Opinion
23-cv-00598-WHO
05-06-2023
JANE DOE, Plaintiff, v. REGENTS OF THE UNIVERSITY OF CALIFORNIA, Defendant.
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS RE: DKT. NO. 3
WILLIAM H. ORRICK, United States District Judge
INTRODUCTION
Plaintiff Jane Doe alleges that the Regents of the University of California (“UC Regents”) violated the California Invasion of Privacy Act (“CIPA”), Confidentiality of Medical Information Act (“CIMA”), and right to privacy under the California Constitution and the common law, breached an express or implied contract, and is liable for unjust enrichment because of its use of a tracking technology called the Meta Pixel. UC Regents moves to dismiss, asserting that as a public entity it is immune from liability for several of plaintiff's causes of action and contending that plaintiff failed to state claim for each of the remaining causes of action.
On some claims-CIPA, privacy under the California Constitution, and those based upon an implied-in-law or quasi-contract theory-UC Regents is immune as a public entity. It is also not liable under CMIA § 56.06 because it is not a business that maintains medical information. Those claims are dismissed with prejudice. Plaintiff has not sufficiently alleged the existence of an express contract, so I will give her the opportunity to amend that claim. The remaining claims are sufficiently pleaded and will survive: plaintiff has stated a common law privacy claim and U.S. Regents is a healthcare provider subject to §§ 56.10 and 56.101 of the CMIA. The motion to dismiss will be GRANTED in part and DENIED in part.
BACKGROUND
Doe's Complaint makes the following allegations, which I accept as true for purposes of the motion to dismiss. The UC Regents university system is a corporation endowed by the California Constitution. Compl. ¶¶ 1, 18. It operates the nation's largest academic health system, including University of California San Francisco Medical Center (“UCSF”). Id. UC Regents provides UCSF patients with an online patient portal, MyChart, through which patients can message their health care providers, refill prescriptions, pay bills, and view appointment information. ¶ 24. UC Regents incorporates a tracking technology called the Meta Pixel, provided by Meta Platforms, Inc. (“Meta”), on both the UCSF website and the MyChart patient portal. Compl. ¶ 4.
The Meta Pixel is a snippet of code that, when embedded on a third-party website, tracks a user's activity as the user navigates the website. As soon as a user takes any action on a webpage that includes the Meta Pixel, the code embedded in the page re-directs the content of the user's communication to Meta while the exchange of the communication between the user and website provider is still occurring. Compl. ¶ 39. In this manner, the Meta Pixel intercepts the pages a user visits, the buttons they click, and some information they input or search and transmits that information, along with the user's IP address, to Meta. Compl. ¶ 30. Meta has multiple means of associating the data it collects through the Meta Pixel with a user's Facebook account. Compl. ¶¶ 41-43. Meta then uses this information to provide targeted advertisements to the Facebook user and to train its algorithms to more accurately identify and target users. Compl. ¶ 46.
Plaintiff is a UCSF patient who used the same email address to sign up for both MyChart and Facebook accounts. Compl. ¶¶ 54-55. Plaintiff entered data relating to her heart issues and high blood pressure in MyChart and later received advertisements on Facebook, including at least one advertisement relating to high blood pressure medication. Compl. ¶¶ 55-56. Plaintiff alleges that UC Regents intentionally incorporated Meta Pixel on the UCSF website and password protected MyChart portal, disclosing and allowing Meta to intercept plaintiff's and class members' data, including highly sensitive medical information. Compl. ¶ 31.
LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow[] the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570.
In deciding whether a claim has been stated upon which relief can be granted, the court accepts all factual allegations as true and draws all reasonable inferences in favor of the plaintiff. Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). “[A]llegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences,” however, need not be “accept[ed] as true.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) (internal quotation omitted).
If the court dismisses a complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (quoting Doe v. United States, 58 F.3d 494, 497 (9th Cir. 1995)). In making this determination, the court should consider factors such as “the presence or absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party and futility of the proposed amendment.” Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989) (citing Foman v. Davis, 371 U.S. 178, 182 (1962)).
DISCUSSION
I. California Invasion of Privacy Act
Plaintiff alleges that UC Regents violated Cal. Pen Code § 631, the California Invasion of Privacy Act (“CIPA”), by aiding Meta in misappropriating her private medical information. “When interpreting state law, federal courts are bound by decisions of the state's highest court. In the absence of such a decision, a federal court must predict how the highest state court would decide the issue using intermediate appellate court decisions, decisions from other jurisdictions, statutes, treatises, and restatements as guidance.” PSM Holding Corp. v. Nat'l Farm Fin. Corp., 884 F.3d 812, 820 (9th Cir. 2018) (internal quotation and citations omitted).
