Judge Peter Wilson, Case 2023-01321351 2023-08-31 Tentative Ruling

Judge: Peter Wilson, Case: 2023-01321351, Date: 2023-08-31 Tentative Ruling

Defendants Placentia-Linda Hospital, Inc. and Tenet Healthcare Corporation (collectively, Defendants) generally demur to each cause of action in Plaintiff’s Complaint. For the reasons set forth below, the demurrer is SUSTAINED in part and OVERRULED in part. Plaintiff may file an amended complaint within 15 days.

Request for Judicial Notice.

Defendants’ request for judicial notice (ROA 28) of (1) the Woodbridge Declaration filed in In re Meta Pixel Healthcare Litig., Case No. 22-cv-03580 [Exhibit A], (2) Facebook’s Terms of Service [Exhibit B], (3) Facebook’s Privacy Policy [Exhibit C], and (4) Facebook’s Cookies Policy [Exhibit D] is DENIED as to Exhibit A and GRANTED as to Exhibits B-D.

Plaintiff’s request for judicial notice (ROA 36) of the (1) Office for Civil Rights at the U.S. Department of Health and Human Services’ Press Released dated July 20, 2023 [Exhibit 1] and (2) Joint Letter by the HHS Office for Civil Rights and the Federal Trade Commission dated July 20, 2023 [Exhibit 2] is GRANTED.

The Court takes judicial notice of the existence of the documents and the legal effect of the documents, if any, but does not take judicial notice of the truth of statements contained therein or their proper interpretation.

Legal Standard for Demurrer. A general demurrer challenges the legal sufficiency of a complaint on the ground that it fails to state facts sufficient to constitute a cause of action. (Code Civ. Proc. § 430.10(e).) The allegations in the complaint as a whole must be reviewed to determine whether a set of alleged facts constitutes a cause of action. (People v. Superior Court (Cahuenga’s the Spot) (2015) 234 Cal.App.4th 1360, 1376.) A complaint need only meet fact-pleading requirements, which requires a statement of facts constituting a cause of action in ordinary and concise language, and should allege ultimate facts that, as a whole, apprise defendant of the factual basis of the claim. (Code Civ. Proc. §425.10(a)(1); Navarrete v. Meyer (2015) 237 Cal.App.4th 1276, 1284.)

In ruling on a demurrer, the Court follows these long-settled rules: The Court assumes the truth of the properly pleaded factual allegations, facts that reasonably can be inferred from those expressly pleaded and matters of which judicial notice has been taken. The Court accepts as true even improbable alleged facts, and does not concern itself with the plaintiff's ability to prove the factual allegations. However, the Court is not required to accept the truth of the factual or legal conclusions pleaded in the complaint. (Marina Pac. Hotel & Suites, LLC v. Fireman's Fund Ins. Co. (2022) 81 Cal. App. 5th 96, 104–05, 296 Cal. Rptr. 3d 777, 784.)

First Cause of Action - CIPA.

Penal Code § 631(a) provides:

Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine …”

“CIPA prohibits any person from using electronic means to “learn the contents or meaning” of any “communication” “without consent” or in an “unauthorized manner.” Cal. Pen. Code § 631(a).” (In re Facebook, Inc. Internet Tracking Litig. (9^th Cir. 2020) 956 F.3d 589, 607.) Liability only applies to third parties, not parties to the communication. (Id.; see Warden v. Kahn (1979) 99 Cal.App.3d 805 [“[S]ection 631 ... has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.”])

Defendants argue that Plaintiff’s claim for violation of CIPA fails because “(1) she does not allege Defendants transmitted the contents of Plaintiff’s communications; (2) Plaintiff has not pled aiding and abetting with specificity; (3) Plaintiff consented to the conduct she now challenges; and (4) she does not allege Defendants intercepted Plaintiff’s communications.”

Contents.

