Doe v. Regents of the University of California, No. 3:2023cv00598 - Document 18 (N.D. Cal. 2023)

Court Description: ORDER GRANTING IN PART AND DENYING IN PART 3 MOTION TO DISMISS by Judge William H. Orrick. Plaintiff may amend its contract claim by May 30, 2023. (jmd, COURT STAFF) (Filed on 5/8/2023)

Download PDF
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 JANE DOE, Plaintiff, 8 United States District Court Northern District of California 9 Case No. 23-cv-00598-WHO v. 10 REGENTS OF THE UNIVERSITY OF CALIFORNIA, 11 Defendant. ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS Re: Dkt. No. 3 12 13 INTRODUCTION 14 Plaintiff Jane Doe alleges that the Regents of the University of California (“UC Regents”) 15 violated the California Invasion of Privacy Act (“CIPA”), Confidentiality of Medical Information 16 Act (“CIMA”), and right to privacy under the California Constitution and the common law, 17 breached an express or implied contract, and is liable for unjust enrichment because of its use of a 18 tracking technology called the Meta Pixel. UC Regents moves to dismiss, asserting that as a 19 public entity it is immune from liability for several of plaintiff’s causes of action and contending 20 that plaintiff failed to state claim for each of the remaining causes of action. 21 On some claims—CIPA, privacy under the California Constitution, and those based upon 22 an implied-in-law or quasi-contract theory—UC Regents is immune as a public entity. It is also 23 not liable under CMIA § 56.06 because it is not a business that maintains medical information. 24 Those claims are dismissed with prejudice. Plaintiff has not sufficiently alleged the existence of 25 an express contract, so I will give her the opportunity to amend that claim. The remaining claims 26 are sufficiently pleaded and will survive: plaintiff has stated a common law privacy claim and US 27 Regents is a healthcare provider subject to §§ 56.10 and 56.101 of the CMIA. The motion to 28 dismiss will be GRANTED in part and DENIED in part. BACKGROUND 1 2 3 the motion to dismiss. The UC Regents university system is a corporation endowed by the 4 California Constitution. Compl. ¶¶ 1, 18. It operates the nation’s largest academic health system, 5 including University of California San Francisco Medical Center (“UCSF”). Id. UC Regents 6 provides UCSF patients with an online patient portal, MyChart, through which patients can 7 message their health care providers, refill prescriptions, pay bills, and view appointment 8 information. ¶ 24. UC Regents incorporates a tracking technology called the Meta Pixel, 9 provided by Meta Platforms, Inc. (“Meta”), on both the UCSF website and the MyChart patient 10 United States District Court Northern District of California Doe’s Complaint makes the following allegations, which I accept as true for purposes of portal. Compl. ¶ 4. 11 The Meta Pixel is a snippet of code that, when embedded on a third-party website, tracks a 12 user’s activity as the user navigates the website. As soon as a user takes any action on a webpage 13 that includes the Meta Pixel, the code embedded in the page re-directs the content of the user’s 14 communication to Meta while the exchange of the communication between the user and website 15 provider is still occurring. Compl. ¶ 39. In this manner, the Meta Pixel intercepts the pages a user 16 visits, the buttons they click, and some information they input or search and transmits that 17 information, along with the user’s IP address, to Meta. Compl. ¶ 30. Meta has multiple means of 18 associating the data it collects through the Meta Pixel with a user’s Facebook account. 19 Compl. ¶¶ 41-43. Meta then uses this information to provide targeted advertisements to the 20 Facebook user and to train its algorithms to more accurately identify and target users. 21 Compl. ¶ 46. 22 Plaintiff is a UCSF patient who used the same email address to sign up for both MyChart 23 and Facebook accounts. Compl. ¶¶ 54-55. Plaintiff entered data relating to her heart issues and 24 high blood pressure in MyChart and later received advertisements on Facebook, including at least 25 one advertisement relating to high blood pressure medication. Compl. ¶¶ 55-56. Plaintiff alleges 26 that UC Regents intentionally incorporated Meta Pixel on the UCSF website and password 27 protected MyChart portal, disclosing and allowing Meta to intercept plaintiff’s and class members’ 28 data, including highly sensitive medical information. Compl. ¶ 31. 2 LEGAL STANDARD 1 Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint United States District Court Northern District of California 2 3 if it fails to state a claim upon which relief can be granted. To survive a Rule 4 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is 5 plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially 6 plausible when the plaintiff pleads facts that “allow[] the court to draw the reasonable inference 7 that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 8 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted 9 unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff 10 must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 11 U.S. at 555, 570. In deciding whether a claim has been stated upon which relief can be granted, the court 12 13 accepts all factual allegations as true and draws all reasonable inferences in favor of the 14 plaintiff. Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). “[A]llegations that are 15 merely conclusory, unwarranted deductions of fact, or unreasonable inferences,” however, need 16 not be “accept[ed] as true.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) 17 (internal quotation omitted). If the court dismisses a complaint, it “should grant leave to amend even if no request to 18 19 amend the pleading was made, unless it determines that the pleading could not possibly be cured 20 by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) 21 (quoting Doe v. United States, 58 F.3d 494, 497 (9th Cir. 1995)). In making this determination, 22 the court should consider factors such as “the presence or absence of undue delay, bad faith, 23 dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to 24 the opposing party and futility of the proposed amendment.” Moore v. Kayport Package Express, 25 885 F.2d 531, 538 (9th Cir. 1989) (citing Foman v. Davis, 371 U.S. 178, 182 (1962)). DISCUSSION 26 27 28 I. California Invasion of Privacy Act Plaintiff alleges that UC Regents violated Cal. Pen Code § 631, the California Invasion of 3 1 Privacy Act (“CIPA”), by aiding Meta in misappropriating her private medical information. 2 “When interpreting state law, federal courts are bound by decisions of the state’s highest court. In 3 the absence of such a decision, a federal court must predict how the highest state court would 4 decide the issue using intermediate appellate court decisions, decisions from other jurisdictions, 5 statutes, treatises, and restatements as guidance.” PSM Holding Corp. v. Nat’l Farm Fin. Corp., 6 884 F.3d 812, 820 (9th Cir. 2018) (internal quotation and citations omitted). UC Regents raises two arguments concerning its liability under CIPA. First, it argues that United States District Court Northern District of California 7 8 it is immune from suit under CIPA because it is a public entity. Second, it contends that 9 embedding Meta’s technology on its website did not constitute aiding, agreeing with, employing, 10 and conspiring with Meta to carry out the wrongful conduct alleged, which would preclude 11 liability under Cal. Pen Code § 631(a)(4). By its text, CIPA applies to “[p]ersons.” Cal. Pen Code § 631(a). “Persons” is further 12 13 defined as “an individual, business association, partnership, corporation, limited liability company, 14 or other legal entity” or “an individual acting or purporting to act for or on behalf of any 15 government or subdivision thereof, whether federal, state, or local.” Cal. Pen Code § 632(b). 16 Plaintiff contends that UC Regents meets this definition because it is registered as a corporation 17 under California law. Not so. As she recognizes in her complaint, UC Regents was endowed by 18 the California Constitution and is therefore a public entity. The California Supreme Court has not ruled whether public entities are immune from civil 19 20 liability under CIPA.1 Plaintiff argues that CIPA only expressly excludes public utilities from 21 liability, and therefore applies to any other type of entity. But the California Supreme Court has 22 endorsed the opposite assumption with respect to liability for public entities. “[A]bsent express 23 words to the contrary, governmental agencies are not included within the general words of a 24 statute.” Wells v. One2One Learning Foundation, 39 Cal. 4th 1164, 1192 (2006).2 In Wells, the 25 26 27 28 1 I note that there is one unpublished decision in which the California Courts of Appeal held a public entity was immune from civil liability for invasion of privacy under this statute. Given the California rules for unpublished decisions, I do not consider this case in assessing how the California Supreme Court would decide this question. Cal. Rules of Court, rule 8.1115(a). 2 Wells also recognized that “government agencies are excluded from the operation of general 4 1 public entities at issue were school districts. Id. Because the text of CIPA does not expressly 2 include liability for public entities, I find that UC Regents is immune from liability under CIPA. 3 UC Regents also contends that plaintiff has not pleaded facts sufficient to show that UC Regents 4 had the requisite intent for claim of aiding and abetting. Because I find that UC Regents is 5 immune from liability under CIPA, I do not reach this question. Accordingly, the motion to 6 dismiss the first claim for relief is GRANTED with prejudice. 7 II. 8 Plaintiff alleges that UC Regents violated three separate sections of the California 9 Confidentiality of Medical Information Act (“CMIA”): Cal. Civ. §§ 56.10, 56.06, and 56.101. I 10 11 United States District Court Northern District of California Confidentiality of Medical Information Act 12 address each section below. A. CMIA § 56.06 In a footnote, UC Regents contends it is immune from liability under § 56.06 because it is 13 not a “business.” Plaintiff counters, also in a footnote, that UCSF is a business because it provides 14 services for money. The statute states, in pertinent part, that: 15 16 17 18 [a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. 