Meet John Doe: Court Allows Meta Pixel Privacy Lawsuit to Proceed

Meta Pixel Privacy Lawsuit: Targeting Meta

Plaintiffs claim that the hospital systems were sending protected health information to Facebook through the Pixel tool without patient consent, which protected health information was then unlawfully used to create and serve individual plaintiffs with personalized ads. On August 15, 2023, U.S. District Judge William Orrick III issued an order denying Meta’s motion to dismiss the lawsuit, allowing the lawsuit to proceed for Meta’s alleged violations of (among other things) federal and state wiretap laws and the California Invasion of Privacy Act (CIPA); and California state larceny law. In his order, Judge Orrick dismissed but permitted the Plaintiffs to amend their privacy allegations, by requiring that the Plaintiffs describe the types or categories of sensitive health information they provided through their devices to their healthcare providers.

Meta Pixel Privacy Lawsuit: Re-Targeting Meta

On Monday, May 8, in a separate would-be class action, the same judge, Judge Orrick, allowed a lawsuit against the University of California San Francisco Medical Center (UCSF) to proceed.  In this suit, a Meta Pixel privacy lawsuit similar to John Doe, plaintiffs allege violations of a variety of provisions in the California Invasion of Privacy Act (CIPA), which they claim were caused by the presence of the Pixel tracking tool in UCSF’s patient portal and websites.

Plaintiffs also allege that UCSF violated the California Confidential Medical Information Act, through the presence and operation of the Pixel tracking tool.  The lead plaintiff has specifically alleged that Meta used information about heart issues and high blood pressure for – sound familiar? – advertising purposes.  She concluded after noticing that a series of ads for high blood pressure medication started appearing on her Facebook page (perhaps Meta had thought, “What Facebook user wouldn’t want to receive such ads as they view their family and friends’ posts and pictures?”

Judge Orrick, in allowing the suit to proceed, emphasized that prior court cases have recognized a right to privacy even in the absence of specific laws giving that right: “Personal medical information is understood to be among the most sensitive information that could be collected about a person,” Orrick wrote.   

Meta Pixel Privacy Lawsuit: What’s the Defense?

In the various Meta Pixel privacy lawsuits, Facebook is trying to explain away what it has done. In one Meta Pixel privacy lawsuit, Facebook claimed that Meta Pixel was not collecting the information the Plaintiffs alleged it had collected. In another lawsuit, Meta was quick to point the finger at providers. In this lawsuit, Meta defended itself by asserting: “While Meta provides instructions on how to install the Pixel, developers decide whether, how, where, and when to use it. To use the Pixel, developers must agree not to ‘share Business Tool Data . . . that [they] know or reasonably should know… includes health, financial information or other categories of sensitive information (including any information defined as sensitive under applicable laws, regulations, and applicable industry guidelines).”

This argument may have a very superficial appeal, given that Facebook does not sign a business associate agreement with providers (or anyone else, for that matter), and claims it does not perform business associate functions. The argument does not address what Meta gets out of the arrangement with the hospitals. The Meta Pixel privacy lawsuits claim that Meta “knowingly receives patient data — including patient portal usage information — from hundreds of medical providers in the U.S. that have deployed the Facebook Pixel on their web properties.” Meta then allegedly monetizes the data by generating “highly-profitable targeted advertising on- and off-Facebook.”

Patients allege that the targeted advertising – the appearance of ads on patients’ Facebook pages – is by itself a violation of state privacy and medical confidentiality laws, even if technically, the violation is not a HIPAA violation. 

Read the class action lawsuit here.