But they are not inherently reliable, and courts should be cautious before taking judicial notice of documents simply because they were published on a website. That is particularly so when a party seeks to introduce documents it created and posted on its own website, as Dignity does here. When a non-governmental entity to seek judicial notice of its paper records, the request is properly rejected because such documents are subject to reasonable dispute. See, e.g., Ladore v. Sony Comput. Entm't Am., LLC, 75 F.Supp.3d 1065, 1074 (N.D. Cal. 2014) (rejecting request to judicially notice corporate terms of service because moving party “cannot establish that these documents' ‘accuracy cannot reasonably be questioned.'”). That the same entity posts them on a “publicly available” website does not change that essential fact and does not make them “public records” for purposes of the judicial notice rules.
Id. at 1032-33.

The reasoning of Rollins applies here. The documents in question are the records of a nongovernmental entity, and they are subject to reasonable dispute, or at least some degree of discovery. Carbon Health's request for judicial notice is denied.

IV. LEGAL STANDARD

To survive a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), a complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Dismissal “is appropriate only where the complaint lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory.” Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). “[A] complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Factual allegations need not be detailed, but facts must be “enough to raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555.

“A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. While this standard is not “akin to a ‘probability requirement,' . . . it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556). In determining whether a plaintiff has met the plausibility requirement, a court must “accept all factual allegations in the complaint as true and construe the pleadings in the light most favorable” to the plaintiff. Knievel v. ESPN, 393 F.3d 1068, 1072 (9th Cir. 2005). A plaintiff may “plead[] facts alleged upon information and belief where the facts are peculiarly within the possession and control of the defendant or where the belief is based on factual information that makes the inference of culpability plausible.” Soo Park v. Thompson, 851 F.3d 910, 928 (9th Cir. 2017) (quoting Arista Recs., LLC v. Doe 3, 603 F.3d 110, 120 (2d Cir. 2010)).

V. DISCUSSION

Carbon Health argues that Plaintiff fails to state a claim under (1) the CIPA; (2) the CMIA; or (3) the California Constitution. ECF No. 19.

A. CIPA § 631(a)

Section 631(a) of the CIPA creates four avenues for relief:

(1) where a person “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument”;
(2) where a person “willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit”;
(3) where a person “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained”; and
(4) where a person “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above.”
Javier v. Assurance IQ, LLC, 649 F.Supp.3d 891, 897 (N.D. Cal. 2023) (citing Cal. Penal Code § 631(a) (internal numbering in original)). Plaintiff alleges that Carbon Health has violated the fourth clause of Section 631(a), i.e., that “Defendant aided, agreed with, and conspired with third parties, including, Facebook and Google, to track and intercept Plaintiff's and Class Members' internet communications while accessing the [Carbon] Website.” ECF No. 1 ¶ 97. Carbon Health argues that Plaintiff fails to state a Section 631(a) claim. ECF No. 19 at 10-17. Because the fourth clause of Section 631(a) depends on first establishing a violation of the first, second, or third clauses, the Court starts by addressing whether Plaintiff has successfully alleged an underlying violation. Mastel v. Miniclip SA, 549 F.Supp.3d 1129, 1137 (E.D. Cal. 2021).

a. Subsection (a)(1)

Defendant argues that the first clause does not apply here because it does not apply to internet communications. ECF No. 19 at 11. The Court agrees.

Section 631(a)'s first clause prohibits “any person who by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system.” Cal. Penal Code § 631 (emphasis added). “Thus, by its plain terms, the statute prohibits unauthorized connection with transmissions related to ‘telegraph or telephone' technologies.” Swarts v. Home Depot, Inc., 689 F.Supp.3d 732, 743 (N.D. Cal. 2023).

This Court previously rejected the application of Section 631(a)'s first clause to internet transmissions. Id.; see also Cody v. Ring LLC, No. 23-CV-00562-AMO, 2024 WL 735667, at *3 (N.D. Cal. Feb. 22, 2024) (finding that “[c]lause one of Section 631(a) prohibits telephonic wiretapping, which does not apply to the internet ....”). The Court adopts its earlier holding and dismisses Plaintiff's claim under Section 631(a)'s first clause.

b. Subsection (a)(2)

In moving to dismiss Plaintiff's claims based on the second clause of Section 631(a), Carbon Health argues that Plaintiff has failed to allege that (1) the “contents” of a communication; (2) were intercepted while in transit. ECF No. 19 at 12-15.

i. Contents of a Communication

Carbon Health argues that Plaintiff has not pleaded any facts supporting that she “communicated” anything to the Carbon Website, and that the URL information she transmitted does not constitute “contents” under the CIPA. ECF No. 19 at 12-13. Plaintiff responds that “URLs that could divulge a user's personal interests, queries, and habits are sufficient to constitute communications under the CIPA.” ECF No. 25 at 10.

