I’m back with the latest decision that could reshape how companies handle digital health information. A federal court in the Western District of Washington has largely greenlit a lawsuit challenging Costco’s use of Meta’s tracking pixel on its pharmacy website. In Castillo v. Costco Wholesale Corp., No. 2:23-cv-01548-JHC, 2024 U.S. Dist. LEXIS 207197 (W.D. Wash. Nov. 14, 2024), the Court addresses pressing questions about privacy in the digital age: When does tracking your prescription searches become a privacy violation? And what happens when your pharmacy shares your data with Facebook?
The case prescribes a closer look at Costco’s installation of Meta’s tracking pixel on its pharmacy website. Plaintiffs and several other Costco pharmacy customers alleged that when they searched for prescriptions, transferred medications between pharmacies, and reviewed insurance co-pay information, Costco secretly collected and shared their data through Meta’s tracking pixel. The Pixel tracks users’ interactions by recording the detailed URLs triggered each time a customer enters information, and it can link this data to users’ Facebook identities. For those without Facebook accounts, it stores the data until they potentially create one in the future.
So what’s the deal here? Well, before diving into the substantive claims, the Court addressed a pivotal preliminary issue: whether Washington law should exclusively govern the claims. Costco argued that its website terms and conditions required applying Washington law, but the Court rejected this, reasoning that the choice-of-law clause only governed the interpretation of the terms—not all disputes tied to website use. This distinction followed reasoning in cases like Garner v. Amazon.com, Inc., 603 F. Supp. 3d 985 (W.D. Wash. 2022), where similar provisions were narrowly construed.
Next, the Court’s analysis of the federal Wiretap Act claim provides crucial guidance for digital healthcare privacy and modern web technologies. By treating prescription-related searches as communications implicating privacy laws, the Court elevated the standard for how businesses handle sensitive data online. Following the Ninth Circuit’s framework from In re Zynga Privacy Litigation, 750 F.3d 1098 (9th Cir. 2014), the Court distinguished between protected “contents” of communications and mere “record” information.
Significantly, the Court held that URLs containing prescription-related search terms are “contents” because they reveal the “substance, purport, or meaning” of the communication. Judge Chun emphasized that search terms entered on a pharmacy website go beyond mere metadata, offering a window into the user’s private health information. This aligns with In re Meta Pixel Healthcare Litigation, 647 F. Supp. 3d 778 (N.D. Cal. 2022), which similarly treated descriptive URLs as protected content.
Even more intriguing was the Court’s handling of the “crime-tort exception.” While Costco was technically a “party to the communication,” the Court found that using health data for targeted advertising could violate HIPAA, triggering the exception. Judge Chun stated: “The Court concludes that alleging a defendant intercepted data to use the data in violation of criminal or tort laws suffices to invoke the crime-tort exception.”
The decision contrasted with cases like Smith v. Facebook, Inc., 262 F. Supp. 3d 943 (N.D. Cal. 2017), where general browsing activity was deemed insufficient to establish a Wiretap Act violation. Here, the Court underscored that the nature of the data—prescription-related searches—was more specific and sensitive than general web activity.
Next, the Court’s treatment of California privacy laws—particularly the California Invasion of Privacy Act (“CIPA”) and the California Confidentiality of Medical Information Act (“CMIA”)—demonstrates the strong protection these statutes offer for health information.
Under CIPA (Cal. Pen. Code § 630), the Court reaffirmed that the statute protects against unauthorized wiretapping of communications. Relying on Brodsky v. Apple Inc., 445 F. Supp. 3d 110 (N.D. Cal. 2020), the Court ruled that vague privacy disclosures do not meet the statute’s explicit consent requirements, particularly for sensitive data.
Costco also argued that browsing data was not protected “medical information” under the CMIA. However, the Court rejected this defense, finding that prescription searches linked to identifiable Facebook profiles could constitute protected health information.
The Court emphasized that: “Unlike unique identifiers, personal Facebook accounts disclose actual identities,” making Costco’s data collection far more invasive than anonymous tracking. This interpretation builds on Cousin v. Sharp Healthcare, 702 F. Supp. 3d 967 (S.D. Cal. 2023), where the CMIA applied to disclosures of identifiable patient data collected through tracking tools.
With this in mind, while federal and California claims survived, the Washington Privacy Act (“WPA”) claim fell short. The Court ruled that the WPA’s requirement for communications to be “between two or more individuals” doesn’t apply to automated systems. This decision aligns with In re Meta Pixel Tax Filing Cases I, 2024 WL 1251350 (N.D. Cal. Mar. 25, 2024), which similarly excluded machine-driven interactions from WPA protections.
However, the Washington Consumer Protection Act (“WCPA”) claim survived, with the Court recognizing that the diminished economic value of personal health data constitutes a concrete injury. Expanding on Kaiser Found. Health Plan, Inc., 2024 WL 1589982 (N.D. Cal. Apr. 11, 2024), the Court held that the unauthorized disclosure of data reduces its economic value, constituting an actionable injury. It noted that Costco’s alleged failure to disclose its tracking practices could mislead consumers, satisfying the deception element under the WCPA.
The Court also discussed HIPAA violations in the context of the crime-tort exception under the Wiretap Act. It found that Costco’s alleged use of health data for targeted advertising plausibly violated HIPAA, as it involved the unauthorized disclosure of individually identifiable health information (“IIHI”).
Judge Chun highlighted HIPAA’s criminal provision (42 U.S.C. § 1320d-6), which prohibits knowing disclosures of protected health information for commercial gain. This violation underpinned the crime-tort exception, distinguishing this case from others where financial motives were insufficient to invoke the exception, such as Rodriguez v. Google LLC, 2021 WL 2026726 (N.D. Cal. May 21, 2021).
Lastly, the Court’s handling of common law claims revealed the challenges of applying traditional legal concepts to digital privacy. The invasion of privacy claim failed because Plaintiffs didn’t adequately allege publicity of their private information. Under Washington law, publicity requires public disclosure or, in certain cases, disclosure to a small group where the disclosure would be highly offensive. Plaintiffs’ allegations did not meet this threshold. Reid v. Pierce Cnty., 961 P.2d 333 (Wash. 1998).
The breach of implied contract claim was dismissed because promising to follow HIPAA isn’t valid consideration under Washington law. The Court explained that a promise to comply with preexisting legal obligations, like those under HIPAA, cannot form the basis of a contractual agreement. To establish an implied contract, the party must agree to additional obligations beyond what is already required by law. Multicare Med. Ctr. v. State, Dep’t of Soc. & Health Servs., 790 P.2d 124 (Wash. 1990).
The conversion claim failed because personal data isn’t considered “chattel” under Washington law. The Court emphasized that conversion applies only to tangible goods or certain intangible rights, such as patents, and does not extend to personal health data. In re Marriage of Langham & Kolde, 106 P.3d 212 (Wash. 2005).
However, the unjust enrichment claim survived as an alternative pleading. The Court found that plaintiffs plausibly alleged Costco had unjustly retained benefits, including the value of their personal health data and payments for its services. Costco gained these benefits at the plaintiffs’ expense by withholding key information about its tracking practices, making unjust enrichment a viable, equitable claim.
So what is the takeaway from all of this?
For healthcare providers and pharmacies, this ruling suggests that even public-facing websites need careful scrutiny if they collect health-related information. The Court’s holding that prescription searches constitute protected content means that common marketing tools like tracking pixels may create significant liability exposure when used on pharmacy websites. Collecting health-related information through website tracking technologies isn’t just a privacy concern—it’s a legal liability.