“The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” (In re Meta Pixel Healthcare Litig., No. 22-cv-03580-WHO (N.D. Cal 2022) 2022 WL 17869218, at *14.) Under the Wiretap Act, the term “‘contents’ refers to the intended message conveyed by the communication – “any information concerning the substance, purport, or meaning” of the communication (18 U.S.C. §2510) – and does not include record information regarding the characteristics of the message that is generated in the course of the communication.” (In re Zynga Priv Litig. (9th Cir. 2014) 750 F.3d 1098, 1106.)

Therefore, tracking “keystrokes, mouse clicks, [and] pages viewed” are not “content” under CIPA. (Yoon, v. Lululemon USA, Inc. (C.D. Cal. 2021) 549 F. Supp. 3d 1073, 1082-83 (“[n]one of these pieces of data constitutes message content in the same way that words of a text message or an email do”); Graham v. Noom, Inc. (N.D. Cal. 2021) 533 F. Supp. 3d 823, 832-33; Johnson v. Blue Nile, Inc., No. C 20-08183 LB (N.D. Cal. Apr. 8, 2021) 2021 WL 1312771, at *3 (providing that IP addresses are “not content”).

The Complaint here alleges more than just keystrokes, mouse clicks, and pages viewed. Plaintiff alleges she used Defendants’ Website to identify a medical provider and schedule a procedure, and that her communications, along with her Facebook ID, were intercepted by Facebook through Pixel and linked to her Facebook profile. Complaint, ¶¶140-141, 143. The Complaint alleges this is the kind of information protected by HIPAA. Complaint, ¶142. Further, the Complaint provides examples of information that may have been transmitted on the “Find a Doctor” page and the appointment page, but does not allege that Plaintiff actually used these pages or conveyed any information on these pages. See e.g. Complaint, ¶¶59-61, 77-90.

These allegations are not sufficient to show that the contents of any of Plaintiff’s communications were disclosed. (See Cousins v. Sharp Healthcare, No. 22-CV-2040-MMA (DDL) S.D. Cal. July 12, 2023) 2023 WL 4484441, at *3, 9 [allegations of disclosure of personal, confidential, health information were conclusory and lacked factual support since plaintiff did not allege, among other things, what information was provided to defendant, and provided as an example a search by a hypothetical patient].) Here, where specific contents are alleged, for example the “I have dementia” search query, it is unclear whether this is being given as a hypothetical example or pertains to an actual class member patient.

Aiding and Abetting.

Plaintiff correctly argues that Penal Code § 631(a) imposes liability on one who “aids, agrees with, employs, or conspires” with another violator and that she need not meet the criminal standard for aiding and abetting. It is sufficient for Plaintiff to allege Defendants intentionally procured Meta Pixel or other tracking apps and installed it on their website in order to satisfy this requirement. (Cousin, 2023 WL 4484441, at *9.) And the Complaint does make such allegations. Complaint, ¶¶ 3, 10, 41, 160.

Consent

Defendants argue that because Plaintiff alleges she is an “active user” of Facebook, she cannot plausibly allege Defendants’ conduct was unauthorized. The Court disagrees.

Other courts have determined that disclosures in privacy policy does not constitute consent.

The Ninth Circuit has held, however, that such privacy policies do not bind users: “where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on—without more—is insufficient to give rise to constructive notice.” Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1178–79 (9th Cir. 2014).

(Yoon v. Lululemon USA, Inc. (C.D. Cal. 2021) 549 F. Supp. 3d 1073, 1081.)

Further, Facebook’s terms of service and privacy policies explain that Facebook does not sell personal data, share information that directly identifies the user (your name, email address or other contact information) unless permission is given, and advises users that they have control over information that is collected and shared through the privacy settings. ROA 24, Ex. B, p. 2; Ex. C, p. 46 [in regard to third parties, Facebook represents it does not sell information to third parties and that it requires partners and other third parties to follow rules about how they can and cannot use and disclose information that Facebook provides] and pp. 8, 20, 22, 23, 40-41, 43, 59; Ex. D, p. 13 [user can choose cookies and delete them].