“[W]hen users enter URL addresses into their web browser using the ‘http' web address format, or click on hyperlinks, they are actually telling their web browsers [] which resources to request and where to find them.” In re Zynga Privacy Litig., 750 F.3d 1098, 1101 (9th Cir. 2014). In determining whether URLs constitute “contents” under the CIPA, courts have distinguished between URLs that contain basic identification and address information, and those that contain a search term or similar information communicated by the user. In re Facebook, Inc. Internet Tracking Litig. (“Facebook Tracking”), 956 F.3d 589, 605 (9th Cir. 2020) (full-string, detailed URLs can divulge a user's personal interests, queries, and habits on third-party websites). Descriptive URLs that reveal specific information about a user's queries reflect the “contents” of a communication. See In re Google RTB Consumer Priv. Litig., 606 F.Supp.3d 935, 949 (N.D. Cal. June 13, 2022) (finding under the Electronic Communications Privacy Act (ECPA), that “referrer URL that caused navigation to the current page”; “details about the publisher object of the site or app”; and “details about the content within the site or app” all constituted “content”); Brown v. Google LLC, 685 F.Supp.3d 909, 936 (N.D. Cal. 2023) (“full-string detailed URL[s]” containing “users' actions on a website, and their search queries” can constitute content). The complaint's allegation that Carbon Health transmitted descriptive URLs suffices to allege a violation of the CIPA. See, e.g., ECF No. 1 ¶ 55 (“This information includes the description of the type of care patient is seeking, which is included in the URL.”)

The Ninth Circuit's holding that a descriptive URL was the “contents” of a “communication” was decided in regards to a claim for an invasion of privacy under the California Constitution. 956 F.3d at 601. The Court nonetheless finds instructive the distinction made there between descriptive URLs and merely record or informational URLs.

Carbon Health argues that “Plaintiff's examples of hypothetical searches on Carbon Health's website are wholly insufficient.” ECF No. 26 at 15 (emphasis omitted). But Plaintiff's complaint contains examples of actual searches, including screenshots. See, e.g., ECF No. 1 at 16.

In re Zynga Priv. Litig., 750 F.3d 1098, and Brodsky v. Apple Inc., 445 F.Supp.3d 110 (N.D. Cal. 2020), cited by Carbon Health, are not to the contrary. First, the Zynga court observed that “[u]nder some circumstances, a user's request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” In re Zynga Priv. Litig., 750 F.3d at 1108-09 (emphasis added). However, in Zynga, ultimately the “information at issue . . . include[d] only basic identification and address information, not a search term or similar communication made by the user, and therefore [did] not constitute the contents of a communication.” Id. Similarly, in Brodsky, the court found that Apple's interception of plaintiffs' usernames and passwords was only record information that did not constitute the contents of a communication. 445 F.Supp.3d at 127. Neither Zynga nor Brodsky assist Carbon Health.

Defendant's attempt to distinguish In re Meta Pixel Healthcare Litig., 647 F.Supp.3d 778, 795 (N.D. Cal. 2022) also fails. Defendant contends that In re Meta Pixel is easily distinguishable because there is a difference between Facebook Pixel being present “inside patient portals,” as it was in that case, versus on the appointment page, as alleged here. ECF No. 26 at 9. The Court finds this to be a distinction without a difference. Ultimately, the question for the Court is whether Plaintiff has alleged that the URLs transmitted to Facebook and Google through their respective embedded Pixel codes contains a search term or similar communication made by the user. In re Zynga Priv. Litig., 750 F.3d at 1108-09; see also In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 795-796. The Court finds that Plaintiff has done so.

Here, Plaintiff provides examples of how her searches and appointment bookings create descriptive URLs. “For example, if a patient searches for ‘pap smear,' they will be taken to the [Carbon] Website page with the URL: carbonhealth.com/get-care/pap-smear.” ECF No. 1 ¶ 55. When a patient books an appointment for cold and flu symptoms, the URL contains: “(1) the ‘appointment-reason' ‘cold-flu-symptoms'”; and the location of the appointment--“location=alameda-ca.” Id. ¶ 56. These are the URLs that are collected by Facebook and Google, Id. ¶¶ 56, 68, and they contain communication content. Because Plaintiff has sufficiently pleaded that the URLs transmitted to Facebook and Google include a patient's symptoms or the reason for her medical appointment, she sufficiently alleges the contents of a communication. See In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 795-796 (finding that descriptive URLs such as “hardfordhospital.org/services/digestive-health/conditions-we-treat/colorectal-small-bowel-disorders/ulcerative-colitis” with a “path” and “query string” are contents of a communication.)

ii. In Transit

Next, Carbon Health argues that Plaintiff fails to allege with specificity that the alleged interception occurred while the communications were in transit. ECF No. 19 at 14-15. Plaintiff responds with two arguments. First, Plaintiff argues that “even if Plaintiff's communications were not intercepted ‘in transit' . . . her communications were ‘sent from, or received at, a place within this state.'” ECF No. 25 at 12. Second, she contends that she has alleged detailed facts showing that communications were intercepted in transit. Id. at 13. Clause two of Section 631(a) has three requirements “(1) the absence of consent; (2) the party exception; and (3) the ‘while . . . in transit' requirement.” Valenzuela v. Keurig Green Mountain, Inc., 674 F.Supp.3d 751, 756 (N.D. Cal. 2023).

