Opinion
23-CV-04422-AMO
09-16-2024
M.G., Plaintiff, v. THERAPYMATCH, INC., Defendant.
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS RE: DKT. NO. 20
ARACELI MARTÍNEZ-OLGUÍN UNITED STATES DISTRICT JUDGE
This is a data privacy lawsuit. Therapymatch, Inc.'s motion to dismiss was heard before this Court on April 18, 2024. Having read the papers filed by the parties and carefully considered their arguments therein and those made at the hearing, together with the relevant legal authority, the Court hereby GRANTS in part and DENIES in part the motion for the following reasons.
I. BACKGROUND
A. Factual Background
Defendant Therapymatch, Inc. d/b/a Headway (“Headway”) is a private company that has an online platform to provide users with access to mental health providers. First Amended Complaint (“FAC”) (ECF 17) ¶ 2. The website allows users to search Headway's clinician database based on specified preferences regarding language, race, ethnicity, gender, and more. FAC ¶ 32. Headway embeds Google Analytics code on its website, which allows Google to intercept and collect Headway website users' protected mental health information. FAC ¶ 4. Headway does not disclose that medical information is being shared with Google to improve Google's analytics services, software, and algorithms. FAC ¶¶ 104-05. Google analytics:
The Court accepts Plaintiff's allegations in the Complaint as true and Construes the pleadings in the light most favorable to Plaintiff. See Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008) (Citation omitted).
(1) simultaneously communicates information to an external server as a user navigates a website; (2) tracks users across devices, meaning that a user's actions on multiple devices all will be included in the information stored regarding that user; (3) is not easily disabled by users; and/or (4) creates a record of all of the information that users provide to and/or receive from the website.FAC ¶ 45.
Google Analytics offers website owners an opt-in Internet Protocol (IP) anonymization feature, however Headway did not enable this feature. FAC ¶ 37. In Headway's Privacy Policy linked at the bottom of its web page, Headway states that it will share personal information only “with insurance companies or clearinghouses for claims purposes, with other health care providers for treatment or care coordination purposes, or with business partners” to assist Headway in offering its services. FAC ¶ 39.
Plaintiff M.G. began using Headway's online platform to search for a mental health professional in May 2023. FAC ¶ 9. M.G. provided personal information on the website, including his name, address, cellular phone number, health insurance provider, group identification number, and employer. FAC ¶ 10. He also specified that he was looking for therapy related to two specific, unidentified, mental health conditions. FAC ¶ 10. Google intercepted M.G.'s communications with Headway, including the mental health conditions he searched, the treatment he was seeking, provider preferences, and appointment details. FAC ¶ 11. Google used M.G. and other class member's information to provide analytics services to Headway and to improve its own software and algorithms, as well as provide marketing services and offerings. FAC ¶ 13.
The Court notes that Plaintiff has not moved to proceed under a pseudonym. If Plaintiff wishes to proceed anonymously or under a pseudonym, he must so move the Court. See Does If thru XXIII v. Advanced Textile Corp., 214 F.3d 1058, 1067 (9th Cir. 2000).
B. Procedural Background
M.G. filed a putative class action complaint on July 6, 2023, in the Superior Court of California, County of Alameda. ECF 1-1. Headway timely removed the action to federal court on August 25, 2023, under the Class Action Fairness Act. ECF 1 ¶¶ 3-10. M.G. filed the First Amended Complaint (FAC), the operative complaint, on October 3, 2023, alleging six causes of action: (1) violation of the Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §§ 56.06, 56.101, 56.10; (2) aiding and abetting violation of the CMIA, Cal. Civ. Code § 56.36; (3) aiding and abetting unlawful interception under the California Invasion of Privacy Act (“CIPA”) Cal. Pen. Code § 631, (4) unlawful recording of and eavesdropping upon confidential information under CIPA, Cal. Pen. Code § 632, (5) invasion of privacy, Cal. Const. Art. 1 § 1, and (6) violation of the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code §§ 1798.100(e), 1798.81.5(b). FAC ¶¶ 73-140. On November 2, 2023, Headway filed the instant motion seeking to dismiss the complaint for failure to state a claim. “Mot.” (ECF 20).
