Judge Sunshine S. Sykes, in the Central District of California, partially granted and partially denied a motion to dismiss in a lawsuit alleging improper sharing of website visitor data with third parties, including Meta (Facebook), via tracking tools.
The case centers on a mental health services website that allegedly transmitted visitors’ personally identifiable information (PII) and protected health information (PHI) to Meta through the use of the Meta Pixel tracking tool. The plaintiff, who visited the website seeking information but did not become a patient, claimed she subsequently received targeted mental health advertisements on Facebook. She asserted that she was unaware her browsing activity would be shared with third parties.
The lawsuit advanced multiple claims under federal and California law, including the Electronic Communications Privacy Act (ECPA), the California Invasion of Privacy Act (CIPA) – including the pen register provision, the California Comprehensive Computer Data Access and Fraud Act (CCDAFA), the Computer Fraud and Abuse Act (CFAA), and the Stored Communications Act (SCA).
ECPA and CIPA Section 631 Claims Dismissed with Leave to Amend
The court dismissed the ECPA and CIPA claims, but allowed the plaintiff an opportunity to amend her complaint. The court found that while the plaintiff plausibly alleged that sensitive health-related information was transmitted, the complaint did not sufficiently establish the requisite intent or independent criminal/tortious purpose necessary to overcome statutory exemptions. The court emphasized that businesses may be exempt from liability if they are a party to the communication, unless the interception is for an independently unlawful purpose.
Pen Register Statute Claim Proceeds (CIPA Section 638.51)
The court denied the motion to dismiss the claim under California’s pen register statute (Cal. Penal Code § 638.51). The court found that the plaintiff plausibly alleged that the Meta Pixel functioned as a pen register by collecting and transmitting sensitive routing and addressing information without a court order.
Invasion of Privacy Claim Survives
The court allowed the invasion of privacy claim under the California Constitution to proceed. The court found that the alleged disclosure of sensitive mental health information to Meta could constitute a highly offensive intrusion, sufficient to state a claim at the pleading stage. The court noted that the seriousness of the privacy intrusion—particularly involving health information—raises factual questions that cannot be resolved without further proceedings.
Other Statutory Claims Dismissed
The plaintiff’s claims under the CCDAFA, CFAA, and SCA were dismissed with prejudice, as the plaintiff did not oppose dismissal and the court found the allegations insufficient.
Jane Doe et al v. Talkiatry Mgmt. Servs., LLC, No. 5:25-CV-00781-SSS-DTBX, 2025 WL 3190813 (C.D. Cal. Oct. 1, 2025).