For her first argument, Plaintiff reads Section 631(a) in the disjunctive, arguing that it imposes liability for eavesdropping on a communication “while [it] is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state.” ECF No. 25 at 12 (quoting Cal. Penal Code § 631(a) (emphasis added by Plaintiff)). Plaintiff misreads the statute. With regard to the third requirement of the second clause, “‘[w]hile' is the key word,” Valenzuela v. Keurig Green Mountain, Inc., 674 F.Supp.3d 751, 758 (N.D. Cal. 2023), and it applies to all of the sentence that follows. “‘[W]hile' implies [that] the interception must occur contemporaneous[ly] with the sending or receipt of the message.” Id. at 759. Plaintiff cannot avoid the simultaneity requirement merely because she sends or receives a message in California. Id.

Thus, the only remaining question is whether Plaintiff has plausibly alleged interception. The Court finds that she has.

At the motion to dismiss stage, a plaintiff is not required to allege how and when their communications are captured. In re Vizio, Inc. Consumer Priv. Litig., 238 F.Supp.3d 1204, 1228 (C.D. Cal. 2017). “A pleading standard to the contrary would require the CIPA plaintiff to engage in a one-sided guessing game because the relevant information about data capture typically resides uniquely in the custody and control of the CIPA defendant and its third-party recorder. Still, a CIPA plaintiff ‘must provide fair notice to [d]efendant' of how and when she ‘believe[s]' the defendant or the conspiring third party intercepts her communications.” D'Angelo v. Penny OpCo, LLC, No. 23-CV-0981-BAS-DDL, 2023 WL 7006793, at *8 (S.D. Cal. Oct. 24, 2023).

Under this standard, and with respect to Facebook Pixel, Plaintiff's allegations are more than “threadbare recitals of a cause of action's elements, supported by mere conclusory statements.” Iqbal, 556 U.S. at 663. She alleges that:

When a user accesses a website hosting the Facebook Pixel, Facebook's software script surreptitiously directs the user's browser to contemporaneously send a separate message to Facebook's servers. This second, secret transmission contains the original GET request sent to the host website, along with additional data that the Facebook Pixel is configured to collect. This transmission is initiated by Facebook code and concurrent with the communications with the host website. At relevant times, two sets of code are thus automatically run as part of the browser's attempt to load and read Defendant's [Carbon] Website--Defendant's own code, and Facebook's embedded code.
ECF No. 1 ¶ 26.
Facebook's embedded code, written in JavaScript, sends secret instructions back to the individual's browser, without alerting the individual that this is happening. Facebook causes the browser to secretly duplicate the communication with Carbon Health, transmitting it to Facebook's servers, alongside additional information that transcribes the communication's content and the individual's identity.
ECF No. 1 ¶ 34.

Carbon Health's cited authority does not say otherwise. See Smith v. Facebook, Inc., 262 F.Supp.3d 943, 951, aff'd, 745 Fed.Appx. 8 (9th Cir. 2018); Barbour v. John Muir Health, No. C22-01693, 2023 WL 2618967, at *5 (Cal. Super. Ct. 2023) (“Barbour I”), and Order Sustaining Defendant's Demurrer on the First Amended Complaint, Isaac v. Northbay Healthcare Corp., No. FCS059353 (Cal. Super. Ct. Solano Cnty. June 7, 2024) (“Isaac Dismissal Order”).

First, the Smith court held that “embedding third-party code cannot confer personal jurisdiction over a website operator in the forum where the third party resides” because “[b]esides triggering a second GET request in the user's browser, the Healthcare Defendants play no part in the exchange of data between Facebook and [p]laintiffs.” Smith, 262 F.Supp.3d at 952 (N.D. Cal. 2017). The court did not discuss the “in transit” requirement of Section 631(a) or the related requirement that the transmission should be contemporaneous; instead, it discussed the transmissions in the context of personal jurisdiction.

Second, both Barbour and Isaac stand for the proposition that the key to the interception analysis is whether the plaintiff alleges that transmission was simultaneous. See ECF No. 25-1 at 7 (Minute Entry Adopting Tentative Ruling, Barbour v. John Muir Health, No. C22-01693 (Cal. Super. Ct. Contra Costa Cnty. May 18, 2023) (“Barbour II” clarifying Barbour I) (“the key to the Court's prior analysis was not the multiplicity of electronic messages involved, but their sequentiality or non-simultaneity”); see also Isaac Dismissal Order (finding that plaintiff failed to allege simultaneous transmission). But here, Plaintiff does allege simultaneity. ECF No. 1 ¶ 26 (stating “[t]his transmission is initiated by Facebook code and concurrent with the communications with the host website” (emphasis added)). Plaintiff has therefore alleged sufficient facts to defeat a motion to dismiss with respect to Facebook Pixel.