The Complaint repeatedly alleges Plaintiff did not give her authorization to collect and share health and personal identifying information about her. Complaint, ¶¶18, 95, 143, 152.

Given that Facebook permits the user some control over the information that is collected and shared about them, and that Facebook’s policies exclude the collection of private or confidential health information, the Court cannot conclude that Plaintiff agreed to have such information about her collected and shared.

Interception.

A communication is confidential under Penal Code § 632 if it occurs “when the contents of a wire communication are captured or re-directed in any way.” (Noel v. Hall (9^th Cir. 2009) 568 F.3d 743, 749 (examining the analogous federal Wiretap Act); In re Meta Pixel, 2022 WL 17869218, at *11 (“the Ninth Circuit has construed the term [intercept] according to its ordinary meaning as the “act of acquiring, or coming into possession of”). The interception of an electronic communication includes the simultaneous transmission of duplicate communications. (Revitch, 2019 WL 5485330, at *2; Facebook Tracking, 956 F.3d at 608 (“Permitting an entity to engage in the unauthorized duplication and forwarding of unknowing users’ information would render permissible the most common methods of intrusion.”).

The Complaint alleges that without Plaintiff’s authorization and knowledge, Defendants installed Pixel and CAPI on its website and “instantaneously and surreptitiously” duplicated user’s communications, intercepted and shared them with Facebook. Complaint, ¶¶42, 51, 60, 62, 65, 101, 166. These allegations are sufficient to satisfy this requirement. (Cousin, 2023 WL 4484441, at *10.)

In summary, Since the Complaint does not adequately allege any contents of any communications were disclosed, the demurrer to the First Cause of Action is SUSTAINED.

Second Cause of Action - CMIA. Defendants contend Plaintiff’s claim for violation of CMIA fails because she does not allege she is a “patient” under CMIA and that any of her “medical information” was disclosed.

CMIA prohibits the unauthorized disclosure of medical information and the negligent maintenance or preservation of medical information. (Civ. Code §§ 56.10(a), 56.101(a).) CMIA defines “Medical Information” as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan ... regarding a patient's medical history, mental health application information, mental or physical condition, or treatment.” (Civ. Code § 56.05(i).) “ ‘Individually identifiable’ means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.” (Id.)

Contrary to Defendants’ arguments, the Complaint does allege Plaintiff and the Class Members are patients of Defendants. Complaint, ¶¶7, 72, 174.

As discussed, the Complaint alleges Plaintiff used Defendants’ Website to identify a medical provider and schedule a procedure, and that her communications, along with her Facebook ID, were intercepted by Facebook through Pixel and linked to her Facebook profile. Complaint, ¶¶140-141, 143. The Complaint alleges this is the kind of information protected by HIPAA. Complaint, ¶142. Further, the Complaint provides examples of information that may have been transmitted on the “Find a Doctor” page and the appointment page, but does not allege that Plaintiff actually used these pages or conveyed any information on these pages. See e.g. Complaint, ¶¶59-61, 77-90.

While this information does reveal Plaintiff’s identity, as previously explained, these allegations are insufficient to demonstrate that any of her medical history, mental health application information, mental or physical condition or treatment has been disclosed. Plaintiff does not allege what information she conveyed to Defendants. For example, a search for primary care practitioner and not a specialist or the dates and times for an appointment and nothing more yields no specific medical information.

The demurrer to the Second Cause of Action is SUSTAINED.

Third Cause of Action - UCL. Defendants argue Plaintiff’s claim for violation of the UCL fails because she lacks standing as she has not alleged any economic harm or injury.

Private parties can sue under the UCL only if, as a result of unfair competition, they have: (1) suffered an injury in fact, (2) lost money or property, and (3) the economic injury was a “result of” the unfair competition. (Kwikset Corp. v. Superior Court (2011) 51 Cal.4th 310, 322, 326; Cal. Bus. & Prof. Code § 17204.) The “lost money or property” requirement means plaintiff “must demonstrate some form of economic injury such as surrendering more or acquiring less in a transaction, having a present or future property interest diminished, being deprived of money or property, or entering into a transaction costing money or property that was unnecessary. (Id. at 323.) Plaintiff must also show that the economic injury was the result of, i.e., caused by, the unfair business practice that is the gravamen of the claim. (Id. at 322.)