19 Cal Civ. § 56.06 (emphasis added). The statute goes on to state that “[a]ny business described in 20 this section shall maintain the same standards of confidentiality required of a provider of health 21 care with respect to medical information disclosed to the business.” 22 It is undisputed that UCSF is a provider of healthcare and is therefore subject to the 23 requirements of CMIA §§ 56.10 and 56.101. But § 56.06 imposes liability on an additional 24 25 26 27 28 statutory provisions only if their inclusion would result in an infringement upon sovereign governmental powers. Pursuant to this principle, governmental agencies have been held subject to legislation which, by its terms, applies simply to any ‘person.’” Wells, 39 Cal.4th at 1192. (citations omitted). The premise that public entities are statutory “persons” unless their sovereign powers would be infringed is simply a maxim of statutory construction. While the “sovereign powers” principle can help resolve an unclear legislative intent, it cannot override positive indicia of a contrary legislative intent. Id. at 1193. 5 1 category of entities: businesses that act as intermediaries, maintaining medical information for 2 transmission between patients and providers. The section also applies to “[a]ny business that 3 offers software or hardware to consumers, including a mobile application or other related device 4 that is designed to maintain medical information in order to make the information available to an 5 individual or a provider of health care.” Cal. Civ. Code § 56.06(b). It would be redundant for this 6 subsection to apply to health care providers, who are already subject to the same liability in other 7 subsections of the statute. The parties have not cited, nor have I located, any cases imposing 8 liability on a healthcare provider for violation of § 56.06(b). Accordingly, the motion to dismiss 9 the fourth claim for relief is GRANTED with prejudice. 10 B. CMIA §§ 56.10 and 56.101 UC Regents also challenges the sufficiency of Plaintiff’s pleading as to each of her CMIA United States District Court Northern District of California 11 12 claims. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege 13 facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 14 570. 15 Section 56.10 states, in pertinent part, that “[n]o provider of health care . . . shall disclose 16 medical information regarding a patient of the provider of health care . . . without first obtaining 17 an authorization . . . .” Section 56.101 of the CMIA states, in pertinent part, that “[a]ny provider of 18 health care . . . who negligently creates, maintains, preserves, stores, abandons, destroys, or 19 disposes of medical information shall be subject to the remedies and penalties . . .” Cal. Civ. Code 20 §§ 56.10, 56.101. UC Regents claims that plaintiff should have pleaded “[f]acts showing what 21 specific medical information was entered by Plaintiff . . . . [and] which of that alleged medical 22 information actually was transmitted to Meta and in what form.” Mot. at 7:7-13. It also contends 23 that plaintiff must plead facts showing how data from the patient portal could be matched to her 24 Facebook profile. 25 At the motion to dismiss stage, it is not necessary for plaintiff to provide more specific 26 medical details. She pleaded that she entered medical information, including information relating 27 to her heart issues and high blood pressure, into the patient portal. She alleges that UC Regents 28 intentionally incorporated Meta Pixel on the UCSF website and password protected MyChart 6 United States District Court Northern District of California 1 portal, disclosing and allowing Meta to intercept her and class members’ data, including highly 2 sensitive medical information. She stated that after she entered her information into UCSF’s 3 patient portal, she began receiving advertisements on Facebook for high blood pressure 4 medication as well as targeted email advertisements relating to the same. She further alleged that 5 she used the same email address to register for both her MyChart and her Facebook account, 6 which provides a plausible means by which her information could be matched to her Facebook 7 profile. 8 UC Regents responds that even if plaintiff has alleged that the information was transferred 9 to Meta, she has not sufficiently alleged that it was viewed by an authorized party. This challenge 10 fails because plaintiff has alleged that Meta acted upon the information transmitted to it by 11 tailoring advertisements to her based on her medical condition. This is sufficient to raise a 12 plausible claim that her medical information was inappropriately accessed. To require more 13 would place the burden on her to describe UC Regents’ technical systems without the benefit of 14 discovery. See Reichman v. Poshmark, Inc., 267 F. Supp. 3d 1278, 1286 (S.D. Cal. 2017). Finally, UC Regents argues that plaintiff’s receipt of advertising related to her conditions 15 16 does not plausibly show that anything she did on the UCSF Health website caused this. This is so, 17 they claim, because the Meta Pixel is present on 6.7 million websites, and she may have 18 received those advertisements due to having visited another website, such as WebMD, and entered 19 her private medical information there. Plausibility pleading does not require a plaintiff to 20 foreclose every other avenue by which she could have been harmed, much less when it would 21 involve cataloging 6.7 million websites that she may or may not have visited. She simply must 22 plead facts that raise more than a sheer possibility that the defendant has acted unlawfully. She 23 has done so here. Accordingly, UC Regents’ motion to dismiss the fifth and sixth claims for relief 24 is DENIED. 