With respect to Google Pixel, however, Plaintiff alleges that “Defendant's integration of the Google Analytics Pixel similarly allows Google to intercept information,” but does not allege how such interception occurs. ECF No. 1 ¶¶ 40, 68. Conclusory allegations that “do not indicate when the interception occurs” fail to support a claim under § 631(a). Swarts, 689 F.Supp.3d at 746 (N.D. Cal. 2023) (emphasis in original).

Carbon Health's motion to dismiss Plaintiff's Section 631(a) claim based on the second clause is therefore granted with respect to Google Pixel and denied with respect to Facebook Pixel.

c. Subsection (a)(3)

A violation under the third clause of § 631(a) is contingent upon a finding of a violation of the first or second clause of Section 631(a). Mastel, 549 F.Supp.3d at 1137 (E.D. Cal. 2021).

Defendant argues that because Plaintiff failed to make a showing under the first or second clause, Plaintiff's claim under the third clause also fails. ECF No. 19 at 15-16.

Because the Court dismissed Plaintiff's claim under the first clause and dismissed Plaintiff's claim under the second clause in part, the Court finds that only Plaintiff's clause two claim with respect to Facebook Pixel can survive under clause three of Section 631(a).

d. Subsection (a)(4)

A party may be held vicariously liable under the fourth clause of Section 631 where it “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things” prohibited in the first three clauses. Mastel, 549 F.Supp.3d at 1137; see also Cal. Penal Code § 631(a). As with clause three, because the Court dismissed Plaintiff's claim under the first clause, and dismissed Plaintiff's claim under the second clause in part, the Court analyzes only whether Plaintiff has sufficiently stated a claim with respect to Facebook Pixel.

Carbon Health argues that Plaintiff's claims must be dismissed because she fails to allege that Carbon Health had any intent to aid or abet a violation of the CIPA, and because Plaintiff consented to the collection of her health information. ECF No. 19 at 16-17.

i. Intent to Aid

Carbon Health argues that Plaintiff's clause four claim is deficient because she fails to allege that “Carbon Health had the requisite intent to have aided and abetted any such violation.” ECF No. 19 at 16. Plaintiff responds that Carbon Health improperly inserts a “criminal intent standard to this civil case.” ECF No. 25 at 15. She argues that the use of the word “aid” in clause four simply means that a defendant enables another's wrongdoing. Id. at 16.

The plain text of the statute imposes liability on any person “who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned” in clauses one through three. Cal. Penal Code § 631(a). The statute as worded does not include an intent standard.

Some courts have adopted the common law civil tort definition of aiding and abetting in construing section 631 claims. Rodriguez v. Ford Motor Co., No. 23-cv-00598-RBM-JLB, 2024 WL 1223485, at *15 (S.D. Cal. Mar. 21, 2024); see also Esparza v. UAG Escondido A1 Inc., No. 23-cv-0102-DMS(KSC), 2024 WL 559241, at *6 (S.D. Cal. Feb. 12, 2024). Under the common law civil tort definition, a person may be held liable for aiding and abetting if they:

(a) know[] the other's conduct constitute[s] a breach of duty and give[] substantial assistance or encouragement to the other to so act;
or
(b) give[] substantial assistance to the other in accomplishing a tortious result and the person's own conduct, separately considered, constitutes a breach of duty to the third person.
Esparza, 2024 WL 559241, at *6.

Other courts have taken a different approach. In Cousin v. Sharp Healthcare, for example, defendants contended--as Defendant does here--that “aids” should be construed to impose the intent requirement for a finding of “aiding and abetting.” 681 F.Supp.3d 1117 (S.D. Cal. 2023) (“Cousin I”). The Cousin I court rejected that argument, as follows:

Defendant's contention that “aids” means “aiding and abetting” ignores the “agrees with, employs, or conspires with” language of the clause. Defendant provides no case law requiring the Court to analyze “aids, agrees with, employs, or conspires with” as solely “aiding and abetting.”
Id. at 1130. The Court finds the approach in Cousin more persuasive because it more closely follows the language of the statute. Accordingly, the Court examines whether Plaintiff here has sufficiently alleged that Defendant aided, agreed with, employed, or conspired with Facebook.

Plaintiff alleges as follows in that regard:

• Carbon Health chose to include Facebook Pixel on its [Carbon] Website. ECF No. 1 ¶ 27.
• The Facebook Pixel code enables Facebook to help Carbon Health with advertising to its own patients outside the [Carbon] Website, but also includes individual patients among groups targeted by other Facebook advertisers relating to the conditions about which patients communicated on Defendant's Carbon Website. Id. ¶ 31.
• By installing and enabling Facebook Pixel, Carbon Health assisted Facebook with intercepting the identities and online activity of patients, including information related to the type of medical treatment patients were seeking and for which they booked appointments. Id. ¶ 52.
• Carbon Health assisted these interceptions without Plaintiff St. Aubin's knowledge, consent, or express written authorization. Id. ¶ 9.

