New year, new Meta lawsuit! This time Meta, formerly known as Facebook (I might be a Prince fan), finds itself in hot water for their proprietary Meta Pixel code that they offer for free to web developers to install on websites. The Pixel tracks when certain triggering events happen on a website and collects generalized information about the website user which is then used by Meta for targeted advertising. I am going to go out a limb here and guess that most websites more than likely have this pixel firing on their site. The information collected is beneficial to both the website owner and Meta. While the website owner can learn from consumer activities and improve services, Meta can use the data for targeted advertising.

The plaintiffs, in this case, are requesting a motion for preliminary injunction for the following alleged claims, Plaintiffs did not consent to Meta’s acquisition of their health information, Wiretap Act Claim, CIPA Claim, and Invasion of Privacy and intrusion upon seclusion claims. To be successful in a motion for preliminary injunction “A plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest”. The judge ultimately denied the motion but not before breaking it down. Let’s dive in!

The issue here is that the websites the Pixels were placed on are medical websites such as doctor’s offices and hospitals. The plaintiffs, there are several anonymous, are alleging that the Pixel is intercepting and monetizing their protected health information under HIPPA when they login into the website’s patient portal potentially exposing and passing on the data to Meta. Now Meta states that they try to block this sensitive data using a filter mechanism to screen for potentially sensitive health data and that the filter prevents the data from being consumed into their ad and optimization systems. They also state that they provide instructions to users on how to opt out of their “off-Facebook” activity which will prevent data from being shared for advertising based on their online activities. The data is not being used for advertising, great, but can we be sure that Meta is not receiving the data at all?

Meta has several policies that outline its Terms of Service, Data Policy, Cookie Policy, and Business Tools Terms and Pixel Creation Process they say clearly outline how it collects and uses data when signing up for a Facebook account. They have the burden of proving that a reasonable user would understand that they are agreeing to Meta collection of the data intercepted by the Pixel placement. Even if a reasonable user fully understands the data collection policy the agreement of the Pixel placement is between Meta and the website owner. Meta’s Data Policy states “…any third party that wishes to use the Pixel must “represent and warrant” to Meta that the third party has “all of the necessary rights and permissions and a lawful basis (in compliance with all applicable laws, regulations, and industry guidelines) for the disclosure and use” of the data.” The judge goes on to state that ‘“require” is susceptible to multiple meanings. It could mean, for instance, that all developers using the Meta Pixel have told Meta that they may lawfully share this information with them. This is, of course, Meta’s preferred interpretation. But it could also mean that—in the context of the health information at issue here—Meta required a HIPAA-compliant authorization before receiving such information. In light of the multiple plausible interpretations of “require,” it is unlikely that Meta will be able to establish that plaintiffs consented to the data collection at issue here.”

While the plaintiffs did make a strong case under the Wiretap Act, they were not able to conquer Meta’s argument as to being exempt under the act. The statute states ”It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State”. If you will recall above under the Business Tool Terms the business using the Pixel on their website essentially provided consent to Meta and because the Wiretap Act is a one-party consent statute and Meta was not acting “for the purpose of” committing any crime or tort the claim fails.

When it comes to the CIPA allegations the judge did find that the plaintiffs will likely be able to show that it was reasonable for them to believe that their accessing of their online patient portal was a confidential communication with their medical provider. The wiretapping provision of CIPA reads “Any person who, by means of any machine, instrument, or contrivance, or in any other manner…willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state…” While Meta tried to say well, they logged in online so it’s not confidential, previous court rulings say not so fast! The courts have seemingly come to an understanding that conduct over the internet “has an objectively reasonable expectation that the conversation is not being overheard or recorded” and therefore can be considered confidential communication.

Finally, the plaintiffs did have a reasonable expectation of privacy because they were communicating with their healthcare provider and these types of communications are protected by laws and regulations. Meta argued that they disclosed the collection of personal data but again we go back to the Business Tool Terms and the fact that those terms are between the website and Meta, the website owner should obtain “lawful rights”. Both Congress and the courts have decided that it can be deemed highly offensive to take personal information without proper consent. While a jury will have the deciding factor against Meta and if their act of intrusion was highly offensive, the plaintiff’s argument does have merit.

And while the plaintiffs have an incredibly strong case it seems against Meta, they could not meet the challenge of the high standards set for a mandatory injunction. This case will move forward into the discovery phase and with that hopefully, more answers from Meta will help resolve remaining questions on how the Pixel filters data.  Not to worry we will keep an eye on this case and bring you any updates as they arise!