There is a split in authority on whether the injuries alleged here are sufficient to satisfy the standing requirement for a UCL claims. Some courts have found that the sharing of names, user IDs, location and other personal information constitute lost money or property for UCL standing purposes. “Indeed, the Ninth Circuit and a number of district courts, including this Court, have concluded that plaintiffs who suffered a loss of their personal information suffered economic injury and had standing. See In re Facebook Privacy Litigation, 572 F. App'x 494, 494 (9th Cir. 2014) (concluding that the plaintiffs had plausibly alleged that they experienced harm when their personal information was disclosed in a data breach and they lost the sales value of their personal information); In re Marriott Int'l, Inc., Cust. Data Sec. Breach Litig., 440 F. Supp. 3d 447, 461 (D. Md. 2020) (“[T]he growing trend across courts that have considered this issue is to recognize the lost property value of this information.”); In re Yahoo! Inc. Cust. Data Sec. Breach Litig., 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017) (holding that plaintiffs had adequately alleged injury in fact based on the loss of value of their personal information); In re Anthem Inc. Data Breach Litig., 2016 WL 3029783, at (N.D. Cal. May 17, 2016) (concluding that the plaintiffs had plausibly alleged injury from the loss of value of their personal information).” (Calhoun v. Google LLC (N.D. Cal. 2021) 526 F. Supp. 3d 605, 636 (N.D. Cal. 2021)

29.)

Other courts have found otherwise. “The weight of the authority in the district and the state, however, point in the opposite direction: that “the ‘mere misappropriation of personal information’ does not establish compensable damages.” Pruchnicki v. Envision Healthcare Corp., 845 F. App'x 613, 615 (9th Cir. 2021); see also Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 540-41 & n.13, 299 Cal.Rptr.3d 544 (2022) (noting that “[t]he scant California authority cited by Facebook Privacy did not address the value of PII, much less any deprivation thereof” and finding Facebook Privacy and district court cases following Facebook Privacy “unpersuasive.”); Facebook Consumer Privacy, 402 F. Supp. 3d at 804 (distinguishing a company's gain of money through sharing or use of Plaintiffs’ information from a claim that Plaintiffs actually lost money and dismissing Plaintiffs’ theory of economic loss as “purely hypothetical”); Gonzales v. Uber Techs., Inc., 305 F. Supp. 3d 1078, 1093 (N.D. Cal. 2018) (“However, the sharing of names, user IDs, location and other personal information does not constitute lost money or property for UCL standing purposes.”) (citing Campbell v. Facebook, 77 F. Supp. 3d 836, 849 (N.D. Cal. 2014); Svenson v. Google Inc., 65 F. Supp. 3d 717, 730 (N.D. Cal. 2014) (finding that Plaintiff could not proceed with UCL claim because she had “not alleged any facts showing that Defendants’ business practice—disclosing users’ Contact Information to third-party App vendors—changed her economic position at all”)). Because Plaintiffs have not alleged a specific monetary or economic loss, Plaintiffs lack standing to maintain their UCL claims.” (Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS (N.D. Cal 2023) 2023 WL 2838118, at *8.)

Here, Plaintiff generally alleges that she and Class Members have suffered injury in fact and lost money or property, including payments to Defendants, access to their private and personal data, and the diminished value of that information. Complaint, ¶191. But Plaintiff does not explain or present any factual allegations showing how any of these injuries were caused by any unfair competition.

Accordingly, the demurrer to the Third Cause of Action is SUSTAINED.

