A high-profile trial about data privacy violations by Facebook parent company Meta concluded with a shocking verdict from the jury: Meta violated California’s consumer privacy laws. The lawsuit concerned allegations that Meta unlawfully collected the personal health data of users of the Flo Ovulation & Period Tracker app. Women who use the app are encouraged to enter private details about their health, including sexual activity, birth control, and menstrual cycles. The California jury found that Meta eavesdropped on women as they entered data on the Flo Health app. The precedent-setting judgment could have serious financial consequences for Meta, in addition to shaping the future of data collection in the consumer health industry.
To learn more about the recent data privacy jury verdict against Meta, keep reading this blog.
Lawsuit: Meta Unlawfully Accessed Personal Health Data of Flo Health App Users
Meta Platforms, Inc. is the parent company of popular social media platform Facebook, as well as Instagram and WhatsApp. Meta entered into a partnership with Flo Health, which owns and operates the Flo Cycle & Period Tracker app. According to the class action lawsuit, the app has more than 38 million active monthly users and has been downloaded 180 million times, consistently ranking as the top period-tracking app and the most downloaded health app in the United States.
Software Development Kits (SDKs)
Flo Health’s app used software development kits (SDKs), which is a code commonly utilized by developers for analytics. This code is what allegedly enabled Meta to access the personal information of Flo Health’s users through custom logs.
According to the lawsuit against Meta, the SDK used by Flo Health included 12 “custom app events” that allowed the social media company to gain valuable information about users’ personal health information. Examples of this code cited by the lawsuit included “R_SELECT_LAST PERIOD_DATE” and “R_SELECT_CYCLE_LENGTH.”
When someone first downloads the Flo Health app, they are instructed to provide personal health information by filling out a survey. The questions in this survey ask for extremely intimate details about the users: periods, menstrual cycles, pregnancy due dates, etc. As users continue to access the app, they are encouraged to provide even more information about their health, such as sexual activity, masturbation habits, physical health symptoms, and mental health. This information is supposed to help Flo Health offer user-specific health advice.
Flo Health Privacy Policy
The Flo Health Privacy Policy promised users that the company would only share data that was relevant to the app’s services, operation, and development. The Privacy Policy even underscored the company’s supposed commitment to protecting users’ privacy rights: “Users are trusting us with intimate personal information, and we are committed to keeping that trust.”
Meta, Google, and Flo Health Named as Defendants in Consumer Privacy Class Action Lawsuit
Multiple class action lawsuits were brought against Flo Health, Meta, Google, AppsFlyer (ad analytics company), and Flurry (analytics company owned by Yahoo!) alleging violations of California digital privacy laws. Eventually, those lawsuits were consolidated into one class action: Frasco v. Flo Health.
Most of the companies avoided trial by reaching settlements with the plaintiffs. The lawsuit against Flo Health was settled just before the jury issued its verdict, leaving Meta as the only remaining defendant.
Jury Verdict: Meta Violated the California Invasion of Privacy Act (CIPA)
The plaintiffs in the class action against Meta (Facebook) alleged that the social media company intercepted the intimate health data of people who used the Flo Health app – and that Meta did this without consent. The lawsuit further alleged that Meta eavesdropped on users of Flo Health to record highly sensitive personal information, such as menstruation cycles, pregnancy data, and other protected health information.
Specifically, Meta was accused of violating the California Invasion of Privacy Act (CIPA) by intentionally recording the sensitive health information of millions of women.
Trial & Verdict
The trial took place in the U.S. District Court for the Northern District of California. The jury found that the plaintiffs had a reasonable expectation of privacy when they used the Flo app, including a reasonable expectation that their health information would not be shared with others. Significantly, the jury ruled that Meta violated the California Invasion of Privacy Act (CIPA) by unlawfully harvesting personal health data from users of the Flo Health app without permission.
At the conclusion of the trial, the jury was asked three questions:
- Did the plaintiffs prove that Meta intentionally eavesdropped on and/or recorded their conversations by using an electronic device?
- Did the plaintiffs prove that Flo Health users had a reasonable expectation that their conversations were not being overheard and/or recorded?
- Did Meta have the consent of all parties to the conversations to eavesdrop on and/or record them?
The jury unanimously agreed that the plaintiffs proved, by a preponderance of evidence, that Meta did intentionally eavesdrop on user conversations.
The jury also unanimously agreed that the plaintiffs proved, by a preponderance of evidence, that users of the Flo Health fertility-tracking app had a reasonable expectation that their conversations on the app would not be spied on.
Finally, the jury unanimously agreed that Meta failed to get the consent of Flo Health app users to eavesdrop on their conversations.
Is Meta Liable for $200 Billion in Damages for California Privacy Law Violations?
Although the jury decision against Meta was rendered, the total amount of damages in this case has not yet been determined. Since the plaintiffs stated that there are 38 million class members whose data may have been breached by Meta, the damages could add up to nearly $200 billion. That’s because the California Invasion of Privacy Act (CIPA) imposes penalties of $5,000 for each violation of the statute.
The damages could be even higher because the California Confidentiality of Medical Information Act (CMIA) also imposes statutory penalties of $1,000 per violation.
Additionally, given the scope and scale of the alleged data privacy violations by Meta, the damages could have ramifications for how medical marketers, data brokers, and tech companies use privacy tracking technology in the future.
Data Privacy Verdict Against Meta/Facebook Could Affect Tech & Healthcare Industries
The Meta data privacy verdict could cause alarm bells to ring for tech companies that harvest user data without permission. After the verdict, the plaintiffs’ attorneys issued a statement criticizing Meta and other companies for “covertly profiting from users’ most intimate information.” The attorneys also emphasized the importance of consumers’ fundamental right to privacy, “especially when it comes to sensitive health data.”
Experts predict that health care companies may see the jury decision as a warning to be more careful about how patient health information is collected and who is given access to that information. That’s because the Meta class action jury verdict is a reminder of just how stringent California’s privacy laws are and how difficult it can be for companies to comply with those laws. Going forward, health companies with websites, apps, and other platforms may need to take a closer look at how their websites and products are designed.
Call the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP
If you are a California resident who used an app or website that collected your personal health information, your data might have been exposed. Both state and federal consumer privacy laws may give you a right to bring legal action for compensatory damages. The Los Angeles consumer protection lawyers at Tauler Smith LLP have extensive experience representing plaintiffs in data privacy lawsuits, and we can help you.
Call 310-590-3927 or email us today.