UC Regents raises two arguments concerning its liability under CIPA. First, it argues that it is immune from suit under CIPA because it is a public entity. Second, it contends that embedding Meta's technology on its website did not constitute aiding, agreeing with, employing, and conspiring with Meta to carry out the wrongful conduct alleged, which would preclude liability under Cal. Pen Code § 631(a)(4).
By its text, CIPA applies to “[p]ersons.” Cal. Pen Code § 631(a). “Persons” is further defined as “an individual, business association, partnership, corporation, limited liability company, or other legal entity” or “an individual acting or purporting to act for or on behalf of any government or subdivision thereof, whether federal, state, or local.” Cal. Pen Code § 632(b). Plaintiff contends that UC Regents meets this definition because it is registered as a corporation under California law. Not so. As she recognizes in her complaint, UC Regents was endowed by the California Constitution and is therefore a public entity.
The California Supreme Court has not ruled whether public entities are immune from civil liability under CIPA. Plaintiff argues that CIPA only expressly excludes public utilities from liability, and therefore applies to any other type of entity. But the California Supreme Court has endorsed the opposite assumption with respect to liability for public entities. “[A]bsent express words to the contrary, governmental agencies are not included within the general words of a statute.” Wells v. One2One Learning Foundation, 39 Cal.4th 1164, 1192 (2006). In Wells, the public entities at issue were school districts. Id. Because the text of CIPA does not expressly include liability for public entities, I find that UC Regents is immune from liability under CIPA. UC Regents also contends that plaintiff has not pleaded facts sufficient to show that UC Regents had the requisite intent for claim of aiding and abetting. Because I find that UC Regents is immune from liability under CIPA, I do not reach this question. Accordingly, the motion to dismiss the first claim for relief is GRANTED with prejudice.
I note that there is one unpublished decision in which the California Courts of Appeal held a public entity was immune from civil liability for invasion of privacy under this statute. Given the California rules for unpublished decisions, I do not consider this case in assessing how the California Supreme Court would decide this question. Cal. Rules of Court, rule 8.1115(a).
Wells also recognized that “government agencies are excluded from the operation of general statutory provisions only if their inclusion would result in an infringement upon sovereign governmental powers. Pursuant to this principle, governmental agencies have been held subject to legislation which, by its terms, applies simply to any ‘person.'” Wells, 39 Cal.4th at 1192. (citations omitted). The premise that public entities are statutory “persons” unless their sovereign powers would be infringed is simply a maxim of statutory construction. While the “sovereign powers” principle can help resolve an unclear legislative intent, it cannot override positive indicia of a contrary legislative intent. Id. at 1193.
II. Confidentiality of Medical Information Act
Plaintiff alleges that UC Regents violated three separate sections of the California Confidentiality of Medical Information Act (“CMIA”): Cal. Civ. §§ 56.10, 56.06, and 56.101. I address each section below.
A. CMIA § 56.06
In a footnote, UC Regents contends it is immune from liability under § 56.06 because it is not a “business.” Plaintiff counters, also in a footnote, that UCSF is a business because it provides services for money. The statute states, in pertinent part, that:
[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.Cal Civ. § 56.06 (emphasis added). The statute goes on to state that “[a]ny business described in this section shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.”
It is undisputed that UCSF is a provider of healthcare and is therefore subject to the requirements of CMIA §§ 56.10 and 56.101. But § 56.06 imposes liability on an additional category of entities: businesses that act as intermediaries, maintaining medical information for transmission between patients and providers. The section also applies to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care.” Cal. Civ. Code § 56.06(b). It would be redundant for this subsection to apply to health care providers, who are already subject to the same liability in other subsections of the statute. The parties have not cited, nor have I located, any cases imposing liability on a healthcare provider for violation of § 56.06(b). Accordingly, the motion to dismiss the fourth claim for relief is GRANTED with prejudice.
B. CMIA §§ 56.10 and 56.101
UC Regents also challenges the sufficiency of Plaintiff's pleading as to each of her CMIA claims. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570.
Section 56.10 states, in pertinent part, that “[n]o provider of health care . . . shall disclose medical information regarding a patient of the provider of health care . . . without first obtaining an authorization ....” Section 56.101 of the CMIA states, in pertinent part, that “[a]ny provider of health care . . . who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties . . .” Cal. Civ. Code §§ 56.10, 56.101. UC Regents claims that plaintiff should have pleaded “[f]acts showing what specific medical information was entered by Plaintiff ....[and] which of that alleged medical information actually was transmitted to Meta and in what form.” Mot. at 7:7-13. It also contends that plaintiff must plead facts showing how data from the patient portal could be matched to her Facebook profile.