25 III. Constitutional and Common Law Privacy 26 A. Public entity liability under Article I, Section 1 of California Constitution 27 UC Regents contends that public entities cannot be held liable for damages for an alleged 28 privacy claim under the California Constitution and seeks that I dismiss plaintiff’s entire 7 1 constitutional privacy claim pursuant to Rule 12(b)(6) because her claim is not cognizable under 2 California law. UC Regents contends that this is true because she does not seek an injunction, but 3 only money damages. She counters that a motion to dismiss is not the proper vehicle for striking a 4 prayer for relief. See Castle v. Gomez, No. 221CV06212JVSMAR, 2022 WL 4540523, at *8 5 (C.D. Cal. Aug. 9, 2022). She also cites analogous cases where public entities have been subject 6 to claims for monetary relief under the California Constitution where injunctive relief was not a 7 sufficient remedy. See Doe v. Beard, 63 F. Supp. 3d 1159, 1171 (C.D. Cal. 2014). United States District Court Northern District of California 8 Article 1, Section 1 of the California Constitution prohibits the government from violating 9 a citizen’s right to privacy. Citizens can seek to enjoin the government from violating that right 10 but cannot seek damages. See Clausing v. San Francisco Unified School District, 221 Cal. App. 11 3d 1224, 1238 (1990) (finding no error in the trial court’s decision to sustain the demurrer to 12 appellants’ constitutional invasion of privacy claim, where appellants sought damages and 13 injunctive relief). Because plaintiff lacks a cognizable claim for a privacy violation under the 14 California Constitution, UC Regents’ motion to dismiss the third claim for relief is GRANTED. 15 But this analysis does not apply to plaintiff’s claim for a common law violation of privacy. 16 17 B. Common law privacy claim Claims for invasion of privacy under the California Constitution and common law 18 intrusion both require that: “(1) there exists a reasonable expectation of privacy, and (2) the 19 intrusion was highly offensive.” Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th 20 Cir. 2020). UC Regents contends that plaintiff’s privacy claims should be dismissed because she 21 fails to establish that her specific personal information was transmitted or intercepted by Meta, and 22 therefore fails to allege that a highly offensive intrusion occurred. 23 For the reasons discussed above, I find that plaintiff has sufficiently alleged that her 24 information was transmitted to Meta through the Meta Pixel. UC Regents goes on to cite a case 25 for the proposition that an intrusion upon seclusion claim should be dismissed where the 26 information collected (physical tracking, the name of plaintiff’s bank, and phone applications 27 plaintiff used) was “not highly offensive.” Mot. at 18:18-21 (citing Hammerling v. Google LLC, 28 No. 21-cv-09004-CRB, 2022 WL 17365255, at **8-9 (N.D. Cal. Dec. 1, 2022)). That case is 8 United States District Court Northern District of California 1 inapposite here. Personal medical information is understood to be among the most sensitive 2 information that could be collected about a person, and I see no reason to deviate from that norm. 3 See, e.g., Doe v. Beard, 63 F. Supp. 3d 1159, 1169-70 (C.D. Cal. 2014). Accordingly, the motion 4 to dismiss the second claim for relief is DENIED. 5 IV. Breach of Contract 6 A. Existence of a contract 7 Plaintiff contends that UC Regents’ Notice of Privacy, Privacy Statement, and other public 8 representations constitute an express or implied contract. In support of her argument, plaintiff 9 seeks judicial notice of the UCSF Health Notice of Privacy Practices. [Dkt. No. 4] Ex. A, and 10 Website Privacy Statement Id. Ex. B. Both exhibits are available publicly on the UCSF Health 11 website, UC Regents does not contest the request, and I will take notice of them. 12 UC Regents argues that no contract exists. It says that (1) there was no offer and 13 acceptance, (2) UCSF’s Notice of Privacy is mandated by HIPAA and is therefore not a bargained 14 for exchange, and (3) plaintiff does not point to specific provisions in the contract that create the 15 obligation she claims that UC Regents breached. 