These allegations are sufficient to show that Carbon Health aided, agreed with, employed, or conspired with Facebook. Carbon Health's motion to dismiss on that ground is denied.

ii. Consent

Next, Carbon Health argues that Carbon Website users “consented to those entities' data tracking and collection practices pursuant to their terms and policies when they signed up for their accounts.” ECF No. 19 at 16. Because the Court has declined to take judicial notice of the documents on which this argument depends, the Court rejects the argument.

Even if the Court were to consider the proffered documents, however, it would probably not rule in Defendant's favor. User consent must be actual--that is, “the disclosures must ‘explicitly notify' users of the conduct at issue.” Calhoun v. Google, LLC, No. 22-16993, 2024 WL 3869446, at *5 (9th Cir. Aug. 20, 2024) (internal citations omitted). “Consent is only effective if the person alleging harm consented ‘to the particular conduct, or to substantially the same conduct' and if the alleged tortfeasor did not exceed the scope of that consent.” Id. (quoting Tsao v. Desert Palace, Inc., 698 F.3d 1128, 1149 (9th Cir. 2012)). Defendant bears the burden of establishing that Plaintiff consented to the transmissions. Id. The governing standard is what a “reasonable user” of a service would understand they were consenting to, not what a technical expert would. Id. at *7.

As another court in this district has already found, “Meta's policies do not . . . specifically indicate that Meta may acquire health data obtained from Facebook users' interactions with their medical providers' websites. Its generalized notice is not sufficient to establish consent.” In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 793. Carbon Health contends that In re Meta Pixel is easily distinguishable because there is a difference between Facebook Pixel being present “inside patient portals,” versus, as alleged here, on the appointment page, ECF No. 26 at 14, but the distinction is irrelevant. Thus, if the issue were properly presented, the Court would be likely to follow In re Meta Pixel.

Carbon Health's motion to dismiss Plaintiff's Section 631(a) claim is denied with respect to Plaintiff's Facebook Pixel claims but granted with respect to Plaintiff's Google Pixel claims.

B. CMIA

The CMIA provides that “[a] provider of health care . . . shall not disclose medical information regarding a patient . . . or an enrollee or subscriber . . . without first obtaining an authorization . . . .” Cal. Civ. Code § 56.10(a). The CMIA also creates a private right of action for violations of the Act. Id. § 56.36(b).

Carbon Health argues that Plaintiff's CMIA claim should be dismissed because she fails to plead (1) disclosure of her medical information; and (2) that any third party improperly viewed the medical information.

1. Medical Information

The CMIA defines “medical information” as “any individually identifiable information, in electronic or physical form . . . regarding a patient's medical history, mental health application information, mental or physical condition, or treatment.” Cal. Civ. Code § 56.05(j).

“[M]edical information cannot mean just any patient-related information held by a health care provider but must be ‘individually identifiable information' and [] include ‘a patient's medical history, mental or physical condition, or treatment.' This definition does not encompass demographic or numeric information that does not reveal medical history, diagnosis, or care.” Eisenhower Med. Ctr. v. Superior Ct., 226 Cal.App.4th 430, 435 (Cal.Ct.App. 2014). The “fact that he or she was a patient is not in itself medical information.” Id. at 436.

In Wilson v. Rater8, LLC, the plaintiff alleged that defendants “disclosed [p]laintiff's name, cellular telephone number, ‘treating physician names, medical treatment appointment information, and medical treatment discharge dates and times' to [defendant].” No. 20-CV-1515-DMS-LL, 2021 WL 4865930, at *5 (S.D. Cal. Oct. 18, 2021). The Wilson court held that “[w]hile some of this information is ‘individually identifiable,' none of it constitutes ‘medical information' within the meaning of the statute.” Id.

Carbon Health moves to dismiss Plaintiff's CMIA claim because she fails to allege the disclosure of any medical information. ECF No. 19 at 19-22. Carbon Health also argues that the complaint contains only hypothetical scenarios regarding the disclosure of medical information. Id.; see also ECF No. 1 ¶¶ 53-56.

Plaintiff alleges that the URLs transmitted to Facebook and Google include: (1) the reason patients booked a medical appointment and the location for those appointments; and (2) patients' identifiable information including their device IDs, IP addresses, or Facebook IDs that could be used to personally identify patients. Id. ¶¶ 55-72. This constitutes a person's “mental or physical condition” or a course of treatment falling under the CMIA's definition of “medical information.” Barbour, 2023 WL 2618967, at *7 (finding that plaintiff's allegations explaining searches for doctors, doctors' specialties, and doctor's appointments-that reveal plaintiffs' medical conditions, treatments, and medical history adequately pleaded that the information in question was “medical information”; discussing that “it takes little deduction to ascertain that a person who searched for a cardiologist may have a heart condition and may seek treatment for their perceived symptoms.”)

