Key point: The Third Circuit Court of Appeals recently issued an opinion affirming the dismissal of a class action complaint asserting both California Invasion of Privacy Act (CIPA) and California Medical Information Act (CMIA) claims, providing helpful guidance on the application of the “party exception” defense to a wiretap claim, as well as the meaning of “medical information” under the CMIA claim.
Background
In Angel Cole, et al. v. Quest Diagnostics, Inc.[1], two users of websites operated by Quest Diagnostics, Inc. (Quest), alleged Quest improperly shared their personally identifiable information (PII) and protected health information (PHI) with a third-party digital advertiser (pixel provider) when they visited the websites. The plaintiffs alleged their communications with Quest’s websites were intercepted by a pixel without the plaintiffs’ consent, in violation of CIPA § 631(a), which prohibits aiding and abetting a third party in intercepting an electronic communication and CMIA §§ 56.10(a), (d), which prohibit the disclosure of an individual’s “medical information” without consent. The plaintiffs also sought to pursue these same claims on behalf of a putative class defined as “all persons in California who have navigated and accessed Quest’s websites located at www.questdiagnostics.com and www.myquest.questdiagnostics.com.”
At the district court, Quest moved to dismiss both causes of action. The district court initially granted the motion on the CMIA claim, but denied it as to the CIPA claim. The court ruled the CMIA claim was not cognizable because the plaintiffs failed to allege the disclosure of “medical information”[2] by Quest. Specifically, the court ruled that while the plaintiffs alleged that Quest disclosed that plaintiffs visited Quest’s websites to review test results, there were no allegations that Quest disclosed the type of test results reviewed or other specific medical information which could give rise to a CMIA claim. The CIPA claim initially survived the motion to dismiss because the court ruled that plaintiffs did not consent to the sharing of their electronic communications with the pixel provider, and the pixel provider was not a party to the plaintiffs’ communications with Quest’s websites.
Quest moved the district court for reconsideration of the CIPA decision and the court reversed.[3] Relying on the Third Circuit’s decision in In re Google Inc. Cookie Placement Consumer Privacy Litigation,[4] the district court ruled that the function of the third-party pixel precluded a claim of eavesdropping under the CIPA. Specifically, the court determined that because the plaintiffs’ web browsers, and not Quest, simultaneously transmitted the information to the pixel provider, the pixel provider was a party to the communication with each plaintiff. As a party to the communication, the court found that the pixel provider could not eavesdrop on its own communication under the party exception defense and dismissed the CIPA.[5]
The Third Circuit Affirms Dismissals
On appeal, the plaintiffs sought to reverse the district court. They argued that the district court erred in dismissing their CIPA claim by misapplying the holding from In re Google Inc. Cookie Placement Consumer Privacy Litigation to find the “party exception” applied to bar their CIPA claim. The plaintiffs also argued that they did not have knowledge of the pixel provider’s participation in the communication, and therefore, under the California Supreme Court’s and Ninth Circuit’s holdings in Ribas v. Clark, 38 Cal. 3d 355 (1985) and In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020), the district court improperly determined the party exception defense applied. In Ribas, the California Supreme Court held that a third party who eavesdropped on a phone conversation, without the permission of all parties to the call, violated CIPA § 631(a).[6] Similarly, in In re Facebook, Inc. Internet Tracking Litig., the Ninth Circuit held that the defendant was not, as a matter of law, entitled to the “party exception” because it simultaneously duplicated and intercepted the plaintiffs’ communications with various websites.[7] With regard to their CMIA claim, the plaintiffs argued that the claim was cognizable because they alleged that the pixel intercepted specific medical test results, as well as other medical symptoms and medical history information.
The Third Circuit rejected the plaintiffs’ arguments. It found no error in the dismissal of the CIPA claim because the plaintiffs’ web browsers transmitted communications directly to the pixel provider, and therefore the pixel provider was a party to the communications, making the party exception defense applicable. The Third Circuit further held that the CMIA claim was properly dismissed because there was no evidence in the record that any medical information was transmitted to the pixel provider. The Third Circuit rejected the plaintiffs’ argument that Quest’s disclosure of “the URL of the webpage a patient accessed to review test results” constituted medical information. It found that a URL identifying the diagnostic company was not medical information noting “[a]lthough the nature of treatment is medical information, the fact that treatment occurred is not.”
Takeaways
The Third Circuit is part of a recent trend of courts scrutinizing wiretap act claims and the requirements to pursue a cognizable claim. The Third Circuit’s recognition of how the pixel functions and who actually transmits the information is helpful to entities facing wiretap act claims involving a pixel and the transmission of information from a website visitor’s own web browsing device. Likewise, the Third Circuit’s guidance on what constitutes “medical information” under the CMIA is an added authority to demonstrate the transmission of a URL, without more, does not give rise to a CMIA claim.
[1] No. 25-1449 (3d Cir. Nov. 13, 2025).
[2] The CMIA defines “medical information” as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, reproductive or sexual health application information, mental, or physical condition, or treatment.” Cal. Civ. Code § 56.05(j).
[3] Angela Cole, et al. v. Quest Diagnostics, Inc., No. 23-20647 (D. N.J. July 2, 2024) (granting in part, and denying in part, Defendant’s motion to dismiss); Angela Cole, et al. v. Quest Diagnostics, Inc., No. 23-20647 (D. N.J. Jan. 14, 2025) (granting Defendant’s motion for reconsideration and dismissing Plaintiffs’ CIPA claim).
[4] 806 F.3d 125 (3d Cir. 2015).
[5] The “party exception” is derived from series of holdings that only a third party can eavesdrop on a communication. See Thomasson v. GC Servs. Ltd. P’ship, 321 Fed. App’x. 557, 559 (9th Cir. 2008); Warden v. Kahn, 160 Cal. Rptr. 471, 475 (Ct. App. 1979).
[6] 38 Cal. 3d at 360-62.
[7] 956 F.3d at 608.