Judge Cathy Ann Bencivevgo, in the Southern District of California, addressed the growing intersection of digital marketing technologies and medical privacy. The case centers on allegations that a medical services website disclosed confidential patient information to Facebook via tracking pixels, without user consent. The court’s ruling clarifies the scope of privacy protections under federal and California law, with important implications for businesses operating online platforms that handle sensitive data.
Background: Alleged Unauthorized Disclosure of Medical Information
Plaintiff used a medical website to schedule laser vision correction appointments, providing confidential and individually identifiable health information. Unbeknownst to plaintiff, the website incorporated the Facebook Tracking Pixel, which transmitted this sensitive information—including the plaintiff’s unique Facebook ID—to Facebook. Plaintiff subsequently received targeted advertisements based on this data. Plaintiff contended that he was neither notified of, nor consented to, this disclosure.
Legal Claims and Standing
The lawsuit asserted three claims:
- Violation of the Electronic Communications Privacy Act (ECPA)
- Violation of the California Invasion of Privacy Act (CIPA)
- Invasion of privacy under the California Constitution
Defendant moved to dismiss all claims, arguing lack of standing and failure to state a claim. The court found that plaintiff had sufficiently alleged a concrete and particularized injury—namely, the unauthorized disclosure of confidential medical information—to establish standing for the ECPA and CIPA claims. The court cited precedent recognizing intangible harms such as reputational damage and disclosure of private information as sufficient for standing.
ECPA and CIPA Claims Survive Dismissal
Defendant argued that, as the intended recipient of plaintiff’s communications, it was exempt from liability under the “party exemption” in both ECPA and CIPA. However, the court determined that the exemption does not apply if the interception was for a criminal or tortious purpose. Plaintiff’s allegations—that his health information was intentionally transferred to Facebook without consent, potentially violating HIPAA—were deemed sufficient to invoke this exception at the pleading stage. The court denied the motion to dismiss these claims, allowing them to proceed.
California Constitutional Privacy Claim Dismissed
The court took a different approach to the claim under the California Constitution. While plaintiff’s allegations were sufficient to state a claim for invasion of privacy, the court found that he lacked standing for prospective injunctive relief. Plaintiff did not allege a likelihood of future injury, such as continued use of the website or ongoing unauthorized disclosures by the defendant. The court noted that any future use of the Facebook Tracking Pixel by third parties (such as Meta) was outside the defendant’s control. As a result, the constitutional privacy claim was dismissed.
JUAN RAMIREZ, v. LASIKMD USA, INC., No. 24-CV-2221-CAB-DDL, 2026 WL 194855 (S.D. Cal. Jan. 26, 2026).