As stated above, Carbon Health's contention that Plaintiff failed to allege that the tracking technologies “were present inside any patient portal on the Carbon Health website” is irrelevant. ECF No. 19 at 18. Regardless of whether the technologies were inside a patient portal, or whether they were on the appointment page, the question is whether the transmission of a URL containing the nature of the appointment constitutes medical information. The Court finds that it does. Nienaber v. Overlake Hosp. Med. Ctr., No. 2:23-CV-01159-TL, 2024 WL 2133709, at *3 (W.D. Wash. May 13, 2024) (“The collection and transmission of information from unauthenticated web pages (i.e., pages that do not require a user to log in to access the website) may be actionable as well if the information disclosed demonstrates that the plaintiff's interactions plausibly relate to the provision of healthcare, or if the information connects a particular user to a particular healthcare provider (i.e., patient status).”).

Defendant's authorities are inapposite because they do not involve information that revealed the nature of a patient's treatment. For example, in B.K. v. Eisenhower Med. Ctr., plaintiffs failed to allege with any specificity what medical information was allegedly disclosed. No. 23-cv-2092-JGB-KKX, 2024 WL 878100, at *4 (C.D. Cal. Feb. 29, 2024), on reconsideration in part, No. 23-cv-2092 JGB (DTBX), 2024 WL 2037404 (C.D. Cal. Apr. 11, 2024). Similarly in Wilson, the court dismissed the CMIA claim because the complaint contained only the conclusory statement that defendants disclosed “plaintiff's name, cellular telephone number, treating physician names, medical treatment appointment information, and medical treatment discharge dates and times.” 2021 WL 4865930, at *5. The Wilson plaintiff did not allege with any specificity any facts about the “medical treatment appointment information” other than “[p]laintiff's contact information and appointment date.” Id.

The Court therefore finds that Plaintiff has adequately alleged the disclosure of information “reveal[ing] medical history, diagnosis, or care” within the meaning of the CMIA.

2. Viewing By Unauthorized Third Party

Defendant argues that Plaintiff's CMIA claim fails because “she does not allege that the information was actually viewed by an unauthorized person-as she must to assert a CMIA claim.” ECF No. 19 at 19 (emphasis omitted). Plaintiff responds that “[m]ultiple courts have held that a health care provider's disclosure of PHI to third-party online advertisers is sufficient to plausibly plead viewing under the CMIA where the complaint includes allegations like the ones Plaintiff has made.” ECF No. 25 at 23.

The Court agrees with Plaintiff. In Doe v. Regents of Univ. of California, defendant UC Regents made the same argument Defendant makes here: “that even if plaintiff has alleged that the information was transferred to Meta, she has not sufficiently alleged that it was viewed by an authorized party.” 672 F.Supp.3d 813, 819 (N.D. Cal. 2023) (emphasis in original). The court rejected this argument, finding that plaintiff's allegation that “Meta acted upon the information transmitted to it by tailoring advertisements to her based on her medical condition” was “sufficient to raise a plausible claim that her medical information was inappropriately accessed.” Id. Similarly, in Cousin v. Sharp Healthcare (“Cousin II”), Defendant argued that plaintiffs failed to allege their information was “viewed” and therefore did not state a claim. 702 F.Supp.3d 967, 975 (S.D. Cal. 2023). The court rejected this argument:

Whether Meta, as an entity and not a human being, can “view” information for CMIA purposes is a question the Court cannot resolve at this stage. Similarly, whether the alleged use by Meta of the information, through perhaps algorithms, amounts to viewing or accessing under CMIA is a question the Court cannot answer on Defendant's motion to dismiss. It is sufficiently plausible at this time that Plaintiffs' information was “viewed or otherwise accessed” as contemplated by CMIA.

Id. The court accordingly denied defendant's motion to dismiss plaintiffs' CMIA claim on that basis.

In support of its motion, Defendant cites Barbour v. John Muir Health, an unpublished California superior court case. 2023 WL 2618967 (Cal. Super. Jan. 05, 2023). In Barbour, the court determined that there was no CMIA violation because Facebook may have been able to collect, analyze and use the data at issue “through the use of computers without any human actually laying eyes on it.” Id., at *7. The Court finds Barbour unpersuasive. First, its reasoning that “the information may be collected, analyzed, and used by a third party . . . without any human actually laying eyes on it,” Id. -in other words, that it was possible no human viewed the information-violates the stricture that a complaint's allegations are to be construed in favor of the plaintiff. Knievel, 393 F.3d at 1072; see also Barbour, 2023 WL 2618967, at *1 (“On demurrer the complaint must be liberally construed with a view to substantial justice between the parties.” (citation omitted)). Second, Barbour's holding is unsupported by authority. The case it cites, Sutter Health v. Superior Court, 227 Cal.App.4th 1546 (2014), does not address the question of whether the “viewing” of information by software designed for that purpose satisfies the requirements of the CMIA.