II. LEGAL STANDARD
Under Rule 12(b)(6) of the Federal Rules of Civil Procedure, a complaint may be dismissed for failure to state a claim for which relief may be granted. Fed.R.Civ.P. 12(b)(6). Rule 12(b)(6) requires dismissal when a complaint lacks either a “cognizable legal theory” or “sufficient facts alleged” under such a theory. Godecke v. Kinetic Concepts, Inc., 937 F.3d 1201, 1208 (9th Cir. 2019) (citation omitted). Whether a complaint contains sufficient factual allegations depends on whether it pleads enough facts to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678.
When evaluating a motion to dismiss, the court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek, 519 F.3d 1025, 1031 (9th Cir. 2008). However, “allegations in a complaint . . . may not simply recite the elements of a cause of action [and] must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively.” Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014) (citations omitted). The Court may dismiss a claim “where there is either a lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal claim.” Hinds Invs., L.P. v. Angioli, 654 F.3d 846, 850 (9th Cir. 2011).
III. ANALYSIS
Headway moves to dismiss the complaint in its entirety. The Court addresses Headway's challenge to each claim in the order raised in the briefing.
A. Confidentiality of Medical Information Act Claims
M.G. alleges that Headway violated three separate sections of the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. §§ 56.10, 56.06, and 56.101. Section 56.06 defines “provider of health care,” while Section 56.10 dictates, in pertinent part, that a provider of health care “shall not disclose medical information regarding a patient . . . without first obtaining an authorization . . . [.]” Section 56.101 states, in relevant part, that “[a]ny provider of health care . . . who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties . . . [.]” Cal. Civ. Code § 56.101. Headway argues that the CMIA claims must be dismissed because M.G. fails to allege that any medical information or records were transmitted to Google or that anybody viewed any medical information. Mot. at 13-16.
The CMIA defines “medical information” as “individually identifiable information . . . regarding a patient's medical history, mental health application information, mental or physical condition, or treatment.” Cal Civ. Code § 56.05(i); see Eisenhower Med. Ctr. v. Superior Ct., 226 Cal.App.4th 430, 434 (2014) (“ ‘medical information' as defined under the CMIA is substantive information regarding a patient's medical condition or history that is combined with individually identifiable information”). “Mental health application information” means information “related to a consumer's inferred or diagnosed mental health or substance abuse disorder . . . [.]” Cal Civ. Code § 56.05(j). Under California caselaw, “[t]his definition does not encompass demographic or numeric information that does not reveal medical history, diagnosis, or care.” Eisenhower, 226 Cal.App.4th at 435. “[T]he mere fact that a person may have been a patient at the hospital at some time is not sufficient” without “substantive information regarding that person's medical condition, history, or treatment.” Eisenhower, 226 Cal.App.4th at 435; see also Wilson v. Rater8, LLC, No. 20-CV-1515-DMS-LL, 2021 WL 4865930, at *5 (S.D. Cal. Oct. 18, 2021) (concluding that allegations indicating that the plaintiff received medical treatment, physician names, and appointment discharge dates and times were not “medical information” within the meaning of the CMIA). However, the use of a patient portal to “schedule appointments, refill prescriptions, and to view [] test results and appointment notes,” constitutes “medical history, diagnosis, or care” within the meaning of the CMIA. B.K. et al, v. Desert Care Network, Desert Regional Medical Center, Inc. et al, No. 223-CV-05021-SPGPDX, 2024 WL 1343305, at *5 (C.D. Cal. Feb. 1, 2024); see also Tamraz v. Bakotic Pathology Assocs., LLC, No. 22-CV-0725-BAS-WVG, 2022 WL 16985001, at *5 (S.D. Cal. Nov. 16, 2022) (finding that disclosure of “specimen or test information” was substantive medical information within the meaning of CMIA).