Fourth Cause of Action - Invasion of Privacy under California’s Constitution and Fifth Cause of Action – Invasion Upon Seclusion. Defendants contend Plaintiff’s Constitutional and common law claims for invasion of privacy fail because she does not allege any intrusion was “highly offensive” or that she had a reasonable expectation of privacy in the information shared with Facebook. Additionally, Defendants contend Plaintiff cannot establish the disclosure to Facebook was a “publication” or that she had a reasonable expectation of privacy since she consented to sharing with Facebook.

“To state a claim for intrusion upon seclusion under California common law, a plaintiff must show that: (1) a defendant ‘intentionally intrude[d] into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy [,]’ and (2) that the intrusion ‘occurred in a manner highly offensive to a reasonable person.’ ” Davis v. Facebook Inc., (In re Facebook, Inc. Internet Tracking Litig.) 956 F. 3d 589, 601 (9th Cir. 2020) (quoting Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 97 Cal. Rptr. 3d 274, 285, 211 P.3d 1063 (2009)). “A claim for invasion of privacy under the California Constitution involves similar elements.” Id. Plaintiffs must plead “that: (1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion [is] ‘so serious ... as to constitute an egregious breach of the social norms’ such that the breach is ‘highly offensive.’ ” Id. (quoting Hernandez, 97 Cal. Rptr. 3d at 285, 211 P.3d 1063). “Because of the similarity of the tests, courts consider the claims together and ask whether: (1) there exist a reasonable expectation of privacy, and (2) the intrusion was highly offensive.” Id. at 601.

(Cousin v. Sharp Healthcare, No. 22-CV-2040-MMA (DDL) (S.D. Cal. 2023) 2023 WL 4484441, at *5.)

Whether an invasion of privacy is “highly offensive” requires the consideration of all-inclusive factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive. The focus must also be on the degree to which the invasion is unacceptable as a matter of public policy. (Cousin, 2023 WL 4484441, at *6.)

As such, in Cousin, the court found that disclosures of web browsing history did not rise to the level of “highly offensive” but disclosures about sensitive health information on an appointment scheduling page is highly offensive. (Id.) Plaintiff here does allege her sensitive health information, specifically, her search for a doctor and scheduling an appointment, were intercepted by Facebook. Complaint, ¶¶140-142.

Additionally, courts have recognized that the “ultimate question of whether Facebook's tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage. Plaintiffs have identified sufficient facts to survive a motion to dismiss. Plaintiffs’ allegations of surreptitious data collection when individuals were not using Facebook are sufficient to survive a dismissal motion on the issue.” (In re Facebook, Inc. Internet Tracking Litig. (9^th Cir. 2020) 956 F.3d 589, 606. See also, In re Meta Pixel Healthcare Litig., No. 22-cv-03580-WHO (N.D. Cal. 2022) 2022 WL 17869218 at *15 [courts are generally hesitant to decide claims of this nature at the pleading stage]; In re Facebook, Inc. (N.D. Cal. 2019) 402 F. Supp. 3d 767, 797 [“Under California law, courts must be reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy intrusion is.”]; Cousin, 2023 WL 4484441, at *6 [ same].)

For the reasons previously discussed regarding Facebook’s disclosures and consent, the Court concludes Plaintiff did have a reasonable expectation of privacy.

Additionally, Plaintiff expressly alleges she and other Class Members had a reasonable expectation of privacy in their health information, that she did not consent tracking and disclosure of her private health information, and that the tracking and commoditization of their health information is “highly offensive to a reasonable person”. Complaint, ¶¶18, 138, 152, 160, 205, 218.

The demurrers to the Fourth and Fifth Causes of Action are OVERRULED.

The Sixth Cause of Action (Invasion of Privacy Publication of Facts) is SUSTAINED. Plaintiff represents she is withdrawing this cause of action and has not opposed the demurrer on this claim. ROA 32, Opp., at p. 13 fn. 10.

The status conference is continued to November 3, 2023 at 9 AM, and the parties are ordered to file a joint status report not later than October 27, 2023.

Defendant is ordered to give notice.