Carbon Health also argues that “Plaintiff's conclusion requires making the unsupported (and improbable) inference that online advertisements for COVID-19 vaccination could only result from booking a vaccination appointment on Carbon Health's website.” ECF No. 19 at 20. The Court does not find the inference improbable. To the contrary, Plaintiff's allegation is at least as probable as Carbon Health's postulated unlikely coincidence. See, e.g., United States v. Mayes, 524 F.2d 803, 807 (9th Cir. 1975) (finding it “too great a coincidence” that the tracks of three persons, including the defendant, joined together near a cache of marijuana). Moreover, “[p]lausibility pleading does not require a plaintiff to foreclose every other avenue by which she could have been harmed[,] . . . [s]he simply must plead facts that raise more than a sheer possibility that the defendant has acted unlawfully.” Doe v. Regents of Univ. of Cal., 672 F.Supp.3d at 819.

Plaintiff alleges that the business models for Facebook and Google use the information gathered from the Carbon Website for targeted advertising (including for Carbon Health). ECF No. 1 ¶¶ 23-26, 31, 43-45. She further alleges that after collecting and intercepting the information, Facebook processes it, analyzes it, and assimilates it into relevant datasets. Id. ¶ 35. Similarly, Google uses the data to personalize content ads on Google and partners' sites. Id. ¶ 42. Finally, she alleges that after scheduling an appointment for her COVID-19 vaccine, Plaintiff received advertisements relating to COVID-19 vaccination. Id. ¶ 7. These allegations are sufficient.

Carbon Health's motion to dismiss is denied with respect to Plaintiff's CMIA claim.

C. California Invasion of Privacy Claim

To maintain a constitutional invasion of privacy claim, a plaintiff must allege: (1) a specific, protected privacy interest; (2) a reasonable expectation of privacy; and (3) a “sufficiently serious” invasion of the privacy interest such that it “constitute[s] an egregious breach of the social norms underlying the privacy right.” Hill v. Nat'l Collegiate Athletic Ass'n, 7 Cal.4th 1, 35-37 (Cal. 1994). Carbon Health argues that Plaintiff fails to plausibly allege any of these elements. ECF No. 19 at 21-23.

1. Protected Privacy Interest

“Legally recognized privacy interests are generally of two classes: (1) interests in precluding the dissemination or misuse of sensitive and confidential information (‘informational privacy'); and (2) interests in making intimate personal decisions or conducting personal activities without observation, intrusion, or interference (‘autonomy privacy').” Hill, 7 Cal.4th at 35. “It is well-settled under California law that, although not absolute, people have a privacy interest in their ‘medical history and information.'” Ojeda v. Kaiser Permanente Int'l., Inc., 2022 WL 18228249, at *6 (C.D. Cal. Nov. 29, 2022). “Medical patients' privacy interests . . . may include descriptions of symptoms, family history, diagnoses, test results, and other intimate details concerning treatment.” Grafilo v. Wolfsohn, 33 Cal.App. 5th 1024, 1034 (Cal.Ct.App. 2019) (internal quotation marks and citations omitted). Because Plaintiff plausibly alleges Carbon Health's disclosure of her confidential medical information to Facebook and Google, as previously described, she sufficiently pleads a protected privacy interest.

2. Reasonable Expectation of Privacy

“The extent of [a privacy] interest is not independent of the circumstances.” Hill, 7 Cal.4th at 36 (internal citation omitted). “Even when a legally cognizable privacy interest is present, other factors may affect a person's reasonable expectation of privacy.” Id. Defendant argues that “Plaintiff provides little support, facts, or further contentions as to why [her] expectation of privacy is reasonable,” especially when there is “no reasonable expectation of privacy in many standard internet transmissions.” ECF No. 19 at 21-22.

The Court finds inapt Defendant's attempts to characterize communications with Carbon Health's website as “standard internet transmissions” and Plaintiff's personal health information as “general information.” ECF No. 19 at 22. Plaintiffs have “an objectively reasonable expectation that their communications with their medical providers [are] confidential based on the laws and regulations protecting the confidentiality of medical information.” In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 800. As Plaintiff alleges, “[p]atients can book appointments with Carbon Health medical providers to access medical care and manage their treatment or diagnosis of medical conditions through” the Carbon Website. ECF No. 1 ¶ 11. These include “patient communications concerning reasons for the appointments they are booking.” Id. ¶ 51. Thus, these are communications that Plaintiff can reasonably expect will remain confidential regardless of Defendant's label. See Dietrick v. Securitas Sec. Servs. USA, Inc., 50 F.Supp.3d 1265, 1276 (N.D. Cal. 2014) (recalling Abraham Lincoln's aphorism that “calling a tail a leg doesn't make it one” (citation omitted)).