Headway argues that the information disclosed here is not medical information because it does not involve M.G.'s medical history, condition, or treatment, but is instead “mere browsing information.” Mot. at 14. It argues that, at most, M.G. disclosed his “possible status as a patient.” Mot. at 15. M.G. counters that the disclosed information is “detailed personal and medical information” because it includes the patient's “specific concern giving rise to the need for mental health therapy,” the “kind of care that the patient was requesting,” and information regarding the patient's preferences regarding the therapist and where the patient was seeking therapy. “Opp.” (ECF 27) at 11. However, it is not clear what “medical information” M.G. disclosed. He alleges that “[w]hen prompted by the site to enter his mental health concerns and search parameters, [he] specified that he was looking for therapy related to two specific mental health conditions.” FAC ¶ 10. The Court cannot determine based on these sparse, generalized allegations whether M.G. shared (and thereafter Headway disclosed) “substantive information” regarding his “medical condition, history, or treatment.” See Eisenhower, 226 Cal.App.4th at 435. Because the Court cannot determine whether M.G.'s substantive medical information was disclosed, the Court GRANTS the motion to dismiss the CMIA claim with leave to amend. Because the Court dismisses the underlying CMIA cause of action, it also GRANTS the motion to dismiss the claim for aiding and abetting a violation of the CMIA.
At the hearing, Plaintiff's counsel expressed concern about disclosing such private information. The Court reminded counsel that there are numerous ways to protect a plaintiff's privacy, including by moving the Court to proceed under a pseudonym, or seeking to redact and file certain pleadings or parts of pleadings under seal.
B. California Invasion of Privacy Act Claims
M.G. brings claims under Sections 631 and 632 of the California Invasion of Privacy Act (“CIPA”). Headway challenges both causes of action for failure to state a claim.
1. Section 631
California Penal Code § 631(a) punishes any person who:
(1) “by means of any machine, instrument, or contrivance, or in any other matter, intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument”;
(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message . . . while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state”;
(3) “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained”; or
(4) “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section.”Cal. Penal Code § 631(a). Though Section 631 is a criminal statute, Section 637.2 provides a civil cause of action for damages or an injunction to anyone “injured by a violation of this chapter . . . against the person who committed the violation . . . [.]” Cal. Penal Code § 637.2.
M.G. advances a claim under the fourth subsection for aiding and abetting an unlawful interception. FAC ¶¶ 109-120. Headway argues that the Section 631 claim fails because M.G. fails to plead (1) that “content information” in communications was disclosed to Google, (2) that any interception occurred “in transit,” or (3) that Headway aided and abetted Google to commit any wrongdoing. Mot. at 19-22.
i. Content Information
Section 631 prohibits reading or learning the “contents or meaning” of a communication without consent. Headway argues that M.G. only alleges that browsing or “record” information was transmitted to Google - not substantive patient records or patient-doctor communications. Mot. at 20.
The analysis for a violation of CIPA is the same analysis for a violation of the federal Wiretap Act. Brodsky v. Apple Inc., 445 F.Supp.3d 110, 127 (N.D. Cal. 2020) (citation omitted). Under the Wiretap Act, “contents” is defined as “any information concerning the substance, purport, or meaning of [a] communication.” 18 U.S.C. § 2510(8). The “content” of a communication is “the intended message conveyed by the communication.” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). It does not include “record information regarding the characteristics of the message that is generated in the course of the communication” such as “the name, address and subscriber number or identity of a subscriber or customer.” Id. (internal quotation marks omitted); see United States v. Reed, 575 F.3d 900, 914, 917 (9th Cir. 2009) (holding that information about a telephone call's “origination, length, and time” was not “contents” for purposes of § 2510(8), because it contained no “information concerning the substance, purport or meaning of [the] communication”). “Whether information is ‘content' or ‘record information' can depend in part on the manner in which the information is generated, as information that would otherwise be considered ‘record information'-such as names, addresses, telephone numbers, and email addresses-may be ‘contents' of a communication where the user communicates with a website by entering his information into a form provided by the website.” Saleh v. Nike, Inc., 562 F.Supp.3d 503, 517 (C.D. Cal. 2021).
