Angela Cole and Beatrice Roche filed suit against Quest Diagnostics, claiming that Quest violated California’s privacy laws by letting Facebook’s Pixel tracker collect sensitive information when they used Quest’s websites, both the public pages and the password-protected patient portal.
Specifically, they pointed to two California laws:
- California Invasion of Privacy Act (CIPA), which prohibits secret “interception” of communications; and
- Confidentiality of Medical Information Act (CMIA), which protects patients’ medical information from unauthorized use and disclosure.
The complaint alleged that, once Quest installed the Facebook Pixel, the plaintiffs’ browsers sent page URLs, titles, and metadata straight to Facebook while the users were logged into Facebook.
The lower court tossed out all claims, and the Third Circuit agreed. Here’s why:
- No “Eavesdropping” Under CIPA When Your Browser Talks Directly to Facebook
  - The central question: Is Facebook an “eavesdropper” or just a participant when your browser sends it tracking data?
  - Past cases (notably the “Google Cookie” and “Nickelodeon” privacy lawsuits) made clear that when your browser separately and directly contacts a tracker’s (like Facebook’s) server, the tracker isn’t a creepy third-party listening in. It’s one of the communicators.
  - In their words: If your browser fires off a separate message to Facebook (triggered by visiting a Quest page), Facebook is a recipient, not a wiretapper.
  - Result: No “interception,” so the CIPA claims go nowhere.
- CMIA Only Covers Real Medical Content, Not Just “You Accessed Your Results”
  - The other claim: Did Quest unlawfully share “medical information” by sending Facebook URLs that showed a user accessed the test-results page?
  - California courts have made it clear that just knowing someone was a patient, scheduled an appointment, or accessed a portal isn’t “medical information” under CMIA.
  - What’s covered under CMIA? Details like test names, diagnostic info, specimen labels, or actual results. Simply knowing a user looked at their results? Not enough, unless the shared page title or URL spells out the specific medical detail.
  - In this case, the complaint didn’t allege any actual diagnosis, test, or result information was shared—just the fact that a results page was accessed.
  - Result: No cognizable CMIA claim presented.
Here are the real-world implications for healthcare providers and website operators:
- Pixels and third-party trackers aren’t illegal per se, but make sure those pixels aren’t sending sensitive substantive data: don’t embed diagnoses or test types in URLs or event names, and minimize what those trackers get.
- Separate public and patient-only content, and watch what client-side trackers report, especially inside login-protected areas.
- Clear documentation and disclosures help; while they won’t save a bad practice, clarity may help in defending against other kinds of privacy suits.
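
One way to apply the first two points on the client side, as an added example that is not taken from the decision or from any party's code: a filter that decides what a tracker may be told about a page view. The route prefixes, allowed parameters, function names and sample URLs are assumptions made for illustration.

```javascript
// Added example. All route names, parameter names and URLs are constructed.

// Login-protected areas (assumed site layout): no tracker event is emitted at all.
const PORTAL_PREFIXES = ["/portal/", "/account/"];
// Only these query parameters survive on public pages; everything else is dropped.
const ALLOWED_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);
// Path segments that look like record identifiers (numeric, long hex, UUID) are masked.
const ID_SEGMENT = /^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$/i;

// Returns the payload a tracker may receive for this page view, or null to send nothing.
// The page title is deliberately not an input: it is never forwarded.
function trackerPayload(pageUrl) {
  const url = new URL(pageUrl);
  if (PORTAL_PREFIXES.some((p) => url.pathname.startsWith(p))) {
    return null; // patient-only content stays out of tracker traffic
  }
  const path = url.pathname
    .split("/")
    .map((seg) => (ID_SEGMENT.test(seg) ? ":id" : seg))
    .join("/");
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(key)) kept.set(key, value);
  }
  const qs = kept.toString();
  // Fixed, generic event name; the fragment (#...) is dropped with the rest of the URL.
  return { event: "PageView", url: url.origin + path + (qs ? "?" + qs : "") };
}

// Review helper: split a list of visited URLs into what would be sent and what is withheld.
function auditPageViews(urls) {
  const report = { sent: [], suppressed: [] };
  for (const u of urls) {
    const payload = trackerPayload(u);
    if (payload) report.sent.push(payload.url);
    else report.suppressed.push(u);
  }
  return report;
}

// Constructed sample visits: one public page, one patient-portal page.
const SAMPLE_VISITS = [
  "https://www.example.test/locations/12345?utm_source=mail&zip=19104#map",
  "https://www.example.test/portal/results/98765?test=lipid-panel",
];
console.log(auditPageViews(SAMPLE_VISITS));
```

Running the audit over a crawl of the site's own URLs shows which pages would still reach a tracker, and in what form, before any pixel is deployed.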
In the Third Circuit (which includes Pennsylvania, New Jersey, Delaware and the U.S. Virgin Islands), these claims against Facebook Pixel or similar tech are on shaky ground, unless the facts show something more than a standard browser-to-tracker call. This decision makes it clear that routine browser-to-tracker communications aren’t “interceptions” under CIPA, and only real medical information (not just the fact that you logged into your results account) is protected by the CMIA.
