A recent decision from the Southern District of California underscores a point courts have made increasingly clear after the Ninth Circuit’s precedential decision in Popa v. Microsoft: alleging the disclosure of online activity—even activity touching on sensitive health topics—is not enough, by itself, to establish Article III standing.  As the Court put it, the mere allegation that a defendant disclosed “sensitive health related” search terms, without any indication in the search terms that they “were tied to his personal medical history,” cannot establish a concrete injury.  Maghoney v. Dotdash Meredith, Inc., 2026 WL 497402 (S.D. Cal. Feb. 23, 2026) (emphasis added).

The plaintiff in Maghoney alleged that he visited Dotdash’s website, Verywell Health, to research sensitive topics related to his sexual health.  According to the complaint, Dotdash used third-party website tools to capture “sensitive user data,” including the plaintiff’s “searches related to genital warts and the treatment of Sexually Transmitted Infections,” as well as his navigation history, IP address, and device information.  He alleged that this information was disclosed to third-party advertisers without his consent.  Based on this conduct, the plaintiff asserted claims under the federal Wiretap Act, the California Invasion of Privacy Act, the California Confidentiality of Medical Information Act, and the California Constitution.

Applying the Ninth Circuit’s Popa decision, the Court granted Dotdash’s motion to dismiss for lack of Article III standing.  As the Court explained, none of the plaintiff’s four alleged theories of harm rises to the level of “highly offensive” conduct required to establish a concrete privacy injury:

  • Invasion of Privacy. “The alleged dissemination of th[e] search history” was not “highly offensive,” because the plaintiff “merely searched sensitive health related terms,” which did not themselves “reveal details of an individual’s health status or medical history.”  At most, the data was associated with an IP address, but there is “no legally protected privacy interest in an IP address” because IP addresses are “voluntarily turned” to third parties (website operator’s servers) “when internet users visit a website.”
  • Informational Injury.  The plaintiff argued that he suffered an “informational injury” because Dotdash “deprived control over the dissemination of his private online activity,” but this ran into the same problem: it “does not have any common law analogue.”  As Popa explained, the common-law privacy analogues require “highly offensive” conduct, which the plaintiff failed to plead for the same reasons above.
  • Emotional Distress. The plaintiff next claimed he suffered “concrete emotional distress, including anxiety,” but the Court held that plaintiff’s “unadorned allegation of anxiety” was “conclusory at best” and “f[ell] short of showing an injury in fact that is concrete, particularized, and actual.”
  • Future Harm.  Finally, the plaintiff argued that he faced “an increased risk of identity theft” because of the possibility that third parties could tie his identity to his health-related searches.  The Court found that a “future risk of identity theft and digital profiling” was too speculative to be a concrete injury for the purposes of standing.

Divya Bhat

Divya Bhat is a regulatory associate in the firm’s San Francisco office, where she is a member of the Data Privacy and Cybersecurity group. Before joining Covington, Divya clerked for Judge Kea W. Riggs in the U.S. District Court for the District of New Mexico. Her pro bono practice focuses on reproductive rights and immigration matters.

Matthew Verdin

Matthew Verdin focuses on defending clients in the technology and financial services sectors. He has a strong record of delivering wins on behalf of clients in class actions and complex litigation, particularly in privacy and consumer protection lawsuits. Matthew is particularly successful in securing dismissals at the pleadings stage. For example, he won dismissal at the pleadings stage of over a dozen wiretapping class actions involving the alleged use of website analytics tools to collect data about users’ website visits. He also advises companies on managing litigation risk under federal and state wiretapping laws.

Matthew is also dedicated to pro bono legal services. Recently, he helped a domestic violence survivor win a case in the California Court of Appeal. Matthew’s oral argument led to the court ordering renewal of his client’s restraining order just one day later.