Headway argues that search terms used to find treatment for specific mental health issues and search for a provider and information about a booked therapy session are “record” information. Mot. at 21. This argument misunderstands the difference between content and record information. Content information includes “search terms” as they may “divulge a user's personal interests, queries, and habits . . . [.]” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 605 (9th Cir. 2020); cf. McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816, at *14 (N.D. Cal. Feb. 2, 2021) (concluding that data on “when and how often” an Android user “runs non-Google apps and the amount of time spent on the apps” is “record information”). For example, “[w]hile a URL that includes ‘basic identification and address information' is not ‘content,' a URL disclosing a ‘search term or similar communication made by the user' ‘could constitute a communication' under the statute.” In re Meta Pixel Healthcare Litig., 647 F.Supp.3d 778, 795 (N.D. Cal. 2022) (quoting In re Zynga, 750 F.3d at 1108-09). Similarly, log-in buttons and descriptive URLs are “contents” within the meaning of the Wiretap Act and CIPA because they reveal the “path” and “query string,” i.e., that the user searched for a specific doctor and searched for information about diabetes. Id. at 795, n.10. Here, M.G. alleges that Google intercepted the information he provided about the mental health conditions for which he was seeking therapy, his provider preferences, and his appointment details. FAC ¶¶ 10-11. This is content information.
ii. Interception
To violate Section 631, one must also listen to a communication “while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state.” Cal. Penal Code § 631(a). Headway argues that interception was not simultaneous here as two separate communications occurred - one between Headway's browser and the user's browser, and one between the user's browser and Google. Mot. at 22. However, the FAC contradicts Headway's argument. M.G. alleges that Google simultaneously intercepted class members' data in real time by using embedded Google Analytics Code. FAC ¶¶ 4-5, 11, 17, 26-27, 33, 40, 45. The Court must accept as true M.G.'s allegations that “[a]s users navigate the Headway website and platform, Google Analytics, in real-time, surreptitiously is collecting their sensitive information, including patient-clients' private personal and medical information, without the users' knowledge or consent.” FAC ¶ 33; see also In re Yahoo Mail Litig., 7 F.Supp.3d 1016, 1036 (N.D. Cal. 2014) (rejecting argument that emails were not intercepted in transit as “[t]he Court must defer resolution of whether Yahoo accessed the emails only after the emails were on Yahoo's servers until after discovery makes clear where and how Yahoo's scanning technology intercepted the emails.”). Thus, M.G. has alleged real-time interception of users' information. The caselaw Headway cites does not persuade otherwise. See Smith v. Facebook, Inc., 262 F.Supp.3d 943, 951 (N.D. Cal. 2017), aff'd, 745 Fed.Appx. 8 (9th Cir. 2018) (addressing whether defendant purposefully directed its activities at the forum state for purposes of personal jurisdiction, not whether a third party was intercepting communications in real time); Rodriguez v. Google LLC, No. 20-CV-04688-RS, 2022 WL 214552, at *1 (N.D. Cal. Jan. 25, 2022) (concluding that allegations of real-time interception were insufficient where complaint detailed Google's logging of data and subsequent transmission of a copy of the data).
iii. Aiding and Abetting
Finally, Headway argues that M.G. fails to allege that it aided and abetted Google's alleged violation of Section 631. Headway first argues - without legal support - that the criminal standard for aiding and abetting applies to the civil right of action. Mot. at 19. Not so. See Stoba v. Saveology.com, LLC, No. 13-CV-2925-BAS NLS, 2014 WL 3573404, at *3 (S.D. Cal. July 18, 2014) (declining to impose criminal standard for claims pursuing civil liability under Cal. Penal Code §§ 632 and 632.7). Under the common law definition of aiding and abetting, “[l]iability may . . . be imposed on one who aids and abets the commission of an intentional tort if the person (a) knows the other's conduct constitutes a breach of duty and gives substantial assistance or encouragement to the other to so act or (b) gives substantial assistance to the other in accomplishing a tortious result and the person's own conduct, separately considered, constitutes a breach of duty to the third person.” Fiol v. Doellstedt, 50 Cal.App.4th 1318, 1325-26 (1996) (citation omitted).
