No CIPA “Interception” When the Browser Sends a Separate, Direct Transmission to a Tracker; CMIA Liability Requires Substantive Medical Content — Cole v. Quest Diagnostics (3d Cir. 2025)

Commentary on Angela Cole v. Quest Diagnostics Inc., United States Court of Appeals for the Third Circuit (Nov. 13, 2025)

Introduction

In a non-precedential but consequential decision for the proliferating wave of “pixel” and web-tracking privacy cases, the Third Circuit affirmed dismissal of California privacy claims brought by users of Quest Diagnostics’ websites against Quest for alleged disclosures to Facebook via the Facebook Pixel. The panel (Judge Shwartz, joined by Judges Matey and Montgomery-Reeves) held:

  • California’s Invasion of Privacy Act (CIPA) § 631(a) does not reach communications where the user’s own browser directly transmits data to Facebook; in that circumstance, Facebook is a participant in those communications, so there is no third-party “eavesdropping.”
  • California’s Confidentiality of Medical Information Act (CMIA) imposes liability only for disclosure of “substantive” medical information. The mere fact that a person accessed a test-results page (i.e., that the person is a patient or accessed results) is not “medical information” without disclosure of test type, diagnosis, or results.

Plaintiffs Angela Cole and Beatrice Roche brought a putative class action alleging Quest violated CIPA § 631(a) and CMIA by deploying the Facebook Pixel on both its public site and its password-protected patient portal, thereby sending URLs, page titles, and other metadata to Facebook while Plaintiffs were logged into Facebook. The District of New Jersey dismissed both claims, and the Third Circuit affirmed.

Summary of the Opinion

The Court accepted the well-pleaded facts and focused on two dispositive questions:

  1. CIPA § 631(a): Was Facebook a third-party “eavesdropper,” or was it a participant in a direct communication from the user’s browser? Relying on In re Google Cookie Placement Consumer Privacy Litigation (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litigation (3d Cir. 2016), the Court held Facebook was a participant because the browser executed code that sent a separate, concurrent request directly to Facebook’s servers. Without third-party interception, a § 631(a) claim fails, and any theory that Quest aided or abetted an interception likewise fails.
  2. CMIA: Did Quest disclose “medical information”? The panel applied Eisenhower Medical Center v. Superior Court’s requirement that CMIA covers “substantive” medical content—information regarding medical history, condition, diagnosis, or treatment—not mere administrative or demographic details. Because Plaintiffs alleged only that Quest disclosed a URL indicating the user accessed test results, and not any test type, diagnosis, or results, no “medical information” was disclosed under CMIA.

The Court affirmed dismissal of both claims. Although Plaintiffs urged the Third Circuit to follow certain California state-court decisions, the panel adhered to its own prior interpretations of California law absent intervening controlling authority.

Analysis

A. Precedents and Authorities Cited

  • CIPA’s scope and the “participant” principle
    • Ribas v. Clark, 696 P.2d 637 (Cal. 1985): CIPA targets third-party eavesdropping and secret monitoring of conversations, not ordinary participation in a communication.
    • Warden v. Kahn, 160 Cal. Rptr. 471 (Ct. App. 1979): § 631(a) does not apply to a participant recording the conversation; the statute addresses non-party interception.
    • In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015): When a user’s browser directly communicates with an advertising technology server (e.g., to fetch an ad or transmit tracking data), the ad-tech company is a party to that transmission, so there is no interception “of” a communication to which it is not a party. The Cole panel quotes and applies this logic to the Facebook Pixel context.
    • In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016): Reinforces that CIPA does not apply when the alleged interceptor is a party to the communications, again supporting dismissal of § 631(a) claims in party-to-communication scenarios.
    • Karns v. Shanahan, 879 F.3d 504 (3d Cir. 2018): The panel notes that it is bound by Third Circuit precedent absent en banc reconsideration or U.S. Supreme Court intervention.
  • CMIA’s definition of “medical information”
    • Statutory definition: Cal. Civ. Code § 56.05(j)(1) defines “medical information” as individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment, in the possession of or derived from a provider of health care.
    • Eisenhower Medical Center v. Superior Court, 172 Cal. Rptr. 3d 165 (Ct. App. 2014): “Medical information” must relate to medical history, condition, or treatment; it does not encompass demographic or numeric data that do not reveal medical care. This decision gives CMIA a “substantive, not administrative” boundary.
    • Tamraz v. Bakotic Pathology Associates, LLC, 2022 WL 16985001 (S.D. Cal. Nov. 16, 2022): Disclosures of specimen or test information, including test results and specimen types, constitute “medical information.”
    • Gray v. Luxottica of America, Inc., 2024 WL 5689566 (C.D. Cal. Dec. 16, 2024): Disclosure that a plaintiff scheduled an eye exam does not, by itself, constitute “medical information.”
    • Strong v. LifeStance Health Group Inc., 2025 WL 317552 (D. Ariz. Jan. 28, 2025): CMIA applies where disclosures reveal the types of treatments sought or medical conditions—i.e., substantive content.
    • Wilson v. Rater8, LLC, 2021 WL 4865930 (S.D. Cal. Oct. 18, 2021): The bare fact that a person is treated by a provider is not “medical information” under CMIA.
    • Provider status under CMIA § 56.06(a): The panel assumed, without deciding, that Quest qualifies. It notes split authority—e.g., Tamraz (lab services may qualify) versus Harrill v. Emanuel Medical Center, 2025 WL 1635428 (E.D. Cal. June 9, 2025) (public, generic-health-information websites are not necessarily “providers of health care”).

B. The Court’s Legal Reasoning

1. CIPA § 631(a): No “interception” when the user’s browser directly communicates with Facebook

The complaint alleged Quest placed the Facebook Pixel on both its general website and its MyQuest patient portal. The pixel caused users’ browsers, upon visiting Quest’s pages, to execute code that sent a separate, concurrent request to Facebook’s servers, including the URL of the visited page and other metadata. Plaintiffs argued Quest “aided, agreed with, and conspired with” Facebook to intercept communications, violating CIPA § 631(a).

The Third Circuit applied its Google Cookie/Nickelodeon line, reasoning that when the user’s browser sends a separate message to Facebook’s servers, Facebook is a party to that communication. CIPA § 631(a)—which polices eavesdropping by non-parties—does not apply. As the panel put it, there is “no need for [Facebook] to acquire [the] information from transmissions to which [it is] not a party” when the browser communicates with Facebook directly. Without third-party interception, there can be no primary violation and thus nothing for Quest to “aid” or “abet.”

The Court also underscored that a user’s choice to use a given technology entails its features, even if the user does not know every technical detail (quoting Google Cookie). That observation helps explain why the browser-to-Facebook request is treated as direct participation by Facebook, not surreptitious wiretapping by an outsider.

2. CMIA: URLs indicating that a user accessed results are not “medical information” absent substantive content

Plaintiffs claimed Quest disclosed, to Facebook, the URL of a page used to retrieve test results, tied to users’ Facebook identifiers. The panel accepted (without deciding) that Quest could be a CMIA “provider,” but held Plaintiffs had not alleged any disclosure of “medical information.” Under Eisenhower and its progeny, CMIA protects substantive medical content—e.g., test types, diagnoses, or results—rather than administrative facts such as that a person is a patient or accessed a results page.

The panel contrasted cases finding CMIA coverage where the disclosure revealed the nature of treatment or results (e.g., Tamraz, Strong) with cases declining coverage for appointment scheduling or patient status alone (e.g., Gray, Wilson). Because Plaintiffs alleged only that Quest disclosed a results-page URL (with no allegation that the URL revealed test type, diagnosis, or results), the claim failed. The Court further rejected Plaintiffs’ attempt to expand their theory on appeal by arguing that Quest disclosed titles of health-condition articles on its general website; those allegations were not in the complaint and could not be added by appellate brief.

C. Procedural Posture and Standards

  • Standard: De novo review of Rule 12(b)(6) dismissal; all well-pleaded facts assumed true and construed in Plaintiffs’ favor.
  • Jurisdiction: The district court had subject-matter jurisdiction under the Class Action Fairness Act (CAFA), and the Third Circuit had appellate jurisdiction under 28 U.S.C. § 1291.
  • Pleading practice: Parties cannot amend a complaint via briefing on appeal; new factual theories must be pleaded in the operative complaint.

D. Impact and Practical Implications

1. CIPA claims against “pixel” deployments in the Third Circuit

This decision extends Google Cookie’s reasoning to the Facebook Pixel and similar client-side tracking tools: when embedded code causes the user’s browser to make a separate HTTP(S) request to a third-party endpoint (e.g., Facebook), that third party is a “participant” in that request. Absent additional facts showing an actual “interception” of a communication between the user and the first-party website, § 631(a) claims premised on such pixel traffic are unlikely to survive in the Third Circuit.

For plaintiffs, this raises the pleading bar: they will need to allege facts demonstrating a genuine non-party interception—something beyond the routine, separate third-party calls initiated by the browser. That might include different technologies or architectures (for example, scenarios where a third party contemporaneously siphons the content of the user–host exchange without being a party to any direct browser–third-party communication), but bare pixel allegations of the kind in Cole will not suffice.

2. CMIA claims in tracker cases: the “substantive content” requirement

CMIA plaintiffs will need to plead that the disclosure revealed substantive medical content—such as test names, diagnostic codes, specimens, or results—not merely that the user was a patient or accessed a results portal. URLs or page titles that themselves embed diagnosis/treatment terms could suffice; generic “results” page identifiers without medical substance will not. The opinion also illustrates the importance of alleging the exact data elements transmitted and how those elements reveal diagnosis or treatment.

3. Provider status under CMIA

The panel did not decide whether Quest is a CMIA “provider of health care” under § 56.06(a), but flagged the issue and conflicting authorities. Litigants should expect provider-status disputes to remain a key threshold issue in CMIA tracker cases, especially where disclosures are tied to public-facing health-information pages rather than authenticated patient portals.

4. Forum and precedent strategy

The panel emphasized adherence to existing Third Circuit precedent on California law (Google Cookie, Nickelodeon). Until en banc reconsideration or contrary controlling authority, district courts in the circuit are likely to follow this approach. Plaintiffs may view other forums with different precedent as more hospitable to § 631(a) pixel theories; defendants will cite Cole for persuasive authority to dismiss similar CIPA claims at the pleading stage in Third Circuit courts.

5. Compliance takeaways for healthcare and consumer-facing sites
  • Minimize “substantive” content in URLs and client-side telemetry. Avoid embedding test names, diagnostic terms, or results in query strings, page paths, titles, or event parameters sent to third parties.
  • Segment authenticated patient portals from public content, and scrutinize client-side trackers on authenticated flows. If tracking is used, ensure it does not transmit test types, diagnoses, or results.
  • Maintain vendor restrictions and data minimization. Configure third-party pixels to limit metadata and disable sensitive event capture.
  • Document consent and disclosures. While not determinative for § 631(a) in a “participation” analysis, clear disclosures may affect other statutes and common-law privacy claims.
  • Consider server-side architectures and contractual controls. Although server-side relays can reduce client-side leakage, they may raise distinct legal questions; vendor contracts should prohibit ingestion or use of medical content absent lawful authorization.
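
One way to apply the first two takeaways in code, as an added example that comes from neither the opinion nor the original commentary: a filter that reduces a page URL and title to administrative values before any third-party tag sees them, and records what the raw values would have revealed. The host name, path allowlist, title allowlist and term patterns are constructed assumptions.

```javascript
// Added example: minimize what a page exposes to third-party tags.
// Host, allowlists and term patterns are constructed for illustration.
const POLICY = {
  // Path segments treated as administrative (safe to expose as-is).
  allowedSegments: new Set(["portal", "results", "appointments", "account"]),
  // Titles treated as administrative; anything else becomes a generic label.
  allowedTitles: new Set(["Results", "Sign in", "Account"]),
  // Illustrative patterns for substantive content (test names, results, codes).
  sensitivePatterns: [/hiv|hba1c|glucose|pregnan|biopsy|positive|negative/i,
                      /\b[A-TV-Z]\d{2}(\.\d{1,4})?\b/], // ICD-10-like code shape
};

function findSensitive(text, policy = POLICY) {
  return policy.sensitivePatterns.filter((re) => re.test(text)).map((re) => re.source);
}

// Returns the URL and title that may be handed to a third-party tag, plus
// audit findings describing what the raw values would have revealed.
function minimizeForTelemetry(rawUrl, rawTitle, policy = POLICY) {
  const u = new URL(rawUrl);
  const findings = [];
  const segments = u.pathname.split("/").filter(Boolean).map((seg) => {
    if (policy.allowedSegments.has(seg.toLowerCase())) return seg;
    findings.push({ where: "path", value: seg, matched: findSensitive(seg, policy) });
    return "_"; // unknown segment: redact rather than guess
  });
  // Query strings and fragments are dropped wholesale: they commonly carry
  // test names, result values and record identifiers.
  for (const [k, v] of u.searchParams) {
    findings.push({ where: "query", value: `${k}=${v}`, matched: findSensitive(`${k} ${v}`, policy) });
  }
  if (u.hash) findings.push({ where: "fragment", value: u.hash, matched: findSensitive(u.hash, policy) });
  const title = policy.allowedTitles.has(rawTitle) ? rawTitle : "Page";
  if (title !== rawTitle) {
    findings.push({ where: "title", value: rawTitle, matched: findSensitive(rawTitle, policy) });
  }
  return { url: `${u.origin}/${segments.join("/")}`, title, findings };
}

// Constructed sample: a results page whose path, query and title name a test.
const sample = minimizeForTelemetry(
  "https://portal.example.test/portal/results/hba1c-panel?result=positive&id=12345#detail",
  "HbA1c Panel Result"
);
console.log(sample.url, "|", sample.title, "|", sample.findings.length, "findings");
```

The allowlist approach redacts anything not known to be administrative, so a new page path added later is hidden from trackers by default; the pattern list only labels findings for review and is not what decides redaction.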

Complex Concepts, Simplified

  • What the Facebook Pixel does: When a page loads, embedded JavaScript triggers the user’s browser to make an additional request to Facebook’s servers, often including the page URL and other configured parameters. That additional request is a separate network communication—hence, Facebook is a “participant” in that browser-to-Facebook message.
  • “Interception” under CIPA § 631(a): CIPA focuses on non-party eavesdropping—reading or learning the contents of a communication “in transit” between two other parties. If the alleged “interceptor” is itself a recipient of a direct message from the user’s browser, it is not eavesdropping on someone else’s communication.
  • “Medical information” under CMIA: CMIA protects content that reveals a patient’s medical history, conditions, diagnoses, or treatments. It does not cover administrative facts such as being a patient or accessing an account. Think “X-ray result showing pneumonia” (covered) versus “appointment scheduled” or “results page accessed” (not covered).
  • Pleading precision matters: Courts evaluate the specific data alleged to have been transmitted. Conclusory statements that “medical information was shared” will be insufficient unless the complaint identifies the substantive elements (e.g., test names, results, diagnoses) and how the transmission revealed them.
  • Non-precedential disposition: The Third Circuit labeled this opinion “not precedential.” It does not bind other panels but will likely be treated as persuasive by district courts within the circuit, especially given its reliance on established circuit precedent.

Conclusion

Cole v. Quest Diagnostics reinforces two pivotal constraints in tracker-based privacy litigation under California law. First, CIPA § 631(a) requires third-party eavesdropping; it does not reach situations where the user’s own browser sends a separate, direct transmission to the tracking service. Second, CMIA’s protections are triggered by disclosures of substantive medical information, not mere indicia that someone was a patient or accessed a results page.

For plaintiffs, the decision underscores the need to plead concrete, content-revealing transmissions and a genuine non-party interception mechanism. For defendants—especially healthcare and consumer-facing entities using pixels—Cole provides a roadmap: strictly limit any client-side exposure of medical content, and rely on the “participant” framework in defending § 631(a) claims premised on separate browser-to-tracker calls. Even as a non-precedential ruling, Cole is a strong signal that, in the Third Circuit, pixel-based CIPA claims will be measured against Google Cookie’s party/participant logic, and CMIA claims will turn on whether truly medical content—not just patient status—was disclosed.

Note: This commentary is provided for informational purposes only and does not constitute legal advice.

Case Details

Year: 2025
Court: Court of Appeals for the Third Circuit