ARTICLE
20 November 2025

Third Circuit Affirms Dismissal Of CIPA Adtech Class Action Because A Party To A Communication Cannot Eavesdrop On Itself

Duane Morris LLP

Gerald Maatman, Jr.’s articles from Duane Morris LLP are most popular:
  • within Litigation and Mediation & Arbitration topic(s)
  • in United States

Duane Morris Takeaways: On November 13, 2025, in Cole, et al. v. Quest Diagnostics, Inc., 2025 U.S. App. LEXIS 29698 (3d Cir. Nov. 13, 2025), the U.S. Court of Appeals for the Third Circuit affirmed a ruling of the U.S. District Court for the District of New Jersey dismissing a class action complaint brought by website users against a diagnostic testing company alleging that the company's use of website advertising technology violated the California Invasion of Privacy Act ("CIPA") and California's Confidentiality of Medical Information Act ("CMIA").

The ruling is significant because it confirms two important principles: (1) CIPA's prohibition against eavesdropping does not apply to an online advertising company, like Facebook, when it directly receives information from the users' browser; and (2) the CMIA is not triggered unless plaintiffs plausibly allege the disclosure of substantive medical information.

Background

This case is one of a legion of nationwide class actions that plaintiffs have filed alleging that third-party technologies ("adtech") captured user information for targeted advertising. These tools, such as the Facebook Tracking Pixel, are widely used across millions of consumer products and websites.

In these cases, plaintiffs typically assert claims under federal or state eavesdropping statutes, consumer protection laws, or other privacy statutes. Because statutes like CIPA allow $5,000 in statutory damages per violation, plaintiffs frequently seek millions, or even billions, in potential recovery, even from midsize companies, on the theory that hundreds of thousands of consumers or website visitors, times $5,000 per claimant, equals a huge amount of damages. While many of these suits initially targeted healthcare providers, plaintiffs have sued companies across nearly every industry, including retailers, consumer products companies, universities, and the adtech companies themselves.

Several of these cases have resulted in multimillion-dollar settlements; others have been dismissed at the pleading stage (as we blogged about here) or at the summary judgment stage (as we blogged about here and here). Still, most remain undecided, and with some district courts allowing adtech class actions to survive motions to dismiss (as we blogged about here), the plaintiffs' bar continues to file adtech class actions at an aggressive pace.

In Cole, the plaintiffs alleged that the defendant diagnostic testing company used the Facebook Tracking Pixel on both its general website and its password-protected patient portal. Id. at *1-2. According to the plaintiffs, when a user accessed the general website, the Pixel intercepted and transmitted to Facebook "the URL of the page requested, along with the title of the page, keywords associated with the page, and a description of the page." Id. at *2-3. Likewise, when a user accessed the password-protected website, the Pixel allegedly transmitted the URL "showing, at a minimum, that a patient has received and is accessing test results." Id. at *3.

Plaintiffs asserted that these transmissions constituted (1) a CIPA violation because the company supposedly aided Facebook in "intercepting" plaintiffs' internet communications, and (2) a CMIA violation because the company allegedly disclosed URLs associated with webpages plaintiffs accessed to view test results along with plaintiffs' identifying information linked to users' Facebook accounts. Id. at *3.

The company moved to dismiss, and, in separate orders, the district court dismissed both claims. See 2024 U.S. Dist. LEXIS 116350; 2025 U.S. Dist. LEXIS 7205.

As to the CIPA claim, the district court found that CIPA "is aimed only at 'eavesdropping, or the secret monitoring of conversations by third parties,'" and that Facebook was not a third party because it received information directly from plaintiffs' browsers about webpages they visited. 2025 U.S. Dist. LEXIS 7205, at *7-8 (quoting In Re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 140-41 (3d Cir. 2015)). As to the CMIA claim, the district court found that plaintiffs alleged only that the company disclosed that a patient accessed test results but not what kind of medical test was done or what the results were. 2024 U.S. Dist. LEXIS 116350, at *15. Accordingly, the district court held that plaintiffs failed to allege the disclosure of "substantive" medical information as required under the CMIA. Id.

Plaintiffs appealed both rulings.

The Court's Decision

The Third Circuit affirmed. Id. at *1.

On the CIPA claim, the Third Circuit explained that "[a]s a recipient of a direct communication from Plaintiffs' browsers, Facebook was a participant in Plaintiffs' transmissions such that [the company] did not aid or assist Facebook in eavesdropping on or intercepting such communications, even if done without the users' knowledge." 2025 U.S. App. LEXIS 29698, at *6. With no eavesdropping, "Plaintiffs' CIPA claim was properly dismissed." Id. at *7.

On the CMIA claim, the Third Circuit explained that "at most, Plaintiffs alleged that [the company] disclosed Plaintiffs had been its patients, which is not medical information protected by CMIA." Id. at *8. Thus, the Third Circuit held that the district court properly dismissed the CMIA claim. Id. at *9.

Implications For Companies

Cole offers strong precedent for any company defending adtech class action claims (1) brought under CIPA's eavesdropping provision where the third-party adtech company directly receives the information from users' browsers and (2) brought under the CMIA where the alleged disclosure merely shows that a person was a patient, without revealing any substantive information about the person's medical condition or test results.

The latter point continues to appear across adtech class actions. Just as the plaintiffs in Cole failed to plausibly allege the disclosure of substantive medical information, courts have dismissed similar claims where plaintiffs allege disclosure of protected health information ("PHI") without actually identifying what PHI was supposedly shared (as we blogged about here). These decisions reinforce that adtech plaintiffs must identify the specific medical information allegedly disclosed to plausibly plead claims under the CMIA or for invasion of privacy.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