At the motion to dismiss stage, it is not necessary for plaintiff to provide more specific medical details. She pleaded that she entered medical information, including information relating to her heart issues and high blood pressure, into the patient portal. She alleges that UC Regents intentionally incorporated Meta Pixel on the UCSF website and password protected MyChart portal, disclosing and allowing Meta to intercept her and class members' data, including highly sensitive medical information. She stated that after she entered her information into UCSF's patient portal, she began receiving advertisements on Facebook for high blood pressure medication as well as targeted email advertisements relating to the same. She further alleged that she used the same email address to register for both her MyChart and her Facebook account, which provides a plausible means by which her information could be matched to her Facebook profile.
UC Regents responds that even if plaintiff has alleged that the information was transferred to Meta, she has not sufficiently alleged that it was viewed by an authorized party. This challenge fails because plaintiff has alleged that Meta acted upon the information transmitted to it by tailoring advertisements to her based on her medical condition. This is sufficient to raise a plausible claim that her medical information was inappropriately accessed. To require more would place the burden on her to describe UC Regents' technical systems without the benefit of discovery. See Reichman v. Poshmark, Inc., 267 F.Supp.3d 1278, 1286 (S.D. Cal. 2017).
Finally, UC Regents argues that plaintiff's receipt of advertising related to her conditions does not plausibly show that anything she did on the UCSF Health website caused this. This is so, they claim, because the Meta Pixel is present on 6.7 million websites, and she may have received those advertisements due to having visited another website, such as WebMD, and entered her private medical information there. Plausibility pleading does not require a plaintiff to foreclose every other avenue by which she could have been harmed, much less when it would involve cataloging 6.7 million websites that she may or may not have visited. She simply must plead facts that raise more than a sheer possibility that the defendant has acted unlawfully. She has done so here. Accordingly, UC Regents' motion to dismiss the fifth and sixth claims for relief is DENIED.
III. Constitutional and Common Law Privacy
A. Public entity liability under Article I, Section 1 of California Constitution
UC Regents contends that public entities cannot be held liable for damages for an alleged privacy claim under the California Constitution and seeks that I dismiss plaintiff's entire constitutional privacy claim pursuant to Rule 12(b)(6) because her claim is not cognizable under California law. UC Regents contends that this is true because she does not seek an injunction, but only money damages. She counters that a motion to dismiss is not the proper vehicle for striking a prayer for relief. See Castle v. Gomez, No. 221CV06212JVSMAR, 2022 WL 4540523, at *8 (C.D. Cal. Aug. 9, 2022). She also cites analogous cases where public entities have been subject to claims for monetary relief under the California Constitution where injunctive relief was not a sufficient remedy. See Doe v. Beard, 63 F.Supp.3d 1159, 1171 (C.D. Cal. 2014).
Article 1, Section 1 of the California Constitution prohibits the government from violating a citizen's right to privacy. Citizens can seek to enjoin the government from violating that right but cannot seek damages. See Clausing v. San Francisco Unified School District, 221 Cal.App.3d 1224, 1238 (1990) (finding no error in the trial court's decision to sustain the demurrer to appellants' constitutional invasion of privacy claim, where appellants sought damages and injunctive relief). Because plaintiff lacks a cognizable claim for a privacy violation under the California Constitution, UC Regents' motion to dismiss the third claim for relief is GRANTED. But this analysis does not apply to plaintiff's claim for a common law violation of privacy.
B. Common law privacy claim
Claims for invasion of privacy under the California Constitution and common law intrusion both require that: “(1) there exists a reasonable expectation of privacy, and (2) the intrusion was highly offensive.” Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020). UC Regents contends that plaintiff's privacy claims should be dismissed because she fails to establish that her specific personal information was transmitted or intercepted by Meta, and therefore fails to allege that a highly offensive intrusion occurred.
For the reasons discussed above, I find that plaintiff has sufficiently alleged that her information was transmitted to Meta through the Meta Pixel. UC Regents goes on to cite a case for the proposition that an intrusion upon seclusion claim should be dismissed where the information collected (physical tracking, the name of plaintiff's bank, and phone applications plaintiff used) was “not highly offensive.” Mot. at 18:18-21 (citing Hammerling v. Google LLC, No. 21-cv-09004-CRB, 2022 WL 17365255, at **8-9 (N.D. Cal. Dec. 1, 2022)). That case is inapposite here. Personal medical information is understood to be among the most sensitive information that could be collected about a person, and I see no reason to deviate from that norm. See, e.g., Doe v. Beard, 63 F.Supp.3d 1159, 1169-70 (C.D. Cal. 2014). Accordingly, the motion to dismiss the second claim for relief is DENIED.
IV. Breach of Contract
A. Existence of a contract
Plaintiff contends that UC Regents' Notice of Privacy, Privacy Statement, and other public representations constitute an express or implied contract. In support of her argument, plaintiff seeks judicial notice of the UCSF Health Notice of Privacy Practices. [Dkt. No. 4] Ex. A, and Website Privacy Statement Id. Ex. B. Both exhibits are available publicly on the UCSF Health website, UC Regents does not contest the request, and I will take notice of them.
