The Non-Financial Ledger: What Was Actually Taken

There are conditions men rarely talk about, even in private. Erectile dysfunction. Low testosterone. Weight struggles. The shame attached to these conditions is not imaginary. It has been documented in medical literature and reported by major health institutions. Social stigma keeps men from seeking care. That stigma can cause real physical harm: delayed treatment, worsening conditions, shortened lives.

Gameday Men’s Health built its entire brand around breaking through that stigma. They told men: come to us, we specialize in this, you can trust us. They promised the men who showed up — digitally, at the appointment-booking page — that their information was secure. That promise is embedded in the company’s own website interface.

Then they wired the room.

The moment a man typed his name, his phone number, his email, and selected “testosterone health” or “erectile dysfunction” as his reason for the appointment, that information left the building. Not later. In real time. Before he even hit submit. It went to Google, which can match it to his full advertising profile using browser fingerprinting techniques that researchers have shown identify users with 99.24% accuracy. It went to TikTok, a platform that — according to its own commercial terms — claims a worldwide, sublicensable license to use anything it receives. And it went to Zeta Global, a data broker sitting on 240 million consumer profiles and 900 million active emails, which Gameday had already agreed in writing could use the data “for its own business and marketing purposes.”

The plaintiff in this case — identified in court documents only as A.P. to protect his privacy, because the system that was supposed to protect his privacy failed — booked four separate appointments through the website between January and March 2025. He trusted the process. He provided his name, his email, his phone number, and the intimate reason he needed medical help. He trusted the screen in front of him when it said his information was secure.

After his first booking, he started seeing ads. Targeted ads for men’s health products. He didn’t know why. He had no way of knowing why. No notification was sent. No consent was asked. No disclosure was made. The complaint states explicitly: “Plaintiff would not have made an appointment on the Website if he knew Defendant was sharing his PHI with unknown third parties.”

The men who used this website were seeking help for conditions they might not have told their closest friends about. They came to a healthcare provider operating under the legal and ethical framework of medical confidentiality. What they got was a surveillance apparatus running silently in the background of their most private moments, packaging their vulnerability into a data product, and selling access to it.

That is what was taken. Not just data. The right to seek medical help without being watched.

Legal Receipts: What the Documents Actually Say

The following are verbatim statements drawn from the class action complaint (Case No. 3:26-cv-00433) and the sources it cites. These are the words of the company, its partners, and the regulators watching them.

Societal Impact Mapping

Public Health: When Surveillance Kills Care

The harm caused by medical data surveillance extends beyond the individual patient whose data was stolen. When men learn their health information is being sold to advertisers, they stop seeking care.

• The complaint cites documented research showing that social stigma around men’s health conditions — including erectile dysfunction and low testosterone — already deters men from seeking timely medical help. Gameday’s tracking practices add a surveillance deterrent on top of an existing stigma deterrent, compounding the barrier to care.
• Conditions treated at Gameday locations — low testosterone, erectile dysfunction, weight management — are not cosmetic. Untreated low testosterone is associated with cardiovascular disease, metabolic disorders, and depression. When data breaches scare patients away from treatment, the downstream health cost is clinical, not just emotional.
• The complaint explicitly states: “When patients know their information is secure, they are more likely to pursue important health services.” The inverse is also true and documented: perceived insecurity in healthcare privacy systems reduces care-seeking behavior across entire patient populations.
• Gameday’s website offers treatment for GLP-1 medications (weight loss drugs), bremelanotide (used for hypoactive sexual desire disorder), and peptide therapies including drugs that affect hormonal and metabolic systems. The sensitivity of these treatment categories makes unauthorized disclosure particularly damaging to patient trust in digital healthcare infrastructure at large.

Economic Inequality: The Surveillance Tax on the Medically Vulnerable

The patients harmed by this scheme lacked any meaningful ability to detect, prevent, or opt out of the tracking. The corporations who benefited from it had every advantage.

