Plaintiffs’ attorneys are always looking for new ways to sue pharmaceutical companies. Under the banner of “no good deed goes unpunished,” plaintiffs in California recently sued a prescription drug manufacturer after they took advantage of the manufacturer’s program to help pay for a medicine widely used to treat arthritis and plaque psoriasis. There are no allegations that the drug caused any harm to these plaintiffs, nor did these plaintiffs allege that the product did not work as advertised. It appears that these plaintiffs actually benefitted financially from enrolling in the manufacturer’s program by receiving offsets in the cost of this undisputedly helpful medication. But they sued anyway.
What gives? These plaintiffs filed a class action complaint alleging that the drug manufacturer collected and disclosed their personal information in purported violation of multiple California laws. The case is Roe v. Amgen Inc., No. 2:23-cv-07448, 2024 U.S. Dist. LEXIS 101754 (C.D. Cal. June 5, 2024), and as the district court put it, “Plaintiffs’ overarching theory of the case, which grounds all their claims, is that Defendant collected their personal information and improperly disclosed it to third parties without their consent.” Id. at *7-*8. According to the plaintiffs and their experts (more on the experts later), when patients enrolled in the financial assistance program through the defendant’s website, tracking pixels gathered and sent their personal information to third parties, such as Meta and Google.
We surprisingly have not written before on pixels—a topic perhaps for deeper treatment in a future blogpost—but they are essentially tiny pieces of code that can gather information on website visitors—what they searched for, which links they clicked on, etc. When you make travel plans online and then start receiving ads from airlines and hotels in Facebook or Instagram, that might be the work of tracking pixels. Here, we have no idea whether the drug manufacturer’s enrollment website used tracking pixels. But that is what the plaintiffs alleged, along with allegations that when they enrolled in the manufacturer’s financial support program, they entered information such as their names, date of birth, zip code, insurance information, medical diagnosis, and prescription information. Id. at *3-*4.
So did these plaintiffs state claims under California’s privacy-related laws? In part, yes. But not by much and not without significant limitations on their claims.
The most interesting part of the order deals with expert opinions. Expert opinions on the pleadings? We did not know that was a thing, but the plaintiffs here retained two experts who examined the defendants’ website and opined that the defendant collected and shared user information with third parties. Id. at *8-*9. That seems like extrinsic evidence to us, and it also seems unfair for a court to consider expert opinions from one side without giving the other side an opportunity to test the opinions and respond.
The district court, however, considered the experts’ opinions in deciding whether the plaintiffs had plausibly set forth the elements of their claims:
Although most district courts with the circuit have concluded that it is inappropriate to consider an expert affidavit on a motion to dismiss . . . , plaintiffs may include an expert’s nonconclusory assertions within specific paragraphs in the complaint. Experts’ nonconclusory allegations in a complaint should be taken by a court as true allegations.
Id. at *9 (internal citations and quotations omitted). Applying this “nonconclusory assertion” rule, the district court considered the plaintiffs’ experts’ analysis in determining whether the plaintiffs stated plausible claims, and the court found that the defendants’ objections to the opinions were “better reserved for a motion for summary judgment or Daubert motion.” Id.
We won’t dwell on this, but it is not obvious to us how these experts’ opinions were “nonconclusory.” The experts opined that the defendant’s website used tracking pixels to collect and retransmit private information, which is an ultimate issue in the case. We also see a certain irony, or maybe a double standard, in the court’s position that the plaintiffs could submit expert opinions in support of their pleadings, but the defendants had to wait for a motion for summary or motions under Rule 702. We would have expected use of evidence outside the pleadings to be deferred to later motion practice—for both sides.
On the various causes of action, the plaintiffs won a little and lost most. On common law invasion of privacy, the defendant argued that there was no actionable invasion of the plaintiffs’ privacy because, among other things, the plaintiffs did not allege that they hit “decline” when asked whether they would accept the defendants’ “cookie banner.” That banner disclosed that the defendants would share personal information with third parties. Id. at *11. The court rejected that argument because “although a user’s consent to a website’s terms can undermine privacy claims when the user admits to accepting those terms, it is not clear from the face of the complaint, nor Plaintiffs’ opposition, whether Plaintiffs explicitly agreed to Defendant’s privacy terms.” Id. at *11-*12 (internal citation omitted). The complaint made no allegation either way—which was the defendant’s point—but the court ruled that the complaint’s ambiguity on consent justified allowing the claim to go forward.
The court dismissed the plaintiffs’ claims under California’s Confidentiality of Medical Information Act (“CMIA”). This California statute requires healthcare providers and pharmaceutical company to preserve the confidentiality of medical information in their possession, not too different from the federal mandate under HIPAA. Mere disclosure of medical information, however, does not constitute a breach of confidentiality under the CMIA. A plaintiff must plead and prove that someone “improperly viewed or otherwise accessed” confidential medical information. The plaintiffs’ complaint here lacked factual allegations of any unauthorized viewing. CMIA claims dismissed.
The court also dismissed claims under the Electronic Communications Privacy Act (“ECPA”) and the California Invasion of Privacy Act (“CIPA”). The ECPA prohibits the unauthorized interception of electronic communications, i.e., wire tapping. But the alleged communications were between the plaintiffs and the defendant, and the defendant could not have “intercepted” communications to which it was already a party. The plaintiffs’ CIPA claim failed for the same reason: The statute includes an exemption from liability for someone who was a party to the allegedly private communication. Id. at *14-*16. For both these claims, the plaintiffs basically alleged that the defendant was eavesdropping on itself. That’s a nice trick, but not a cause of action.
The plaintiffs’ anti-hacking claim likewise failed. California’s Comprehensive Computer Data and Fraud Act is directed at actions that illegally “cause output from” a person’s computer without permission. These plaintiffs alleged that the defendant collected and shared personal information that the plaintiffs provided, not that anyone hacked their computers. They also did not allege any damage or loss, which the statute requires to state a claim.
The court also dismissed claims for Larceny and violations of California’s Unfair Competition Law (“UCL”). The plaintiffs based their larceny claim on a theory of false pretense, i.e., that the defendants made false representations to induce them to transfer their “property” to the defendant. They did not allege, however, what representations the defendants made nor how they relied on them. Id at *18-*20. On the UCL claim, the court ruled that the plaintiffs failed to allege an actual loss of money or property, which doomed their claim. The plaintiffs argued that personal information, in some instances, has monetary value. The court, and others, disagreed:
[N]umerous courts in this circuit have held that the disclosure of a plaintiff’s personal information, absent allegations that the plaintiff intended to participate in the market to sell such information, does not constitute a monetary or property loss for purposes of UCL standing. The Court agrees with the weight of [this] authority . . . .
Id. at *22 (internal citations omitted). In other words, no harm, no foul.
The plaintiffs are left with claims for common law invasion of privacy, which apparently will depend on whether they accepted or declined the defendants’ cookie banner. The court also granted leave to amend on a few, but not all, of the other claims. But this was already the plaintiffs’ Second Amended Complaint, so we’re not sure what else these plaintiffs can do. In the end, this defendant was providing its medicine at a discount to patients who needed it. The thanks they got was a lawsuit from people who suffered no harm—and in fact were better off healthwise and dollarwise for their enrollment in the defendant’s program. Go figure.