16 17 1. Express Contract I agree with UC Regents that there is no express contract. Plaintiff relies on In re Solara 18 Medical Supplies, LLC Customer Data Security Breach Litigation, 613 F. Supp. 3d 1284 (S.D. 19 Cal. May 7, 2020) for the proposition that a “Notice of Privacy Practices” can be form the basis 20 for a breach of express contract claim. True enough, but in that case plaintiffs had alleged that 21 every patient received a copy of both the Notice of Privacy Practices and Patient Bill of Rights. In 22 re Solara, 613 F. Supp. 3d at 1296-97. The same is true for In re Yahoo! Inc. Customer Data 23 Security Breach Litigation, where all users were required to accept the Terms of Service, and the 24 Privacy Policy was “incorporated by reference” into those Terms of Service. No. 16-MD-02752- 25 LHK, 2017 WL 3727318, at *44 (N.D. Cal. Aug. 30, 2017). 26 Here, plaintiff does not allege that she was required to read or agree to either of the 27 documents. Instead, she alleges that they were available on the website and that she understood 28 them to include promises by UCSF to safeguard her data. This is not sufficient to form an express 9 1 contract. The motion to dismiss the seventh claim for relief is GRANTED without prejudice. 2. 2 3 A plaintiff “may alternatively plead both a breach of contract claim and a quasi-contract 4 claim, so long as [Plaintiff] pleads facts suggesting that the contract may be unenforceable or 5 invalid.” Beluca Ventures LLC v. Einride Aktiebolag, No. 21-CV-06992-WHO, 2022 WL 6 17252589, at *4 (N.D. Cal. Nov. 28, 2022). An implied contract requires that both parties agree to 7 its terms and have a “meeting of the minds,” but the creation of an implied contract can be 8 manifested by conduct rather than words. Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 9 2016 WL 9280242, at *8 (N.D. Cal. Sept. 14, 2016) (citations omitted). 10 United States District Court Northern District of California Implied contract Plaintiff alleges that she and other class members paid money and provided their User Data 11 to UC Regents in exchange for services, and that she and class members would not have entrusted 12 UC Regents with their User Data in the absence of an implied contract obligating UC Regents to 13 safeguard that data. She states that UC Regents breached this implied contract by disclosing that 14 information to Meta, a third party. She contends that she would not have paid, or would have paid 15 less, for these services had she known that UCSF would disclose her data. 16 It is plausible that the parties entered into an implied contract by their actions. The agreed 17 upon terms of this implied contract are those spelled out in the Notice of Privacy and Privacy 18 Statement, providing assurances. But there is another problem with this claim 19 B. 20 As a public entity, UC Regents cannot be sued under a theory of quasi-contract. See 21 Pasadena Live v. City of Pasadena, 114 Cal. App. 4th 1089, 1094 (2004) (“A public entity cannot 22 be held liable on an implied-in-law or quasi-contract theory”). Plaintiff argues that Pasadena Live 23 incorrectly broadened this rule when interpreting Miller v. McKinnon, which states that: Undoubtedly a school board, like a municipal corporation, may, under some circumstances, be held liable upon an implied contract for benefits received by it, but this rule of implied liability is applied only in those cases where the board or municipality is given the general power to contract with reference to a subject-matter, and the express contract which it has assumed to enter into in pursuance of this general power is rendered invalid for some mere irregularity or some invalidity in the execution thereof, and where the form or manner of entering into a contract is not violative of any statutory restriction upon the general power of the governing body to contract nor 24 25 26 27 28 Availability of damages 10 violative of public policy. 1 Miller v. McKinnon, 20 Cal. 2d 83, 91, 124 P.2d 34, 39 (1942) (emphasis added). But Miller did 2 not suggest that public entities could normally be held liable based upon an implied contract. 3 Instead, it allows for the possibility that the public entity believed it had entered a valid express 4 contract that was rendered invalid by a minor irregularity. That is not this case. The motion to 5 dismiss the eighth claim for relief is GRANTED with prejudice. 6 V. Unjust enrichment 7 For the same reasons discussed above, plaintiff cannot sustain a claim against UC Regents 8 for unjust enrichment. See, e.g., Pasadena Live v. City of Pasadena, 114 Cal. App. 4th 1089, 1094 9 (2004) (“The court sustained the demurrer to this cause of action because it was based on an oral 10 contract. This ruling was correct. A public entity cannot be held liable on an implied-in-law or United States District Court Northern District of California 11 quasi-contract theory.”). Accordingly, the motion to dismiss the ninth claim for relief is 12 GRANTED with prejudice. 13 CONCLUSION 14 For the foregoing reasons, UC Regents’ Motion to Dismiss is GRANTED in part and 15 DENIED in part. Plaintiff may amend its contract claim by May 30, 2023. 16 IT IS SO ORDERED. 17 Dated: May 6, 2023 18 19 20 WILLIAM H. ORRICK United States District Judge 21 22 23 24 25 26 27 28 11

Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.