Headway argues that M.G. failed to plead sufficient facts to support the aiding and abetting claim as M.G. “merely concludes that Defendant ‘allowed Google to tap intentionally and/or make unauthorized connections with the lines of Internet communications between Headway [and Plaintiff and Class Members].” Mot. at 19 (citing FAC ¶¶ 116-17). This misstates M.G.'s allegations, which include that Headway knowingly agreed to use Google Analytics, embedded tracking technology code on its website, and allowed Google to have direct access to Headway users' private medical information. FAC ¶¶ 88-91.
In summary, M.G. has adequately alleged that Headway disclosed content information to Google, that the interception occurred in transit, and Headway aided and abetted Google, and the Court DENIES Headway's the motion to dismiss CIPA Section 631.
2. Section 632
California Penal Code § 632 is also part of California's invasion of privacy scheme. It provides, in relevant part, that “[a] person who, intentionally and without the consent of all parties to a confidential communication, uses a . . . recording device to eavesdrop upon or record the confidential communication” violates the statute. Cal. Penal Code § 632(a).
Seeking dismissal, Headway argues that M.G. fails to allege that any “confidential communications” took place. Mot. at 22-23. “A communication is confidential under Section 632 if a party ‘has an objectively reasonable expectation that the conversation is not being overheard or recorded.' ” Brown v. Google LLC, 525 F.Supp.3d 1049, 1073 (N.D. Cal. 2021) (quoting Flanagan v. Flanagan, 27 Cal.4th 766, 777 (2002)). “[T]he plaintiff only needs to show a reasonable ‘expectation that the conversation was not being simultaneously disseminated to an unannounced second observer.'” Id. (citation omitted). Headway argues that numerous cases have held that “Internet-based communications are not ‘confidential' within the meaning of [S]ection 632, because such communications can easily be shared . . . [.]” Mot. at 23 (quoting Campbell v. Facebook Inc., 77 F.Supp.3d 836, 849 (N.D. Cal. 2014) (collecting cases)). However, in recent years, courts in this district have started to recognize that individuals may have a reasonable expectation of privacy for certain internet communications. See, e.g., Brown v. Google LLC, 685 F.Supp.3d 909, 936-39 (N.D. Cal. 2023) (finding plaintiffs had a reasonable expectation of privacy in private incognito browsing); Doe v. Regents of Univ. of California, 672 F.Supp.3d 813, 820 (N.D. Cal. 2023) (concluding plaintiffs could bring common law invasion of privacy claim because they had a reasonable expectation of privacy in personal medical information); In re Meta Pixel Healthcare Litig., 647 F.Supp.3d at 799 (finding confidential under CIPA internet communications with medical providers because “health-related communications with a medical provider are almost uniquely personal”). Here, given the nature of the allegations - that M.G. entered information about his mental health concerns and therapist preferences on a website that is a mental healthcare conduit - it was reasonable for M.G. to have an expectation of privacy. M.G. has alleged that the communications with Headway were confidential under the CIPA.
Headway also argues that M.G.'s allegations show that Google - not Headway - allegedly unlawfully eavesdropped or recorded the communications. Mot. at 22-23. However, the FAC alleges that “Headway permitted Google to eavesdrop upon and/or record Headway website users,” FAC ¶ 128, and that Headway embedded Google Analytics technology on its website allowing Google to intentionally tap communications, FAC ¶ 116. Headway has failed to show why this is insufficient to state a claim for aiding and abetting a violation of section 632.Accordingly, the Court DENIES the motion to dismiss this claim.
