Users of the Flo Period & Ovulation Tracker app (Flo App) who sued Facebook (Meta) and others over the alleged collection and interception of their sensitive data without consent have won a landmark victory after a jury ruled in their favor and found that Meta had violated the California Invasion of Privacy Act.
The Flo App, developed and owned by Flo Health, is one of the most popular health and wellness apps. According to Flo Health, the app is the #1 mobile product for women’s health. At the time the lawsuit was filed, the app had been downloaded more than 180 million times and had over 38 million active monthly users. When individuals download the Flo App, they are asked to enter personal data and answer a series of personal questions about their sexual health, gynecological health, general health and well-being, and menstruation cycles. As they continue to use the app, they are asked to provide further sensitive information, including when they have their period, if they have had sex, whether they masturbated, any health symptoms, and their mood. Flo Health uses the information provided to predict their likely ovulation date and offers tailored health and wellness advice.
Flo Health provided repeated assurances that the information provided would remain private and confidential and would not be shared with any third parties, unless the user provided explicit consent; however, that was not the case, as sensitive data was shared with third parties via software development kits (SDKs) incorporated into the Flo App.
Several class action lawsuits were filed against Flo Health, Facebook, Google, AppsFlyer, and Flurry in response to the data disclosures. The lawsuits were consolidated in 2021 as Frasco v. Flo Health in the U.S. District Court for the Northern District of California. The plaintiffs alleged that “Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants,” through SDKs incorporated into the app. Data was shared with third parties such as Facebook, and could be used to assist with targeted advertising.
Flo Health was also alleged to have incorporated non-Flo defendants’ SDKs into the app and transmitted sensitive information to those companies. According to the lawsuit, “the Non-Flo Defendants, including two of the largest digital advertisers in the world, incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements,” which the plaintiffs allege occurred without their knowledge or consent.
The lawsuit asserted fourteen claims for relief against Flo Health, the Flo defendants, and non-Flo defendants. Google and Flurry previously chose to settle with the plaintiffs, and Flo Health followed suit last Thursday, settling for an undisclosed sum. Meta chose not to settle, and the trial proceeded to a jury verdict. The jury was asked to answer three questions, unanimously answering yes to the first two questions and no to the last.
- Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device?
- Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded?
- Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it?
The verdict could help to rein in tech firms’ collection of sensitive user data for use in targeted advertising. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” explained the plaintiffs’ lawyers in a statement about the verdict. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”
Meta vigorously disagrees with the outcome of the trial, is exploring all legal options, and will likely appeal. “The plaintiffs’ claims against Meta are simply false,” according to a statement from Meta. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.
Hundreds of class action lawsuits have been filed over the use of tracking tools on websites and health apps, and there has been a flurry of settlements in recent weeks. It is rare for these lawsuits to proceed to trial due to the risk of verdicts such as this, with most defendants opting to limit their financial exposure by settling the litigation. Many of those lawsuits have yet to be resolved, including several complaints against Meta.
The post Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data appeared first on The HIPAA Journal.