
Episode 172: Considering Cookies as a Source of ESI is Here. Are you Ready?

In Episode 172, Kelly Twigger discusses when a party is entitled to cookies from a party’s device or browser and how the court ordered the parties to meet and confer to find a solution to producing them in In re Meta Pixel Healthcare Litig.


Introduction

Welcome to our Case of the Week segment of the Meet and Confer podcast. My name is Kelly Twigger. I am the Principal at ESI Attorneys, a law firm for ediscovery and information law, and the CEO and founder at Minerva26, where we take the insights from our practice and provide a strategic command center for you to leverage the power of Electronically Stored Information (ESI). Thanks so much for joining me today.

Case of the Week Episode 172

Our Case of the Week segment is brought to you in partnership with ACEDS, and each week I choose a recent decision in ediscovery case law and talk about the practical considerations for counsel to apply in their practice and for other legal professionals handling ediscovery issues to know about. In general, we try to create what we call issue spotting, so making you aware of things you need to think about so when they come up for you, you can identify and put these practical lessons into use.

This week’s decision is from the incredibly dispute-intensive class action against Meta, titled In re Meta Pixel Healthcare Litig. We’ve covered other decisions from this matter on Episodes 115 and 118 on the Case of the Week, and this one keeps United States Magistrate Judge Virginia DeMarchi very busy — much to her chagrin, I’m sure.

This week’s decision comes to us from April 24, 2025, and we are before Magistrate Judge DeMarchi on a motion to compel. As always, we add the issues to each of the decisions in our Minerva26 case law database, and the issues this week include failure to produce, protective order, proportionality, medical records and privacy.

Facts

All right, what are the facts of the case before us?

Well, as I mentioned, we’re on a motion to compel before Judge DeMarchi. The motion was brought by Meta, seeking to require the plaintiffs to produce documents showing the cookies on their devices and browsers. The background of this particular litigation is that plaintiffs are claiming that, by having the Meta Pixel on their healthcare websites, Meta is collecting private information about their healthcare that it shouldn’t be, and so that’s the basis of the allegations here in a very simplified form.

If you’re not familiar with cookies, let’s take a minute and understand what that technology is. You’ve seen the term a ton of times since GDPR came up a few years ago. You’ve seen the little banners at the bottom of every website you visit where you have to accept cookies, either on a limited basis or on a total basis, or to decline to accept cookies. When you accept those cookies, the website stores a small text file on the user’s computer or device when they visit the site. So every time I go to visit facebook.com or Instagram.com, it’s using that cookie to detect who I am and apply that data to what actions I’m taking. So Meta is collecting all of that information.

From a definition standpoint, a web cookie is a small text file that a website stores on the user’s computer or device when they visit the site, just like I mentioned. Those cookies are used to store information about the user’s activity on the website, such as their login credentials, shopping cart contents and preferences. Even if you use a password manager, that password manager is using cookies to be able to decide what username and password should be input on that website when you go to it.

When you look at that little banner on the bottom that I mentioned and there’s a pop-up asking you to accept cookies, when you click accept, the website sends a cookie to your browser. Now every time you visit that site, the browser sends the cookie back to the server and allows the website to recognize the user and recall information that the user may have left there.

There are multiple types of cookies and many uses for them. Cookies can be used to track user activity across multiple websites and they can collect personal information. Many web browsers now offer options to control cookie usage and allow for blocking third-party cookies. You’ve seen a lot of this before in re-targeting, for example. When you go onto Amazon and you look for a particular product and then you start visiting other websites across the internet, you start seeing ads pop up for that same item that you visited on the website. White House Black Market is one of my favorite stores and I see a lot of re-targeting from White House Black Market for items that I look at.

Meta has its own third-party cookie that many businesses use to track website visitors and measure the effectiveness of their Facebook and Instagram ads. So, we’re back now to the specific cookie that is at issue here in the In re Meta Pixel Healthcare Litigation, and that’s Meta’s third-party cookie. That cookie is called the Meta Pixel. The Meta Pixel is an analytics tool that measures how effectively your Facebook ad campaigns drive actions on your website. It also has multiple use cases that include tracking website visitors, in which the Meta Pixel is placed on a website and triggers when users interact with it. This allows businesses to track which pages users visit, how long they stay and which links they click, and a lot of marketers use that information to drive folks to specific content on their websites, get them to download content and things like that.

The Meta Pixel can also be used to understand user behavior. So, by tracking that user behavior, businesses can gain insights into what content is most popular, which calls to action are the most effective, and which products or services are the most popular. The Meta Pixel can also be used to improve ad targeting, so the data collected by the Meta Pixel can be used to optimize the reach of Facebook and Instagram ads by targeting specific audiences. I would also include that it can be done on WhatsApp, because WhatsApp has advertising now and that is also owned by Meta.

The Meta Pixel can also be used to build custom audiences, measure campaign effectiveness, or do re-targeting, just like I mentioned. With retargeting, the pixel allows businesses to show ads to users who have previously visited their website, encouraging them to revisit the website and complete desired actions.

From my perspective — this is not in the Court’s decision — what’s critical here to remember is that using the Meta Pixel is a choice made by the company or the person that owns the website that users visit. For example, if ABC Company sells widgets and they also sell via ads on Facebook or Instagram or WhatsApp that Meta owns, then that ABC company may install the Meta Pixel on their website. That pixel then, in essence, acts as a bridge between their website and Meta’s advertising platform, providing valuable data that allows you to improve your ad campaigns and reach your target audience effectively.

Not having gone through the complaint in this case, I don’t know how far it stems, but in effect, Meta gathers all of that data by virtue of your internet usage via cookies, and then Meta has all of that in its backend database and it sells that information to partners. So all of the information about what you’re creating on the internet is being collected via this Meta Pixel to Meta, and then Meta sells that to all of their partners to allow them to target you effectively for advertisements.

In this particular litigation, Meta asked the plaintiffs to produce all of the documents showing “the cookies on [plaintiffs’] devices and/or browsers for every device and browser plaintiffs used to access their healthcare providers’ websites and patient portals.” Now if, for some reason, you’re one of the lucky people who is not familiar with medical website portals, all healthcare companies now have set up portals for you to be able to access for each doctor’s practice that you visit, and I alone have multiple medical portals that I manage for me and for my children, and they are each an individual website I have to visit. So if the healthcare provider for that portal has added the Meta Pixel to that website, then that information from that portal can be collected. And so a big part of this litigation is understanding whether or not there’s harm that has come to plaintiffs from collection of that information via the Meta Pixel from their healthcare websites.

The plaintiffs’ allegations here are key, and that is that they allege that Meta uses the pixel to collect plaintiffs’ and class members’ health information and then uses that information to facilitate targeted advertising to plaintiffs and putative class members, causing them harm. Pretty much what I already told you.

Plaintiffs also allege that Meta is solely responsible for this conduct and the resulting harm. Now, given what I told you already that it is incumbent upon the healthcare provider to use the Meta Pixel in order to allow Meta to collect the data, we’ll see how that plays out in the litigation, but that raises some questions from my perspective.

But you can see right away from the request, and from everything that I’ve told you about cookies, that the cookie data requested is relevant to the allegations of plaintiffs’ complaint in that: (1) plaintiffs have health portal websites that have the pixel enabled and (2) whether there are other cookies on their health portals that are also tracking information, such that Meta is not the only party engaging in the alleged behavior.

So, we’ve got relevance, and we’ll talk about whether the Court sees it the same way in a minute. But pay attention to the scope of Meta’s request. It sought “all” documents showing the cookies on plaintiffs’ devices and/or browsers for every device and browser that the patients use to access their healthcare providers’ websites and patient portals. It didn’t limit it just to the cookies on the healthcare websites. It included all cookies. And, if you’re a frequent user of the internet, your cookie history probably has thousands and thousands of records in it, and that’s for each plaintiff and then for each browser.

Meta identified three bases of why it needed this cookie data from the plaintiffs:

  1. Meta needed the cookies to defend against plaintiffs’ contention that Meta is solely responsible for the collection and use of plaintiffs’ confidential health information for targeted advertising.
  2. Meta needed the data to defend against plaintiffs’ contention that Meta’s actions solely caused the harm.
  3. The cookie data would show whether and to what extent there are variations between class members’ acceptance or tolerance of non-Meta third-party cookies that collected and shared their health information.

That last argument is, according to Meta, really crucial to its arguments of class certification, because class certification has those four requirements and whether or not the claims are similar to all of the plaintiffs in the class is very relevant for class certification. So if certain members of that putative class said no to cookies and didn’t allow the Meta Pixel on their healthcare websites, then they, of course, probably are not likely to be included in that class. So, that behavior from those individual plaintiffs is very crucial and that can be shown through the cookies.

In response to Meta’s arguments, the plaintiffs countered that:

  1. The data was not relevant because Meta did not plead an affirmative defense predicated on non-Meta cookies and Meta never mentioned such cookies in responding to an interrogatory about its factual and legal bases for opposing class certification.
  2. Meta’s request was overly broad, because it asked for all cookies, including the ones that have nothing to do with the collection or sharing of health-related information, and some of those irrelevant cookies may have serious privacy implications.
  3. The plaintiffs argued that Meta blew the timing for a response by failing to respond to plaintiffs’ objections for more than a year, and because any protocol to identify potentially relevant cookies that might have been established at this late date would unduly delay the case schedule.

Those are the arguments and the facts we have before us.

Analysis

Let’s talk about the Court’s analysis. It’s pretty straightforward here. Right out of the gate, Magistrate Judge DeMarchi found that:

To the extent Meta seeks documents showing all third-party cookies on plaintiffs’ devices and/or browsers that collected or shared health information—i.e., the same kind of data at issue in this case—such discovery is clearly relevant to plaintiffs’ claims and Meta’s defenses.

The Court went on to reject plaintiffs’ argument that Meta was required to plead an affirmative defense and found that neither an affirmative defense nor mention of non-Meta cookies was a necessary condition to develop evidence regarding the essential elements of plaintiffs’ claims. But the Court did agree with plaintiffs that the scope of the request was overbroad and limited the discovery of cookie data to that which “collected or shared health information”, just as what was at issue in the case, and not the full production of all cookies on plaintiffs’ devices or browsers.

But the scope was a tough issue for the Court because, as Meta identified, there is difficulty in how to identify relevant non-Meta cookies from among the thousands or tens of thousands of third-party cookies that plaintiffs say their devices and browsers have. Meta explained to the Court that there are hundreds of thousands of possible cookies and that, absent some information about the kinds of cookies that plaintiffs have, the only way Meta’s experts could determine which other third-party cookies could have collected and transmitted plaintiffs’ health information is to examine all of the cookies on plaintiffs’ devices and browsers. Plaintiffs responded that Meta never proposed any kind of reasonable protocol for distinguishing relevant cookies from irrelevant cookies and, even if Meta had done so, plaintiffs object to undertaking the effort to implement such a protocol. There’s a little bit of irony there and we’ll talk about that in a minute.

At that point the Court really expressed its disapproval that the parties were not able to meet and confer to at least narrow the issues of this dispute, but declined to fault Meta for waiting to bring the dispute to the Court by relieving the plaintiffs of their obligation to produce relevant documents.

Following that analysis, the Court ordered Meta to identify “objective criteria plaintiffs may use to facilitate the identification of relevant and responsive cookies.” Plaintiffs then have two choices: rely on the objective criteria identified by Meta to facilitate the identification of relevant and responsive cookies, or, if they decide not to rely on Meta’s objective criteria, plaintiffs must produce the entire list of third-party cookies on plaintiffs’ relevant devices and browsers. To address privacy concerns, the Court ordered the parties to meet and confer on additional protections to be added to the protective order in the matter.

So, the Court’s order here leaves the parties with more work to be done and with Meta to start the process by providing some sort of objective criteria to be able to identify the cookies that it deems are relevant, and the plaintiffs to either choose to follow that objective criteria or just provide all of the cookies.

Takeaways

All right, what are our takeaways here?

Well, I’m going to start with this. It’s kind of surprising to me here that the plaintiffs built an entire lawsuit specifically alleging that Meta used its pixel to collect plaintiffs’ and class members’ health information, and then objected to providing the very information from plaintiffs that those plaintiffs’ counsel would have to use to show that they were harmed.

Perhaps it was the breadth of the request that the judge subsequently narrowed that was the issue. But I have to agree with Magistrate Judge DeMarchi when she expressed frustration at the parties not being able to come to a resolution here themselves. Meta’s argument that there are cookies that can be disguised as healthcare platforms that the plaintiffs won’t readily identify is a good argument, and so it will remain to be seen if Meta can provide plaintiffs with a list of terms or sites that will capture what is needed, what they actually want, to be able to determine the issues they’re trying to on class certification and on the merits going forward.

The process that the Court has ordered — and, essentially, the parties really forced the Court to order — seems very fraught to me. It’s a bit like trying to guess search terms to provide to the other side. And if you’re a regular here on Case of the Week, you know that I advocate very strongly for the position that search terms should come from the party with the data, and in this case that’s the plaintiffs.

So Meta essentially has to guess or come up with a very comprehensive list of healthcare providers or websites that may utilize cookies for all of the plaintiffs. I’m going to guess that this may be one that we see back in front of Magistrate Judge DeMarchi, when the plaintiffs aren’t necessarily able to reach some kind of resolution with Meta.

It also seems to me that this is an area of ESI that plaintiffs should have anticipated, and I see a pretty easy middle ground to get here using an approach that’s really similar to sampling, which is widely adopted in ediscovery. If plaintiffs provided the full cookie report from browsers and devices for a set of plaintiffs to Meta’s experts and let Meta identify which are relevant, then allow the plaintiffs to refute that where necessary, the parties could have come to a little bit more of an agreed upon plan as to exactly how to do this. So you could do that for one or two plaintiffs, come up with a plan for how to make it work, and then be able to apply that to the rest of the plaintiffs.

It gets complicated, though, because of technology. The process of providing cookies is not straightforward. Cookies have their own metadata fields, and more than one of those fields may be implicated in determining relevance. Plus, we’re also talking about providing them from all browsers and all devices from each plaintiff. That means if a plaintiff uses Safari, which is the default browser on their iPhone, and Chrome and Firefox on their laptop, counsel would need to filter and collect cookies from each place for each plaintiff, and that’s a different process for each browser on mobile devices and on computers.

So, if I’ve got two computers and five browsers total that I use on those two computers, plus a phone or multiple phones, or an iPad, and then I’ve got browsers that I use there, you may have to collect them from all devices. It really depends on the browser functionality, whether they’re synced, etc., etc. There are a myriad of different technical issues that would determine what kind of collection needs to be done and what the scope of it is for this kind of ESI. Here is a link to a list of metadata fields that you’ll need to access via Chrome just to get a sense of what kinds of things we’re talking about.

The form of production is also going to be an issue by browser and device. In Chrome, for example, exports of cookies will be in JSON format and that will have to be converted to something readable to produce. Can you just provide a JSON format to the other side? Is that going to be reasonable under Rule 34? That’s something the parties are going to have to work out. It’s going to be something they have to negotiate, and it’s part of why they should have undertaken this process at the outset of the litigation.
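An added example, not from the episode or the Court’s order: the Python below takes a JSON cookie export, keeps only the cookies whose domain matches a list of agreed objective criteria, and writes a readable CSV with each cookie value replaced by a hash so no live session data is handed over. The field names are assumed to follow the Cookie type of Chrome’s chrome.cookies extension API; the domains, cookie names and criteria are constructed.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample export. Field names assume the chrome.cookies Cookie type
# (expirationDate is seconds since the UNIX epoch and is absent for session cookies).
SAMPLE_EXPORT = json.dumps([
    {"name": "visitor_id", "domain": ".portal.examplehealth.test", "path": "/",
     "secure": True, "httpOnly": False, "sameSite": "lax", "session": False,
     "expirationDate": 1735689600.0, "value": "constructed-value-1"},
    {"name": "sid", "domain": "notexamplehealth.test", "path": "/",
     "secure": True, "httpOnly": True, "sameSite": "strict", "session": True,
     "value": "constructed-value-2"},
    {"name": "uid", "domain": "ads.tracker.example", "path": "/",
     "secure": True, "httpOnly": False, "sameSite": "no_restriction",
     "session": True, "value": "constructed-value-3"},
    {"name": "cart", "domain": "shop.example", "path": "/", "secure": False,
     "httpOnly": False, "sameSite": "lax", "session": False,
     "expirationDate": 1735689600.0, "value": "constructed-value-4"},
])

# Hypothetical objective criteria: domain suffixes the parties agreed on.
CRITERIA = ["examplehealth.test", "tracker.example"]

FIELDS = ["domain", "name", "path", "expires_utc", "secure", "http_only",
          "same_site", "value_sha256"]


def domain_matches(cookie_domain, suffixes):
    """True if the cookie's domain is one of the suffixes or a subdomain of one.

    Matching on a label boundary keeps "notexamplehealth.test" from matching
    the criterion "examplehealth.test".
    """
    host = cookie_domain.lstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def to_row(cookie):
    """Flatten one cookie record into a reviewable row, hashing the value."""
    exp = cookie.get("expirationDate")
    expires = (datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
               if exp is not None else "session")
    value = cookie.get("value", "").encode("utf-8")
    return {
        "domain": cookie["domain"],
        "name": cookie["name"],
        "path": cookie.get("path", ""),
        "expires_utc": expires,
        "secure": cookie.get("secure", False),
        "http_only": cookie.get("httpOnly", False),
        "same_site": cookie.get("sameSite", ""),
        # The hash lets both sides confirm a row against the original export
        # without the produced file carrying the cookie value itself.
        "value_sha256": hashlib.sha256(value).hexdigest(),
    }


def filter_export(json_text, suffixes):
    """Return rows for the cookies in the export that meet the criteria."""
    wanted = [s.lstrip(".").lower() for s in suffixes]
    return [to_row(c) for c in json.loads(json_text)
            if domain_matches(c["domain"], wanted)]


def to_csv(rows):
    """Render the rows as CSV text with a fixed column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(filter_export(SAMPLE_EXPORT, CRITERIA)))
```

The same filter would need a separate loader for each browser and device, since each stores and exports cookies differently.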

Could a protocol for a production of this type of data have been useful, as plaintiffs suggest? Absolutely. But protocol in the context of asymmetrical litigation is a very heavy word and it is often very fraught because the process of negotiating a protocol often gets drawn out and imposes unreasonable expectations that were not contemplated by the Federal Rules of Civil Procedure. Oftentimes, I think that plaintiffs’ counsel need to be sensitive to that fact and try to work with it, but ironically, here it’s Meta that really has to be the one sensitive to that and try to help work out a protocol, because they’re the ones that want the data from the plaintiffs from a variety of devices, from a variety of browsers, and there’s a different process for each of those that has to be undertaken. That’s not going to be an inexpensive task for plaintiffs to meet.

There is no mystery to the fact that when every dispute has to come before the court, as it seems to be in this case, the judge is going to split the baby and, in many cases, lose patience with the parties and express frustration, the way that Magistrate Judge DeMarchi did here. She always seems to hold up well in the decisions in this matter, but this is a job for the lawyers and not the judge, and when the lawyers don’t do their jobs and the judge has to do it for them, you end up with an imperfect process, and that’s what we have here.

So, this decision leaves us with several lessons to take away.

One, lawyers are best situated to determine the most effective course of action forward, and you need to drop the swords and negotiate a resolution that works best for both parties. When you can’t get completely there, take a more refined approach to the judge. I mean here, let Meta have the browsing history of, maybe, the two named plaintiffs — and I’m literally just making this up off the top of my head. Let them have the browsing history of two named plaintiffs from two different devices and let them determine, based on Chrome browsing history or Safari browsing history, what we’re looking for. Help them create a set of objective criteria that’s going to be reasonable to apply across all of these plaintiffs. I mean, you’ve got to think about this. How many healthcare systems are there in the United States that these plaintiffs may be a part of? How many different healthcare providers’ patient portals might they have? If you’ve got somebody who’s as healthy as it comes, they may only have their GP’s portal. If you’ve got somebody who’s had medical issues, they may have five, six, seven, eight, nine different health portals that they’re accessing that cookies may come from. So, figure out a process that’s going to work. Don’t rely on the court coming up with a process for you when they don’t understand, and aren’t supposed to understand, all of the technicalities of the technology that’s involved in producing cookie data in discovery.

Second, cookies are fair game in discovery only when they are relevant. How you go about getting them is another whole podcast in itself, and it’s a topic that we’ll try to tackle sometime soon here on Meet and Confer.

Third, cookies are a form of ESI that requires a process to identify them and their own special metadata fields to be provided. You’ve got to think about what you want, where you’re going to get it from, what’s the form you’re going to get it in and how you’re going to narrow what can be thousands of inputs from cookies to just the ones that you need.

Conclusion

That’s our Case of the Week for this week. We’ll be moving forward to doing our Case of the Week every other week to make room for other content on our newly branded Meet and Confer podcast, so be sure to tune in for our next episode, whether you’re watching us via our blog, YouTube, or downloading it as a podcast on your favorite podcast platform. You can also find back issues of Case of the Week on your favorite podcast platform and be sure to subscribe, as we’ll be adding new content apart from the Case of the Week segments.

As always, if you have suggestions for a case to be covered on the Case of the Week, drop me a line. If you’d like to receive the Case of the Week delivered directly to your inbox via our weekly newsletter, you can sign up on our blog. If you’re interested in doing a free trial of our case law and resource database, you can sign up to get started.

Thanks so much. Have a great week!