• Google’s tracking pixel and DoubleClick API, TikTok’s Pixel, and Zeta’s tag network are invisible to the average website visitor. The complaint explicitly notes: “The Tracking Technologies are entirely invisible to a website visitor.” There was no notification, no consent dialogue, and no mechanism for patients to protect themselves.
• Unlike cookies, browser fingerprinting — which Google employs on the Gameday website — cannot be blocked or cleared by the user. Researchers demonstrated in 2017 that browser fingerprinting successfully identifies 99.24% of all users. Patients had no technical recourse against a tracking mechanism that is literally impossible to opt out of.
• Zeta’s database, expanded through its 2024 acquisition of LiveIntent, contains over 100 million home IP addresses and over 400 million offline records. This means Zeta can match a Gameday patient’s digital appointment data to their physical home address without the patient taking any additional action. The scale of this infrastructure dwarfs anything an individual consumer could oppose.
• The statutory damage structure ($5,000 per violation under CIPA) may sound significant for individuals, but Google’s 2021 advertising revenue alone was $209.5 billion. The economic asymmetry between what these companies earn from surveillance data and what patients can recover through litigation is structurally enormous.
• The class action mechanism exists precisely because individual patients cannot afford the legal cost to challenge this system alone. The complaint estimates “at least thousands” of class members. Even at modest numbers, combined CIPA exposure could reach nine figures, which is why this case exists as a class action rather than individual suits.

The Machine This Fed: Google’s Ad Revenue Engine

Patient data collected from websites like Gameday’s feeds the most profitable advertising infrastructure in human history. These are the documented revenue figures cited in the complaint itself.

The “Cost of a Life” Metric

California law sets the statutory floor for each privacy violation at $5,000. Here is what that number means relative to what it enables.

What Now? Who to Push and How to Fight Back

This case is active in the Northern District of California. There are regulators with authority to act, and there are things people can do right now at the individual, community, and organizational level.

Leadership Named in the Lawsuit

• Defendant: Ream Franchise Group LLC, doing business as Gameday Men’s Health. Principal place of business: Carlsbad, California. Operates 400+ franchise locations and the gamedaymenshealth.com website.
• Plaintiff’s Counsel: Sarah N. Westcot, Bursor & Fisher, P.A., 701 Brickell Ave, Suite 2100, Miami, FL 33131. Case No. 3:26-cv-00433 (N.D. Cal.).
• Corporate leadership of Ream Franchise Group LLC is [REDACTED – Not in Source Material]. For regulatory complaint purposes, direct correspondence to the company at its Carlsbad, California principal office.

Watchlist: Regulators With Authority Here

• Federal Trade Commission (FTC): The FTC issued guidance in July 2024 explicitly warning that hashing does not anonymize data and that companies using this defense face enforcement action. The FTC has authority over deceptive practices under Section 5 of the FTC Act. File a complaint at ftc.gov/complaint.
• California Attorney General (CAG): The California AG enforces the California Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act, and the California Privacy Rights Act — all of which are cited in this lawsuit. Submit complaints through oag.ca.gov.
• California Privacy Protection Agency (CPPA): The CPPA is the dedicated state body enforcing the CPRA. Gameday’s practices implicate the CPRA’s expanded protections for health and sexual orientation data. Contact the CPPA at cppa.ca.gov.
• Department of Health and Human Services Office for Civil Rights (HHS OCR): If any aspect of this case involves HIPAA-covered data transmission, HHS OCR has jurisdiction. File a HIPAA complaint at hhs.gov/ocr/complaints.
• U.S. District Court, Northern District of California: The active case (No. 3:26-cv-00433) is before Judge Haywood S. Gilliam Jr. Public docket accessible via PACER at pacer.gov.

Mutual Aid, Local Organizing, and Direct Action

• If you used gamedaymenshealth.com to book an appointment: Document everything. Screenshot any targeted ads you received after booking. Note the dates and platforms. This documentation could be relevant to the class action. Contact Bursor & Fisher, P.A. directly at swestcot@bursor.com to inquire about class membership.
• Audit every healthcare website before booking: Use a browser extension like uBlock Origin or Privacy Badger to identify third-party trackers on any healthcare website before you enter personal information. If you see Google Analytics, TikTok Pixel, or Zeta domains loading on a medical site, do not submit a form until you have confirmed their privacy policy addresses these tools.
• Support digital rights organizations: The Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC) both litigate and advocate on healthcare data privacy. Donating, volunteering, and amplifying their work directly supports the legal infrastructure that makes cases like this one possible.
• Push your state representative: California has stronger privacy laws than most states precisely because advocates pushed for them. If you live outside California, contact your state legislature and demand a state-level equivalent of CIPA and CMIA. The federal Electronic Communications Privacy Act has not been substantively updated since 1986; contact your U.S. senators and representatives to demand a modern federal privacy law for medical data.
• Talk about it publicly: Social stigma around men’s health conditions is part of how this surveillance scheme works. Men who feel ashamed of seeking care are less likely to demand privacy protections. Breaking the silence around these conditions is a concrete political act that makes the entire patient population harder to exploit.