• by Wendy Davis  @wendyndavis, February 14, 2024

Meta Platforms must face privacy claims brought by people who used the online mental health service Cerebral, which allegedly transmitted data to Meta through its Pixel tool -- analytics code that sends information about website visitors back to the platform.

The ruling, issued this week by U.S. District Court Judge William Orrick in the Northern District of California, stems from a lawsuit brought against Meta last September by two individuals who alleged that they provided sensitive information to Cerebral. The individuals, proceeding anonymously, also say they don't use Meta's Facebook service.

“Like a bug hidden in the ceiling of a therapist’s office, Meta used the Pixel to intercept and eavesdrop on plaintiffs’ highly sensitive and identifiable health disclosures,” they alleged in a class-action complaint.

Among other allegations, the plaintiffs said the Meta Pixel “intercepted” information they provided to Cerebral -- including their names, email addresses, phone numbers and zip codes, as well as answers to questionnaires about their symptoms.

The complaint included claims that Meta engaged in “intrusion upon seclusion” -- a broad California concept that allows people to sue over highly offensive privacy violations -- and that Meta ran afoul of a provision enshrining a right to privacy in the state constitution.

Orrick found that the allegations, if proven true, could support those claims.

“Cerebral is not simply a healthcare provider; it is a mental health services provider,” he wrote, adding that even “somewhat innocuous information like name and zip code” could become sensitive given that “plaintiffs were seeking mental health services.”

Meta is facing other lawsuits over its tracking technology -- including a case brought by other people who said they were tracked at health and hospital sites, and one by people who say they were tracked at online tax preparation sites.

The company has argued that developers can use the analytics code without transmitting sensitive data, and that it “expressly prohibits developers from using the Pixel in a way that could share sensitive data.”