On February 23, 2026, Judge Anthony J. Battaglia, in the Southern District of California, granted defendant’s motion to dismiss a putative class action alleging that the company’s health information website unlawfully intercepted and shared users’ sensitive health-related search queries with third-party advertisers. The court held that the plaintiff lacked Article III standing because he failed to allege a concrete injury-in-fact. Plaintiff was given leave to amend.
Background
The plaintiff alleged that Dotdash used tracking technologies, including a proprietary advertising platform called D/Cipher, to intercept users’ search queries related to sensitive health topics and transmit that data—along with IP addresses and device identifiers—to third parties such as Google Analytics and DoubleClick for targeted advertising purposes. The complaint asserted nine causes of action under various federal and state privacy statutes, including the Electronic Communications Privacy Act, the California Invasion of Privacy Act, and the California Confidentiality of Medical Information Act.
The Court’s Analysis
The court systematically rejected each category of alleged injury:
Invasion of Privacy. The court found that the plaintiff failed to identify a legally protected privacy interest. Citing established precedent, the court held that users have no reasonable expectation of privacy in IP addresses, which are voluntarily transmitted to website servers as part of the communication process. Critically, the court noted that the plaintiff did not allege his search queries were linked to his name or other personally identifiable information—only to an IP address and metadata. The court also emphasized that searching for health-related terms on a publicly accessible website is distinct from disclosing information through a patient portal, and does not reveal details of an individual’s actual medical history.
Risk of Future Harm. The court held that the plaintiff’s allegations of increased risk of identity theft and digital profiling were too speculative to confer standing. Following TransUnion LLC v. Ramirez, the court reiterated that a mere risk of future harm, without allegations of certainly impending injury, is insufficient.
Informational Injury. The court rejected the plaintiff’s claim that he was harmed by being “deprived control over the dissemination of his private online activities,” finding this alleged harm lacked any close relationship to a traditionally recognized basis for a lawsuit.
Emotional Distress. Finally, the court found the plaintiff’s conclusory allegations of “anxiety” insufficient to establish concrete injury, as the complaint failed to set forth any specific information or detail regarding the alleged emotional harm.
Takeaways
This decision reinforces several important principles for companies operating websites that collect user data:
First, some courts continue to apply rigorous standing requirements in data privacy class actions, and plaintiffs must allege concrete, particularized harm beyond bare statutory violations. Second, the distinction between publicly accessible informational websites and confidential patient portals is significant—searches on general health websites may not implicate the same privacy interests as disclosures of actual medical records. Third, speculative future harms, such as generalized risks of identity theft, remain insufficient to establish Article III standing.
TYLER MAGHONEY, individually & on behalf of all others similarly situated v. DOTDASH MEREDITH, INC., No. 24-CV-2394-AJB-BJW, 2026 WL 497402 (S.D. Cal. Feb. 23, 2026).
