ABBOTT DELIVERS A COMPLETE WIN: Pixel-Based CIPA and ECPA Claims Dismissed With Prejudice For Failure to Allege Disclosure of Protected Health Content

In the latest CIPA/ECPA pixel case, Abbott Laboratories walked away with a complete dismissal after plaintiffs alleged that Meta Pixel and Google tracking tools on its FreeStyle Libre free-trial pages unlawfully transmitted sensitive diabetes-related data. The Illinois court wasn’t persuaded. While plaintiffs plausibly alleged they shared health-related information with Abbott when requesting glucose monitoring devices, the complaint failed to show that Abbott actually transmitted protected health information to Meta or Google.

In Nguyen v. Abbott Laboratories, United States District Court, N.D. Illinois, Eastern Division, No. 24 CV 8289, the court evaluated whether plaintiffs’ amended complaint plausibly stated claims for relief for violations of the Electronic Communications Privacy Act (“ECPA”), the California Invasion of Privacy Act (“CIPA”), and for negligence under Illinois law.

Abbott Laboratories manufactures and sells continuous glucose monitoring devices under the FreeStyle Libre brand and offers free trials through its website. Plaintiffs—residents of Georgia, Illinois, and California—alleged that when they requested free trials, Abbott used tracking technologies such as the Meta Pixel and Google analytics tools that transmitted their website activity to third parties like Meta and Google. Plaintiffs claimed they disclosed sensitive health-related information when completing forms, including their diabetes diagnosis, insurance information, device usage, and personal identifiers. They further alleged that this information was shared with third parties and led to targeted diabetes-related advertisements on Facebook and Instagram.

With respect to the ECPA claim, the court explained that the statute prohibits intentional interception of electronic communications but includes a one-party consent exception, which excludes a party to the communication from liability unless the interception was undertaken for the purpose of committing a crime or tort. Plaintiffs conceded that Abbott was a party to the communications but invoked the crime-tort exception under ECPA, arguing that Abbott’s conduct constituted a criminal violation of HIPAA. The court first found that plaintiffs plausibly alleged they disclosed individually identifiable health information to Abbott when ordering diabetes-related devices for themselves and providing insurance and personal details. But the claim failed because plaintiffs did not plausibly allege that Abbott knowingly disclosed HIPAA-protected information to Meta or Google. The screenshots incorporated into the complaint showed only the transmission of event data (such as button clicks, form completion, gender markers, and identifiers), not specific health information or individualized medical details. Because the alleged transmitted data was not protected health information, ECPA’s crime-tort exception did not apply, and the one-party consent rule barred plaintiffs’ ECPA claim.

The negligence claim under Illinois law also failed. To state a negligence claim, plaintiffs were required to allege a duty, breach, and proximate causation. Plaintiffs relied on Illinois’s Personal Information Protection Act to establish a duty to safeguard nonpublic personal information. But because the court concluded that plaintiffs had not plausibly alleged disclosure of protected health information or other qualifying nonpublic data, there was no breach of duty. The types of information allegedly transmitted, such as gender or social media identifiers, did not fall within the IL statute’s protected categories.

Finally, the California plaintiff’s claim under CIPA failed for similar reasons. As CIPAWorld dwellers know, courts analyze CIPA wiretapping claims under the same framework as the federal Wiretap Act. Because Abbott was a party to the communications and the crime-tort exception did not apply, plaintiffs could not establish a direct violation under CIPA. The derivative liability theory also failed because plaintiffs did not plausibly allege that Meta or Google intercepted the “contents” of communications. The transmitted data reflected “record information,” such as button clicks and form completion status, rather than the content of communications. Without a predicate violation involving protected content, plaintiffs failed to establish aiding and abetting liability under CIPA.

After already granting leave to amend once, the IL court dismissed the case with prejudice—a great win for Abbott.

