NOT PRECEDENTIAL UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT ______________ No. 25-1449 ______________ ANGELA COLE, individually and on behalf of all others similarly situated; BEATRICE ROCHE, individually and on behalf of all others similarly situated, Appellants v. QUEST DIAGNOSTICS INC ______________ On Appeal from the United States District Court for the District of New Jersey (D.C. No. 2:23-cv-20647) U.S. District Judge: Honorable William J. Martini ______________ Submitted Under Third Circuit L.A.R. 34.1(a) November 10, 2025 ______________ Before: SHWARTZ, MATEY, and MONTGOMERY-REEVES, Circuit Judges.

(Filed: November 13, 2025) ______________ OPINION* ______________

* This disposition is not an opinion of the full Court and, pursuant to I.O.P. 5.7, does not constitute binding precedent.

SHWARTZ, Circuit Judge.

Plaintiffs, users of websites operated by Quest Diagnostics Inc., allege that Quest transmitted to Facebook their browsing data in violation of the California Invasion of Privacy Act, California Penal Code § 631(a) (“CIPA”) and the Confidentiality of Medical Information Act, California Civil Code § 56.06(a) (“CMIA”). Because Plaintiffs directly transmitted to Facebook their browsing data and none of that data was substantive medical information, we will affirm the District Court’s orders dismissing Plaintiffs’ claims.

I1 Quest operates two websites: www.questdiagnostics.com (the “General Website”) and www.myquest.diagnostics.com (“MyQuest”). The General Website is “available to all internet users” who can “browse articles, read publications, and access [Quest’s] other services and products.” App. 56. MyQuest is a “password-protected platform” that allows users to create an account and “review test results, schedule appointments, or pay bills” for clinical lab services Quests provides to its patients. App. 56.

Both websites incorporate the Facebook tracking pixel. The pixel collects information about internet users’ activity for advertising purposes. When a user accesses a host website that incorporates the pixel, the user’s browser runs code to access the host website and “send[s] a separate message to Facebook’s servers . . . concurrent with the

“In reviewing a motion to dismiss under Rule 12(b)(6), we treat as true all well- pleaded facts in the complaint, which we construe in the ‘light most favorable to the plaintiff.’” Santomenno ex rel. John Hancock Tr. v. John Hancock Life Ins. Co. (U.S.A), 768 F.3d 284, 290 (3d Cir. 2014) (citations omitted). communications with the host website.” App. 55. This pixel communicates that the user is accessing that host website and transmits to Facebook any “additional data that the pixel is configured to collect.” App. 55. Facebook then matches this information “with personally identifiable information” associated with the user’s Facebook account “so it can later retarget patients [with advertisements] on Facebook.” App. 61.

When a user accesses the General Website, Plaintiffs allege the pixel transmits to Facebook “the URL of the page requested, along with the title of the page, keywords associated with the page, and a description of the page.” App. 59. Likewise, when a user accesses MyQuest, the pixel transmits to Facebook the URL “showing, at a minimum, that a patient has received and is accessing test results.” App. 59.

Plaintiffs allege that when they retrieved their medical test results by “navigat[ing] to the General Website, which redirected [them] to [MyQuest],” Quest transmitted to Facebook their personal information. App. 51-52. They filed a putative class-action complaint alleging this violated (1) CIPA because Quest “aided, agreed with, and conspired with Facebook to track and intercept Plaintiffs’ and Class members’ internet communications,” App. 66, and (2) CMIA because Quest “disclosed the URL of the webpage [Plaintiffs] accessed to review test results” along with Plaintiffs’ identifying information connected to their Facebook accounts,2 App. 67.

Quest moved to dismiss. In separate rulings, the District Court dismissed both the CIPA and CMIA claims. See Cole v. Quest Diagnostics, Inc. (Cole I), 2:23-CV-20647-

Plaintiffs have Facebook accounts and “typically remain[] logged in” on their devices after using their accounts. App. 51-52.

WJM, 2024 WL 3272789 (D.N.J. July 2, 2024); Cole v. Quest Diagnostics, Inc. (Cole II), 2:23-CV-20647-WJM, 2025 WL 88703 (D.N.J. Jan. 14, 2025).