Smith v. Facebook, Inc., cited by Carbon Health, is inapposite. In Smith, at issue was Facebook's tracking visits to websites that publish general and publicly available information about medical conditions, such as http://www.cancer.net/. 262 F.Supp.3d at 947-948. The Smith court found that the web pages at issue “contain[ed] general health information that is accessible to the public at large.... Nothing about the URLs, or the content of the pages located at those URLs, relates ‘to the past, present, or future physical or mental health or condition of an individual.'” Id. at 955 (emphasis added). Not so here. As Plaintiff has alleged, the URLs pertain only to appointments the Plaintiff made, and the transmitted URLs contain information regarding the specific symptoms, physical condition, or course of treatment of an individual. ECF No. 1 ¶¶ 56, 68. The pleadings here are sufficient to support a reasonable expectation of privacy.

3. Highly Offensive

“Actionable invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill, 7 Cal.4th at 37. When determining whether an invasion is “highly offensive,” courts consider “the degree and setting of the intrusion,” as well as “the intruder's motives and objectives.” Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 287 (Cal. 2009). Given the factually intensive nature of the inquiry, “[c]ourts are generally hesitant to decide claims of this nature at the pleading stage.” In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 799. Only if the allegations “show no reasonable expectation of privacy or an insubstantial impact on privacy interests” can the “question of [a serious or highly offensive] invasion [] be adjudicated as a matter of law.” Hill, 7 Cal.4th at 40.

Plaintiff contends that there are two reasons why the disclosure here is “highly offensive.” First, she alleges that Carbon Health “states in its Privacy Policy that it ‘will not use Protected Health Information for any purpose that is not defined in [its] HIPAA Privacy Practices, including advertising or marketing purposes, without [patients'] consent.'” ECF No. 1 ¶ 71; see also ECF No. 25 at 29. But, notwithstanding this pledge, Plaintiff alleges that Carbon Health fails to obtain its patients' authorization for the disclosure of medical information to Facebook and Google, among others, for marketing purposes. Id. ¶¶ 112, 119-120. This court joins a colleague court in finding that a defendant's representations that sensitive information would not be disclosed is relevant to whether the disclosure was highly offensive. See Rodriguez v. Google LLC, 2021 WL 2026726, at *8 (N.D. Cal. May 21, 2021).

Second, Plaintiff contends that the disclosure here is highly offensive because it involves Plaintiff's medical information. This Court agrees with other courts that “have refused to dismiss invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved medical information, because the disclosure of such information is more likely to constitute an “egregious breach of the social norms” that is “highly offensive.” In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1143 (C.D. Cal. 2021) (quoting Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 926 (S.D. Cal. 2020)); see also Doe v. Beard, 63 F.Supp.3d 1159, 1170 (C.D. Cal. 2014) (denying motion to dismiss where plaintiff's HIV-positive status was disclosed).

Defendant argues that where the disclosed medical information consists solely of a COVID-19 vaccination appointment, disclosure cannot be highly offensive, citing Ojeda v. Kaiser Permanente Int'l, Inc., No. EDCV 22-1057-MWF (GJS), 2022 WL 18228249, at *7 (C.D. Cal. Nov. 29, 2022). Ojeda does not foreclose Plaintiff's claim. First, Plaintiff alleges disclosure of more than just a COVID-19 vaccination appointment. See ECF No. 1 ¶ 70 (“Plaintiff used Defendant's Website to book COVID-19 vaccine appointments and an urgent care appointment.”). Second, Ojeda did not decide that disclosure of a COVID-19 appointment could never be highly offensive, only that plaintiff in that case had failed to allege “any of the circumstances around the disclosure” and that the court could not determine whether plaintiff had alleged “an egregious breach of social norms” “without these details.” 2022 WL 18228249, at *7 (emphasis added). Here, plaintiff alleges that Defendant implemented a system that surreptitiously allowed third parties, including Facebook and Google, to track, record, and intercept Plaintiff's and other online patients' confidential communications, personally identifiable information, and PHI, and use that information for marketing and other purposes. ECF No. 1 ¶¶ 72, 112. At this stage of the litigation, that is sufficient to allege that Defendant's conduct was highly offensive. The Court therefore denies Defendant's motion on this basis.

CONCLUSION

The Court grants Carbon Health's motion to dismiss with respect to clause one of Section 631(a). The Court grants Carbon Health's motion to dismiss with respect to clauses two, three and four of Section 631(a) with respect to Plaintiff's allegations regarding Google Pixel and denies the motion with respect to Plaintiff's allegations regarding Facebook Pixel. The Court denies Carbon Health's motion to dismiss under the CMIA and the California Constitution.

The Court grants leave to amend. Plaintiff may file an amended complaint within twenty-one days of this order solely to cure the deficiencies identified by this order. If no timely amended complaint is filed, the case will proceed only as to the claims that were not dismissed.

IT IS SO ORDERED.

