• by Wendy Davis  @wendyndavis, January 30, 2024

A federal judge has again sided against Meta Platforms in a privacy battle centered on allegations that it tracked Facebook users' visits to websites operated by health care providers.

In a ruling issued Monday, U.S. District Court Judge William Orrick in the Northern District of California essentially found that the allegations, if proven true, could support a claim that Meta violated California privacy standards and also wrongly interfered with users' devices. Orrick previously ruled that the allegations could support claims that Meta violated federal and state wiretap laws.

The decision comes in a battle dating to May 2022, when several Facebook users alleged in a class-action complaint that Meta tracks their visits to hospital and health-care websites via the Meta Pixel -- analytics code that transmits information about website visitors.

The patients, who are proceeding anonymously, sued soon after The Markup reported that 33 of the country's top 100 hospitals have the Meta Pixel on their sites.

Meta urged Orrick to dismiss the lawsuit at an early stage in the proceedings, arguing that the Meta Pixel isn't in itself illegal. The company also said it didn't intentionally receive sensitive health data, arguing it instructs outside web developers who install the tracking code to avoid sending health information, and that it attempts to filter out sensitive data.

In September, Orrick dismissed several claims in the complaint, including that Meta interfered with users' devices and that it engaged in “intrusion upon seclusion” -- a broad California concept that allows people to sue for “highly offensive” privacy violations. At the time, he allowed the users to beef up those claims and refile them.

The users did so in October, when they specified their medical conditions in an amended complaint. (The conditions themselves have been blacked out of the publicly available version of the amended complaint.)

Orrick said in his new ruling that the additional information is detailed enough for the users to move forward with their “intrusion upon seclusion” claim.

“For the most part, plaintiffs identify the health conditions for which they sought treatment or services, as well as examples of their queries, appointment requests, or other information and services about which they communicated with their providers,” Orrick wrote.

“The allegations suffice at this juncture because they identify generally the types of sensitive information plaintiffs shared with their healthcare providers that was plausibly collected by Meta,” he added.

Orrick also allowed the users to proceed with a claim that Meta violated the California Comprehensive Computer Data Access and Fraud Act, writing that the amended complaint included allegations that Meta stored information on users' devices without authorization, causing them to slow down, and that Meta profited from the data.

“Plaintiffs’ revised allegations identifying the measureable impact on their devices is sufficient at this juncture,” he wrote.