As to the CIPA claim, the District Court found that CIPA “is aimed only at ‘eavesdropping, or the secret monitoring of conversations,’” and that Facebook received information directly from “[P]laintiffs’ ‘browsers’” about webpages the Plaintiffs visited, and, thus, “‘there is no need for [Facebook to have eavesdropped] to acquire that information from transmissions to which they are not a party.’” Cole II, 2025 WL 88703, at *2 (quoting In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 140-41 (3d Cir. 2015)).

As to the CMIA claim, the District Court reasoned that CMIA bars the unlawful disclosure of “substantive” medical information, Cole I, 2024 WL 3272789, at *5 (citing Eisenhower Med. Ctr. v. Superior Ct., 172 Cal. Rptr. 3d 165, 170 (Ct. App. 2014)), and Plaintiffs alleged only that Quest disclosed “information reveal[ing] a patient has received and is accessing test results” but did not disclose to Facebook “[i]nformation regarding what kind of medical test was done or what the results were,” Id., at *5 (citation omitted). As a result, the Court held that Plaintiffs did not allege the disclosure of “medical information” under CMIA. Cole I, 2024 WL 3272789, at *5.

Plaintiffs appeal.

II3

The District Court had jurisdiction pursuant to 18 U.S.C. § 1332(d)(2)(A), and we have jurisdiction under 28 U.S.C. § 1291. We exercise plenary review of a district court’s order granting a motion to dismiss for failure to state a claim. See Burtch v. Milberg Factors, Inc., 662 F.3d 212, 220 (3d Cir. 2011).

A CIPA provides a private right of action against “[a]ny person” who “willfully and without the consent of all parties to the communication . . . read[s] . . . the contents or meaning of any message, report, or communication while the same is in transit.” Cal. Penal Code §§ 631(a), 637.2. The statute prohibits “eavesdropping, or the secret monitoring of conversations by third parties.” Ribas v. Clark, 696 P.2d 637, 640 (Cal. 1985). Section 631(a) does not apply to “recording by a participant to a conversation.”

Warden v. Kahn, 160 Cal. Rptr. 471, 475 (Ct. App. 1979).

In Google Cookie, we considered whether online advertising businesses, like Facebook, were parties to communications and, thus, exempt from CIPA liability. 806 F.3d at 152. There, internet users alleged that when they accessed certain websites, the servers hosting those sites would “instruct[] the user’s web browser to send a . . . request to [online advertising businesses] to display the relevant advertising information for [inclusion in] the space on the page” the user received. Id. at 140. In relevant part, we rejected users’ argument that these online advertising businesses violated CIPA because they “acquired and tracked the plaintiffs’ internet usage.” Id. at 139, 152. We explained that “[i]f users’ browsers directly communicate with [online advertising businesses] about the webpages they are visiting . . . then there is no need for [those businesses] to acquire that information from transmissions to which they are not a party.” Id. at 140-41.

Therefore, we affirmed the order dismissing the CIPA claim because those online advertising businesses “were parties to any communications that they acquired.” Id. at 145, 152; see also In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 276 (3d Cir. 2016) (footnotes omitted) (relying on Google Cookie to hold that CIPA “does not apply when the alleged interceptor was a party to the communications”).4 Plaintiffs’ CIPA claim similarly lacks merit. Like the users in Google Cookie, Plaintiffs here directly “sen[t] a separate message to Facebook’s servers . . . concurrent with the communications with [Quest]” that allegedly disclosed their browsing activity.

App. 55. As the recipient of a direct communication from Plaintiffs’ browsers, Facebook was a participant in Plaintiffs’ transmissions such that Quest did not aid or assist Facebook in eavesdropping on or intercepting such communications, even if done without the users’ knowledge. See Google Cookie, 806 F.3d at 151 n.130 (“The decision to use one or another technology is the decision to choose its features, even if the lay user may not actually know what all those features are in their specifics.”). Because there was no eavesdropping, Plaintiffs’ CIPA claim was properly dismissed.

B The District Court also correctly dismissed Plaintiffs’ CMIA claim. CMIA prohibits a “provider of health care” from “disclos[ing] medical information regarding a patient . . . without first obtaining an authorization.” Cal. Civ. Code § 56.10(a).

