What’s going on with the Meta Pixel Lawsuit? A recent court document from California covered the claims that began over a year ago.

The Meta Pixel is a powerful tool for helping online vendors reach people who have shown an interest in a product or service. By identifying the user’s Facebook or Instagram, this tracker can help target ads to people who have already shown interest.

This is relatively harmless when you’re looking for shoes, blenders, and other innocuous items. In healthcare, however, this tracker can breach patient privacy if it’s included on certain pages.

In this article, we’ll cover what you should know about the Meta Pixel Lawsuit and discuss how this Meta Pixel lawsuit may impact the healthcare industry.

What Led to the Meta Pixel Lawsuit?

Meta Pixel is one of the most common tracking codes, and it can be a powerhouse in the right context. According to their website, the tracker can help ensure ads reach the right people, measure ad performance, and drive sales. 

The tracker achieves this by monitoring when you visit websites with the tracker and what you do on those websites. Over time, it logs a mountain of data about your interests and habits to show relevant ads.

For example, if you’re comparing the price of a specific pair of shoes across multiple websites, you may see ads for that exact pair of shoes while you browse Facebook. This happens because the Meta Pixel algorithm logs activity to show the most relevant ads possible. 

The issue that caused the Meta Pixel lawsuit, however, is when the tracker collects specific details directly related to patient care. This could include a wide range of details, from provider names to appointment times.

In the Meta Pixel lawsuit allegations, plaintiffs claim that the tracker unlawfully collected and used their health information. Want to learn more about the tracker’s data collection and user consent policies that led to the Meta Pixel lawsuit? Check out our previous article about the Meta Pixel.

Meta Pixel Lawsuit Summary 

Doe V. Meta Platforms Inc. is the official name of the Meta Pixel lawsuit. Meta faces the following claims in a Consolidated Class Action Complaint (CCAC) of 5 anonymous plaintiffs:

1. Breach of Contract
2. Breach of the Duty of Good Faith and Fair Dealing
3. Violation of the Electronic Communications Privacy Act (ECPA or Wiretap Act)
4. Violation of the California Invasion of Privacy Act
5. Intrusion Upon Seclusion
6. California Constitutional Invasion of Privacy
7. Negligence Per Se
8. Trespass to Chattels
9. Violation of California’s Unfair Competition Law (UCL)
10. Violation of California’s Consumer Legal Remedies Act (CAFA)
11. Larceny
12. Violation of California’s Comprehensive Computer Data Access and Fraud Act (CDAFA)
13. Unjust Enrichment

United States District Judge William H. Orrick handled this Meta PIxel lawsuit hearing for the Northern District of California. This was a preliminary hearing to determine which of the above claims the court should make a ruling on.

In this section, we’ll cover the court’s discussion of these claims. Click here to read the entire 26-page document. 

Violation of the Electronic Communications Privacy Act

The ECPA or Wiretap Act “prohibits the unauthorized ‘interception’ of an ‘electronic communication.’” This claim requires plaintiffs to “plausibly allege that Meta (1) intentionally (2) intercepted (3) the contents of (4) plaintiffs’ electronic communications (5) using a device.” 

In an effort to dismiss this claim, Meta claimed they didn’t intend to collect health information. This is because the Meta Pixel Lawsuit acknowledges that third-party web developers choose to add the pixel to their websites. Meta also cited their systems dedicated to filtering out sensitive information detected on the back end.

Ultimately, the court declined this dismissal for a few key reasons.

First, despite Meta disclosing their methods of preventing third-party developers from sending sensitive information, they intended to receive the information and did receive the information. This makes it an issue of consent.

Based on the plaintiffs’ claim, the healthcare providers’ consent to share sensitive information was presumed, not actual. In order for the consent to be actual, Meta should have explicitly notified providers of the issue. 

In order to determine whether providers gave actual consent, the court will need more evidence. This includes the following questions:

• What information did Meta share with healthcare providers?
• How did Meta train healthcare providers on the Pixel?
• Did the healthcare providers understand how the Pixel works and what information it collects?

While the court declined this dismissal, such evidence could lead to a dismissal in a future hearing of the Meta Pixel lawsuit.

California Invasion of Privacy Act

The CIPA is California’s equivalent to the Electronic Communications Privacy Act (ECPA), and this Meta Pixel lawsuit involves claims for both.

In an effort to have this claim dismissed, Meta argued that none of the plaintiffs are California residents, and the goal of CIPA is to “protect the right of privacy of the people of this state.” The judge provided 3 reasons for not granting dismissal on these grounds.

First, the court had not yet determined whether Meta’s actions “had a substantial nexus to California.” In basic terms, does Meta have enough of a presence in California for this law to be applicable? Until the court determines this, the judge argues that dismissal is premature. 

Second, plaintiffs alleged that the Pixel’s design and marketing and the development and implementation of its Terms of Service occurred in California. Based on legal precedence, California law governs actions that create liability within the state regardless of the plaintiff’s home state. 

Third, Facebook’s Terms of Service specify that California laws apply to user disputes. 

Constitutional Privacy Claim and Intrusion on Selection Claim

In defense against these claims, Meta argued again that California’s constitutional privacy protections shouldn’t apply to the plaintiffs. Additionally, they argued that the plaintiffs failed to adequately describe what specific sensitive information Pixel obtained. 

Like the CIPA claim, the judge declined dismissal for the plaintiffs not living in California. The second point, however, was more effective.

The judge dismissed the plaintiffs’ invasion of privacy claim. He also offered the plaintiffs an opportunity to amend the claim to include examples of sensitive information. With this update, the Meta Pixel lawsuit privacy claims can move forward.

