Judge Cynthia Bashant, in the Southern District of California, grants in part and denies in part defendant’s motion to dismiss a putative class action by a California consumer against an out-of-state online pharmacy.
Personal Jurisdiction Over Out-of-State Online Businesses
The court’s analysis focused first on whether it could exercise personal jurisdiction over the non-resident pharmacy. Applying the Ninth Circuit’s three-pronged “effects” test for specific jurisdiction, the court found:
- The pharmacy purposefully directed its activities at California by marketing and selling prescription drugs to thousands of California residents, including targeted advertising and delivery of physical products.
- Plaintiff’s claims arose from these forum-related activities, as her use of the website to search for prescription drugs was directly related to the pharmacy’s business in California.
- Defendant did not present a compelling case that exercising jurisdiction would be unreasonable.
As a result, the court denied the defendant’s motion to dismiss for lack of personal jurisdiction, signaling that online businesses with substantial sales and marketing efforts in a state may be subject to suit there, even if physically located elsewhere.
Substantive Privacy Claims
The court then addressed whether the plaintiff’s allegations were sufficient to state claims under various privacy statutes:
- Wiretap Act (Federal): The court found the plaintiff plausibly alleged that her search terms and browsing activity constituted the “contents” of a communication and that the pharmacy intentionally intercepted these communications using tracking software. However, the claim was dismissed (with leave to amend) because the plaintiff did not sufficiently allege that the pharmacy’s primary purpose in intercepting the data was criminal or tortious, as required to overcome the statute’s one-party consent exception.
- California Invasion of Privacy Act (CIPA): The court allowed the CIPA claim to proceed, finding that the plaintiff adequately alleged third-party tracking software acted as an unauthorized eavesdropper, and that the statute applies to internet communications originating from California.
- California Computer Data Access and Fraud Act (CDAFA): The court held that the plaintiff sufficiently alleged unauthorized access to her computer via tracking software, but failed to allege a cognizable loss or unjust enrichment by the pharmacy, resulting in dismissal of the claim with leave to amend.
- California Confidentiality of Medical Information Act (CMIA): The claim was dismissed with leave to amend, as the plaintiff did not allege she was a “patient” or that medical information was actually disclosed as defined by the statute.
- California Consumer Privacy Act (CCPA): The court dismissed the CCPA claim with leave to amend, noting the complaint did not allege facts showing the pharmacy met the statutory thresholds for coverage.
Zarif v. Hwareh.com, Inc., 789 F. Supp. 3d 880 (S.D. Cal. 2025).