The Court does not consider the final argument Headway belatedly raised for the first time in the reply: that this section only applies to communications over the telephone, ECF 28 at 15. Padilla v. City of Richmond, 509 F.Supp.3d 1168, 1180 (N.D. Cal. 2020) (“As a general rule, courts do not consider arguments raised for the first time on reply.”) (citing cases).
C. Constitutional Privacy Claim
Headway also moves to dismiss M.G.'s constitutional privacy claim under Article I, Section I of the California Constitution. Mot. at 23-24. “[That] right, in many respects broader than its federal constitutional counterpart, protects individuals from the invasion of their privacy not only by state actors but also by private parties.” Leonel v. Am. Airlines, Inc., 400 F.3d 702, 711 (9th Cir. 2005). “To prove a claim under the California [constitutional] right to privacy, a plaintiff must first demonstrate three elements: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) conduct by the defendant that amounts to a serious invasion of the protected privacy interest.” Id. (citing Hill v. Nat'l Collegiate Athletic Ass'n, 7 Cal.4th 1, 39-40 (1994)). “Actionable invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill, 7 Cal.4th at 37. Thus, if the allegations “show no reasonable expectation of privacy or an insubstantial impact on privacy interests, the question of invasion may be adjudicated as a matter of law.” Pioneer Electronics, Inc. v. Sup. Ct. of L.A., 40 Cal.4th 360, 370 (2007) (citing Hill, 7 Cal.4th at 40). “Determining whether a defendant's actions were ‘highly offensive to a reasonable person' requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive.” In re Facebook, Inc, 956 F.3d at 606 (citing Hernandez v. Hillsides, Inc., 47 Cal.4th 272, 295 (2009)).
Headway argues that the data collection practices here are “routine commercial behavior,” and are thus not a serious intrusion of privacy. Mot. at 23. Disclosure of certain personal information, such as social security numbers or an individual's address, does not rise to the level of an “egregious breach of social norms” to establish an invasion of privacy claims. Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1025 (N.D. Cal. 2012) (citing cases). However, “[c]ourts have refused to dismiss invasion of privacy claims at the motion to dismiss stage where . . . a data breach involved medical information, because the disclosure of such information is more likely to constitute an ‘egregious breach of the social norms' that is ‘highly offensive.' ” In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1143 (C.D. Cal. 2021) (quoting In re Facebook, Inc, 956 F.3d at 601); see Heldt v. Guardian Life Ins. Co. of Am., Case No. 16-cv-885-BAS-NLS, 2019 WL 651503, at *4 (S.D. Cal. Feb. 15, 2019) (recognizing a legally protected privacy interest in medical information held by an insurer); see also Strawn v. Morris, Polich & Purdy, LLP, 30 Cal.App. 5th 1087, 1100 (2019) (finding the seriousness of the alleged invasion of privacy based on disclosure of plaintiffs' tax returns presented a question of fact that could not be resolved on demurrer). Whether M.G. can prove an invasion of privacy “sufficiently serious in . . . nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right,” Hill, 7 Cal.4th at 37, remains to be seen. However, this is likely a factual dispute and Headway has not met its burden to show that the information disclosed here - M.G.'s provider preference, appointment details, and search concerning mental health conditions - cannot allege a serious invasion of privacy.
To be clear, “medical information” here is not a term of art as in the CMIA claim. The operative inquiry here is whether the privacy intrusion was “highly offensive” and an “egregious breach of social norms.” See In re Facebook, 956 F.3d at 601.