California’s Comprehensive Computer Data Access and Fraud Act (CDAFA)

CDAFA allows individuals to seek compensation for damage or loss caused by a violation of this act. In this case, the plaintiffs argue that they have faced 2 types of actionable damages. 

First, they claim the Pixel impacts their ability to communicate with their healthcare providers via computer. Second, they claim the Meta Pixel diminished the value of their protected health information (PHI).

The judge dismissed this claim but will allow the plaintiffs to amend their claim if they can factually prove computer impairment. 

Breach of Contract and Breach of the Duty of Good Faith and Fair Dealing

In defense of these claims, Meta argued that a “limitation of liability” clause in their Terms of Service protects them from such claims. This clause states that their liability is limited, and they aren’t responsible for loss or damage from using Meta products. 

Plaintiffs responded to this defense by citing California Civil Code section 1668. This prevents contracts from exempting anybody from fraud or other legal violations, whether willful or negligent.

By not stopping data transfers or improving their sensitive information filter, the plaintiffs assert that Meta made a decision to continue collecting sensitive data. As such, the court did not dismiss the Meta Pixel lawsuit breach of contract claim, but Meta may move to limit the types of damages available.

Unjust Enrichment

In basic terms, unjust enrichment is when one person provides something valuable expecting some form of repayment, and the second person refuses. Let’s examine a real-life example of unjust enrichment.

In our example, imagine a homeowner hired a painter to paint all the walls in their house. Halfway through the painter’s work, the homeowner said to stop. Then, because the painter didn’t paint all the walls in the house, the homeowner refused to pay for the completed portion of the work. 

The plaintiffs allege in this claim that Meta sold their data without consent and unjustly kept the money. The court denied the dismissal of this Meta Pixel lawsuit claim.

Negligence Per Se

Negligence per se claims imply that a party failed to exercise due care and that the negligence caused an issue the statute was designed to prevent. In this claim, the plaintiffs tried to argue that HIPAA was the duty of care basis for their negligence claim. 

Based on legal precedent, however, federal laws like HIPAA aren’t eligible for identifying duties for negligence per se claims. As such, the court dismissed this claim but will allow plaintiffs to identify a state law for duty of care.

Trespass To Chattels

California law describes trespass to chattels as when intentional interference causes damage to personal property. The plaintiffs allege that the Meta Pixel has devalued their devices by discouraging electronic communication with their providers. 

In this claim, however, the plaintiffs didn’t report any performance or other measurable issues with their devices caused by the Meta Pixel. As such, the court dismissed this claim with leave to amend if the plaintiffs can describe appropriate damages. 

Larceny

Plaintiffs are claiming larceny on the basis that Meta allegedly used their Pixel to knowingly obtain sensitive information under false pretenses. The court dismissed this claim because the plaintiffs had not identified how Meta falsely represented the Pixel or how they relied on this representation.

Unfair Competition Law and Consumers Legal Remedies Act

The Unfair Competition Law protects people who have lost money or property as a result of unfair competition. Making this claim for the Meta Pixel lawsuit requires plaintiffs to demonstrate that they’ve unfairly lost money or had their property devalued. 

The plaintiffs argued that their personally identifiable information (PII) lost value when the Meta Pixel collected it, but the court determined that no monetary value was lost because the plaintiffs didn’t indicate a goal of selling their PII. As such, the UCL claim was dismissed.

As for the Consumers Legal Remedies Act, plaintiffs claimed that Meta misrepresented the Pixel. Meta, however, argued that none of the plaintiffs alleged seeing or relying on those misrepresentations. The court dismissed this claim and offered plaintiffs an opportunity to plead facts about their reliance on the alleged misrepresentation.

Meta Pixel Lawsuit Additional Information

We just covered a lot of information about the Meta Pixel lawsuit, so let’s review the facts. The court denied Meta’s motion to dismiss the ECPA, CIPA, breach of contract, and unjust enrichment claims. The court granted the other dismissals but granted plaintiffs 20 days to amend their complaints. 

This Meta Pixel lawsuit may be major for healthcare standards, and it’s especially worth noting the Negligence Per Se decision. To reiterate, HIPAA is a federal law, and therefore may not be used as a basis for this claim. 

You may have noticed HIPAA did not come up at any other point throughout this Meta Pixel lawsuit. Having not signed any Business Associate Agreements (BAA) with healthcare organizations, they’re not held to HIPAA standards.

As such, healthcare providers need patient consent before sharing any protected health information (PHI) with Meta.

Custodians of medical records have a legal and ethical duty to protect sensitive patient information from misuse and unlawful disclosure. By using Meta Pixel on pages where it can collect sensitive data, however, you could be inviting unnecessary risks.

According to HHS, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Furthermore, in December 2022, OCR confirmed that the use of tracking technology without a BAA is a HIPAA violation. Additionally, OCR confirmed that tracking technology vendors like Meta are classed as business associates even without a signed BAA.

 OCR stated, “Any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.”

How Should You Handle Trackers Following the Meta Pixel Lawsuit?

HIPAA violations are expensive, time-consuming, and devastating to an organization’s reputation. We believe that avoiding steep penalties and protecting patient privacy more than outweigh the benefits of using tracking technology.

As this case progresses, more people will likely realize that the security of their PHI may be in jeopardy. With this Meta Pixel Lawsuit acting like a bolt of lightning, the thunder to follow will be OCR HIPAA investigations.

Before that can happen, now is a great time to verify which sections of your website may have the Meta Pixel and what information it’s gathering. Protecting patient privacy requires proactivity and fast action.ChartRequest is dedicated to helping healthcare providers simplify compliance by streamlining the secure, digital release of protected health information. If you’d like to learn more about relevant regulations, news, and more, take a scroll through our other articles.