“Medical information” is “any individually identifiable information . . . in possession of or derived from a provider of health care . . . regarding a patient’s medical history, mental health application information, reproductive or sexual health application information,

Although Plaintiffs argue that we should follow rulings from the California state courts, absent intervening precedent from the United States Supreme Court or en banc reconsideration from this Court, we are “obligated to follow our precedent.” Karns v. Shanahan, 879 F.3d 504, 514 (3d Cir. 2018); 3d Cir. I.O.P. 9.1. mental or physical condition, or treatment.” Id. § 56.05(j)(1). This information must “relat[e] to medical history, mental or physical condition, or treatment of the individual” and “does not encompass demographic or numeric information that does not reveal medical history, diagnosis, or care.” Eisenhower, 172 Cal. Rptr. 3d at 169-70; see also Tamraz v. Bakotic Pathology Assocs., LLC, 22-CV-0725-BAS-WVG, 2022 WL 16985001, at *4 (S.D. Cal. Nov. 16, 2022) (medical information under CMIA “must be ‘substantive,’ rather than merely administrative” (quoting Eisenhower, 172 Cal. Rptr. 3d at 168)).

Although the nature of treatment is medical information, the fact that treatment occurred is not. Compare Gray v. Luxottica of Am., Inc., 8:24-CV-00160-MRA-DFM, 2024 WL 5689566, at *9 (C.D. Cal. Dec. 16, 2024) (holding disclosure that plaintiff had scheduled eye exam was not “medical information” because it revealed that plaintiff “[a]t best . . . may have been a patient of [eyeglass store] at some time”), with Tamraz, 2022 WL 16985001, at *5 & n.4 (finding disclosure of “specimen or test information”— including “the results of test and the types of specimens”—constituted “medical information”), and Strong v. LifeStance Health Grp. Inc., CV-23-00682-PHX-KML, 2025 WL 317552, at *10 (D. Ariz. Jan. 28, 2025) (citation omitted) (holding defendant disclosed medical information where it revealed “the type of medical treatments [patients] sought, and their medical conditions” (internal quotation marks omitted)).

Assuming Quest qualifies as a CMIA medical provider,5 Plaintiffs allege that Quest “disclosed the URL of the webpage a patient accessed to review test results,”6 but did not allege that Quest disclosed those test’s nature or results or any other substantive medical information. App. 67. Thus, at most, Plaintiffs alleged that Quest disclosed Plaintiffs had been its patients, which is not medical information protected by CMIA.

See Wilson v. Rater8, LLC, 20-CV-1515-DMS-LL, 2021 WL 4865930, at *5 (S.D. Cal. Oct. 18, 2021) (holding that a person being treated by a provider “‘is not in itself medical information’” under CMIA (quoting Eisenhower, 172 Cal. Rptr. 3d at 169)). Therefore, the District Court properly dismissed the CMIA claim.

Under CMIA, a “provider of health care” is “[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual.” Cal. Civ. Code § 56.06(a). While at least one other court has concluded that an entity that provides “laboratory services to health care providers” is a health care provider under CMIA, Tamraz v. Bakotic Pathology Associates, LLC, 22-CV-0725-BAS-WVG, 2022 WL 16985001, at *1 (S.D. Cal. Nov. 16, 2022), some courts have held that public websites providing generic healthcare information do not meet CMIA’s definition of “provider of health care,” e.g., Harrill v. Emanuel Med. Ctr., 2:23-CV-01672-DC-CKD, 2025 WL 1635428, at *8 (E.D. Cal. June 9, 2025) (finding medical center that disseminated information “not exclusively available to [its] patients” on health conditions did not constitute a “provider of health care” under the statute). We need not decide whether Quest is such a provider to resolve this appeal.

Plaintiffs also argue that “Quest disclosed the titles of the articles users read, which revealed symptoms and conditions” on the General Website, Appellant’s Br. at 29 (citing App. 59), but this is not alleged in their complaint. A brief may not amend a complaint, see Gov’t Emps. Ins. Co. v. Mount Prospect Chiropractic Ctr., P.A., 98 F.4th 463, 472 (3d Cir. 2024), and the complaint does not allege that Plaintiffs used the General Website for anything more than accessing MyQuest. See App. 51-52 (“Plaintiff . . . navigated to the General Website, which redirected her to [MyQuest], where she created an account.”).

III For the foregoing reasons, we will affirm.