Headway next argues that the constitutional privacy claim must be dismissed because M.G. cannot bring a private claim for money damages under the California Constitution. Mot. at 24. Citizens may seek to enjoin the government from violating the right to privacy but cannot seek damages for a violation of this right. Clausing v. San Francisco Unified Sch. Dist., 221 Cal.App.3d 1224, 1238 (1990); see Regents of California, 672 F.Supp.3d at 820. M.G. seeks damages and disgorgement of profits for this claim. FAC ¶ 139. M.G. admits that “[i]nvasions of privacy, such as those here, cannot be rectified adequately through monetary damages,” but argues that courts permit plaintiffs to seek injunctive relief and disgorgement. Opp. at 25. It is clear that M.G. may not seek money damages for a violation of this claim here. Thus, the Court DISMISSES the claim to the extent M.G. seeks money damages. See Clausing, 221 Cal.App.3d at 1238; Federated Univ. Police Officers' Ass'n v. Regents of Univ. of California, No. SACV-1500137-JLSRNBX, 2015 WL 13273308, at *13 (C.D. Cal. July 29, 2015) (striking request for damages for invasion of privacy claims).
However, Headway bears the burden of showing that M.G. may not bring a claim for disgorgement under the California constitution, and it has not done so. Although M.G. may not ultimately be able to recover disgorgement of profits, Plaintiff's claim survives this stage of the proceedings, and the Court DENIES the motion to dismiss the California constitutional privacy claim.
D. California Consumer Privacy Act Claim
Finally, Headway moves to dismiss Plaintiff's third cause of action for violation of the California Consumer Privacy Act (“CCPA”). Mot. at 24-25. The CCPA creates a cause of action for:
Any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information . . . [.]Cal. Civ. Code § 1798.150. M.G. brings a CCPA claim under sections 1798.100(e) and 1798.81.5(b) based on Headway disclosing M.G. and Class members' personal information, including medical and health insurance information, to Google. FAC ¶ 106
Headway argues that the CCPA claim must be dismissed because there is no private right of action under any subsection other than section 1798.150(a). Mot. at 24. The CCPA explicitly states in section 1798.150 that “[t]he cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.” Cal. Civ. Code § 1798.150(c). Accordingly, the Court DISMISSES with prejudice M.G.'s CCPA claims brought under sections 1798.100 and 1798.81.5. See Hayden v. Retail Equation, Inc., No. SACV-2001203-DOCDFM, 2022 WL 2254461, at *4-5 (C.D. Cal. May 4, 2022), reconsideration on other grounds, 2022 WL 3137446 (C.D. Cal. July 22, 2022) (dismissing with prejudice CCPA claims under section 1798.100(b), 110(c), and 115(d) as there is no private right of action under those sections). Although M.G. lists only CCPA subsections 1798.100(e) and 1798.81.5(b) in the heading of the cause of action, he includes section 1798.150 in the body of the FAC. See FAC ¶¶ 107-08. Thus, the Court addresses whether M.G. has stated a Section 1798.150 claim.
Headway argues that courts only recognize private rights of action under the CCPA in the data breach context and that M.G. does not allege a data breach here. Mot. at 25. Not so; courts have let CCPA claims survive a motion to dismiss where a plaintiff alleges that defendants disclosed plaintiff's personal information without his consent due to the business's failure to maintain reasonable security practices. See, e.g., Ramos v. Wells Fargo Bank, N.A., No. 23-CV-0757-L-BGS, 2023 WL 5310540, at *2 (S.D. Cal. Aug. 17, 2023) (concluding that plaintiff stated a CCPA claim, notwithstanding a failure to allege a data breach, where he alleged “unknown individuals accessed information regarding his savings account as a result Defendant's failure to properly maintain Plaintiff's nonredacted and nonencrypted information”); see also Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 924 (S.D. Cal. 2020) (finding that plaintiffs alleged a plausible CCPA claim where their personal and medical information was accessible over the internet but there was no theft). Headway has neither pointed to authority that a data breach is necessary nor shown that M.G.'s allegations are insufficient. The Court therefore DENIES the motion to dismiss the CCPA claim.
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS the motion to dismiss the Confidentiality of Medical Information Act and aiding and abetting the CMIA claims with leave to amend. The Court DENIES the motion to dismiss the remaining claims. Any amended complaint must be filed by October 16, 2024. No additional claims or parties may be added without stipulation of Defendants or leave of Court.
IT IS SO ORDERED.