UC Regents argues that no contract exists. It says that (1) there was no offer and acceptance, (2) UCSF's Notice of Privacy is mandated by HIPAA and is therefore not a bargained for exchange, and (3) plaintiff does not point to specific provisions in the contract that create the obligation she claims that UC Regents breached.
1. Express Contract
I agree with UC Regents that there is no express contract. Plaintiff relies on In re Solara Medical Supplies, LLC Customer Data Security Breach Litigation, 613 F.Supp.3d 1284 (S.D. Cal. May 7, 2020) for the proposition that a “Notice of Privacy Practices” can be form the basis for a breach of express contract claim. True enough, but in that case plaintiffs had alleged that every patient received a copy of both the Notice of Privacy Practices and Patient Bill of Rights. In re Solara, 613 F.Supp.3d at 1296-97. The same is true for In re Yahoo! Inc. Customer Data Security Breach Litigation, where all users were required to accept the Terms of Service, and the Privacy Policy was “incorporated by reference” into those Terms of Service. No. 16-MD-02752-LHK, 2017 WL 3727318, at *44 (N.D. Cal. Aug. 30, 2017).
Here, plaintiff does not allege that she was required to read or agree to either of the documents. Instead, she alleges that they were available on the website and that she understood them to include promises by UCSF to safeguard her data. This is not sufficient to form an express contract. The motion to dismiss the seventh claim for relief is GRANTED without prejudice.
2. Implied contract
A plaintiff “may alternatively plead both a breach of contract claim and a quasi-contract claim, so long as [Plaintiff] pleads facts suggesting that the contract may be unenforceable or invalid.” Beluca Ventures LLC v. Einride Aktiebolag, No. 21-CV-06992-WHO, 2022 WL 17252589, at *4 (N.D. Cal. Nov. 28, 2022). An implied contract requires that both parties agree to its terms and have a “meeting of the minds,” but the creation of an implied contract can be manifested by conduct rather than words. Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *8 (N.D. Cal. Sept. 14, 2016) (citations omitted).
Plaintiff alleges that she and other class members paid money and provided their User Data to UC Regents in exchange for services, and that she and class members would not have entrusted UC Regents with their User Data in the absence of an implied contract obligating UC Regents to safeguard that data. She states that UC Regents breached this implied contract by disclosing that information to Meta, a third party. She contends that she would not have paid, or would have paid less, for these services had she known that UCSF would disclose her data.
It is plausible that the parties entered into an implied contract by their actions. The agreed upon terms of this implied contract are those spelled out in the Notice of Privacy and Privacy Statement, providing assurances. But there is another problem with this claim
B. Availability of damages
As a public entity, UC Regents cannot be sued under a theory of quasi-contract. See Pasadena Live v. City of Pasadena, 114 Cal.App.4th 1089, 1094 (2004) (“A public entity cannot be held liable on an implied-in-law or quasi-contract theory”). Plaintiff argues that Pasadena Live incorrectly broadened this rule when interpreting Miller v. McKinnon, which states that:
Undoubtedly a school board, like a municipal corporation, may, under some circumstances, be held liable upon an implied contract for benefits received by it, but this rule of implied liability is applied only in those cases where the board or municipality is given the general power to contract with reference to a subject-matter, and the express contract which it has assumed to enter into in pursuance of this general power is rendered invalid for some mere irregularity or some invalidity in the execution thereof, and where the form or manner of entering into a contract is not violative of any statutory restriction upon the general power of the governing body to contract nor
violative of public policy.Miller v. McKinnon, 20 Cal. 2d 83, 91, 124 P.2d 34, 39 (1942) (emphasis added). But Miller did not suggest that public entities could normally be held liable based upon an implied contract. Instead, it allows for the possibility that the public entity believed it had entered a valid express contract that was rendered invalid by a minor irregularity. That is not this case. The motion to dismiss the eighth claim for relief is GRANTED with prejudice.
V. Unjust enrichment
For the same reasons discussed above, plaintiff cannot sustain a claim against UC Regents for unjust enrichment. See, e.g., Pasadena Live v. City of Pasadena, 114 Cal.App.4th 1089, 1094 (2004) (“The court sustained the demurrer to this cause of action because it was based on an oral contract. This ruling was correct. A public entity cannot be held liable on an implied-in-law or quasi-contract theory.”). Accordingly, the motion to dismiss the ninth claim for relief is GRANTED with prejudice.
CONCLUSION
For the foregoing reasons, UC Regents' Motion to Dismiss is GRANTED in part and DENIED in part. Plaintiff may amend its contract claim by May 30, 2023.
IT IS SO ORDERED.