Think You Understand Online Trespass to Chattels Law? Think Again–In re Meta Healthcare Pixels

This is one of the many pending “Pixel” cases. If you don’t recall, a “pixel” is a 1×1-pixel image file that is imperceptible to web visitors. A website adds code to its web page that summons the pixel from a third-party source. By delivering the pixel and related items like cookies, the third party can independently and automatically gather information about the web visitor. This information can be used for analytics purposes or to track users, which can then be fed into remarketing or other targeting.

Using a pixel to track users is an Old School practice. In my Internet Law course, I still teach the Pharmatrak case from 2003, where an analytics service provider used a pixel and other tracking technology. 20 years later, we’re still fighting over pixels and cookies. There are hundreds of pixel lawsuits in the courts right now (and surely more to come after a ruling like this).

This case involves the deployment of Facebook’s pixel by healthcare providers. In general, the use of tracking and data-gathering pixels in a healthcare context isn’t advisable because of the risks that sensitive health data will leak out to unexpected recipients. Another lesson my class takes away from the Pharmatrak case (reminder: that case is 20+ years old).
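To make the mechanism concrete, here is an added example (not from the original post or the case record): a Python audit that a healthcare site operator could run over its own page HTML to list third-party 1×1 images and scripts, along with the query parameters each request would hand to the third party. The hosts, paths and parameter names in the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class PixelAuditor(HTMLParser):
    """Collect third-party 1x1 images and third-party scripts in a page."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def _third_party(self, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host, so they are first-party.
        if not host or host == self.first_party:
            return False
        return not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if not self._third_party(src):
            return
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            kind = "pixel"
        elif tag == "script":
            kind = "script"
        else:
            return
        u = urlparse(src)
        # The query string is what the visitor's browser hands to the third party.
        self.findings.append({"kind": kind, "host": u.hostname, "params": parse_qs(u.query)})

def audit(html, first_party_host):
    parser = PixelAuditor(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: hosts, paths and parameter names are illustrative.
SAMPLE = """<html><body>
<img src="/logo.png" width="120" height="40">
<script src="https://cdn.tracker.example/events.js"></script>
<img height="1" width="1" style="display:none" src="https://collect.tracker.example/tr?id=000000&amp;ev=PageView&amp;dl=https%3A%2F%2Fclinic.example%2Fappointments%2Foncology">
<img src="https://static.clinic.example/spacer.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "clinic.example"):
        print(f["kind"], f["host"], f["params"])
```

In the sample, the pixel request carries the full URL of the page being viewed, which is how an appointment category can reach a third party without the visitor seeing anything on screen.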

I’m going to focus on the court’s ruling on trespass to chattels doctrines. It will rock your world (not necessarily in a good way).

California Penal Code 502 (Comprehensive Data Access and Fraud Act/CDAFA)

Facebook’s Pixel program places small electronic files into a user’s RAM or hard drive, including the pixel and cookies. Facebook queried how such files harmed the user’s device. The plaintiffs responded with generic allegations: “(i) Meta occupied storage space on their devices without authorization; (ii) Meta’s acts caused their devices to work slower; (iii) Meta’s acts used computer resources of the device; and (4) Meta unjustly profited from the data taken.” We might expect the judge to push on these vague and conclusory allegations and demand specifics. Exactly what did Facebook do? How exactly did it cause any purported harms? Instead, the judge accepts these allegations as good enough to survive the motion to dismiss. So a claim that “Meta’s acts used computer resources of the device” is good enough–seriously?

[Note: the court cites Facebook v. Power Ventures for the proposition that de minimis losses can state a 502 claim…belated kudos to Facebook’s litigation team for setting key Facebook-favorable precedent 🙄]

Facebook also challenged whether it made sufficient “use” of the data. Once again, the “Plaintiffs rely on Northern District cases that have entered judgment in favor of Meta on data scraping cases based on mere use.” 🙄🙄 However, the court doesn’t analyze this aspect at all.

Instead, the court turns to the allegation that Meta has altered plaintiffs’ devices, in violation of (c)(1) by (i) “usurp[ing] the[ir] normal operation”; (ii) “surreptitiously plac[ing] the _fbp cookie” on them; and (iii) “caus[ing]” the computers to “redirect Plaintiffs’ … data to Meta.” Again, the court accepts these generic and conclusory allegations as good enough.

Facebook also argued that its pixel and cookie weren’t an impermissible “contaminant.” The court responds:

plaintiffs allege that the Pixel records and transmits information to Meta. They say that Meta designed the Pixel to log and track website visitors’ actions, that Meta disguises the Pixel as a first-party cookie to allow it to be placed on website visitors’ devices and avoid detection, and that the Pixel usurps the normal operation of website visitors’ devices. These are sufficient to allege that the Pixel, as Meta puts it, transmits information without permission in violation of (c)(8)

The net effect is that Facebook may have violated multiple provisions of 502–a state statutory trespass to chattels law–by placing a pixel and cookie on users’ devices…even if the plaintiffs can’t show any other specific harm from that conduct.

Common Law Trespass to Chattels

Per Hamidi, common law trespass to chattels plaintiffs must show a measurable loss to computer system resources. Here’s how the plaintiffs alleged their harms:

(i) placement of the _fbp cookie/tracking tool, as the tool takes up a “measurable” amount of available storage that would otherwise be available to the devices; (ii) Meta source code that “used a measurable amount of resources” that slow the speed of user devices; and (iii) the lost time caused by Meta’s slowing communications exchanged with their healthcare providers, causing “measurable” increases in web-page loading time. As a result, plaintiffs seek nominal damages as well as damages for the loss of storage space and loss of time caused by Meta’s slowing of communications between plaintiffs and their healthcare providers.

Facebook argued that these consequences were all de minimis. The court responds:

Plaintiffs have alleged measurable harm from the loss of available storage space on their devices. An allegedly unconsented, surreptitious, non-temporary placement of software on devices that reduces storage has a measurable impact. I will let the trespass to chattels claim based on the surreptitious placement of the _fbp cookie on plaintiffs’ devices, resulting in a measurable decrease in the storage plaintiffs’ have on their phone proceed

The court admits this is “a close call involving thorny and evolving issues of state law,” but rejects the motion to dismiss so that the parties can flesh out these issues in discovery.

Let’s make sure you didn’t miss the point: the court says placing a persistent cookie could constitute a common law trespass to chattels because it takes up a measurable amount of storage, even if that amount is trivial and has no other consequences for the user or the device.

Implications

What Online Activities Aren’t a Trespass to Chattels? This ruling suggests that simply placing a pixel and persistent cookie could be a prima facie common law TTC and 502 violation without showing any other specific harm. If that’s true, this ruling will mark the end of the Internet as we know it, because every Internet packet exchange potentially causes the same “harm.”

It doesn’t have to be this way. The trespass to chattels doctrine has always required a plaintiff to show non-de-minimis harm to establish a claim (as opposed to, say, trespass to real property, where mere presence is sufficient harm). This is why, for example, touching someone else’s car in a crowded parking lot (which everyone has done many, many times) intermeddles with a third party’s chattel, but it’s not actionable without any damage to the car (under the venerable legal principle “no harm, no foul”). Similar line of thinking with the petting of someone’s dog. It might be unwise to give feisty Bowser some head scritches without permission from the pet owner, but it’s not a tort, either.

In contrast, this opinion empowers claims when there is no meaningful impact on the user or their device. Without a limiting principle of harm, the trespass to chattels doctrine becomes a general-purpose tort applicable to all online interactions. This sounds like the recipe for an infinite litigation machine.

Are Cookie/Pixel Walls Coming? If all pixels and cookies could give rise to litigation, the obvious solution would be to get user consent to place them. (Facebook’s consent defense wasn’t timely yet in this case.) Consent could be obtained in a TOS, but who knows if that would be sufficient, especially for random web browsing where users may not agree to a TOS to browse.

Instead, websites could deploy ever-increasingly-intrusive banners (a/k/a “walls”) to every visitor. Europe already mandates cookie walls, and they are widely considered to be a value-subtracting nuisance. Yet, this ruling could prompt more such walls. I don’t think anyone would consider that a win. The walls slow down users and their devices (ironically, way more than any slowdowns from actually installing cookies), they make it harder for visitors to read websites (thus slowing down users more), and they add to the cognitive load of casual web surfing because each visit involves complicated technical and legal choices.

N.D. Cal. Incoherency on Trespass to Chattels. This case reminded me of the Best Carpet Value v. Google decision, where a Northern District of California judge (Judge Davila) went out of their way to find that the trespass to chattels didn’t actually require a chattel. Fortunately, that ruling got corrected on appeal.

Like the Best Carpet Value ruling, this N.D. Cal. judge (Judge Orrick) goes out of their way to find a possible trespass to chattels. But contrast that approach with Judge Chen’s recent decision in a data snarfer case, where he went out of his way to negate contractual restrictions on web scraping–a ruling that facilitates MORE unwanted uses of third-party chattel. Judge Chen had also gone out of his way to dramatically narrow trespass to chattels doctrines in the hiQ case.

So it seems a little hard to square the normative implications of these cases side-by-side. They all address different legal doctrines, but they take philosophically divergent approaches to the legal rights of a chattel owner to exclude usage. I’ve complained before that I have no idea how to teach trespass to chattels to my students any more, and rulings like this reinforce that concern. As I argued over a decade ago, we need to structurally rethink online trespass to chattels.

Case Citation: In re Meta Healthcare Pixel Litigation, 2024 WL 333883 (N.D. Cal. Jan. 29, 2024)