What to Do If Your Website or App Collects User Health Data: Lessons Learned from the Jury Finding Against Meta in the Flo Privacy Case
A California jury found that Meta violated California’s 1960s-era wiretapping law, the California Invasion of Privacy Act (“CIPA”), through its unauthorized collection of sensitive health data from users of the popular period-tracking app (the “Flo App”) made by Flo Health, Inc. (“Flo”). Meta has since petitioned the court to overturn the jury’s verdict.
For now, the verdict stands as a warning for companies whose websites or apps collect or track consumer health data, even if such data may be considered “de-identified.”
Lessons Learned from the Verdict Against Meta
The verdict against Meta in Frasco v. Flo Health, Inc., et al. No. 21-CV-00757-JD (N.D. Cal., filed Jan. 29, 2021) sends a strong signal to digital health companies whose websites or apps handle consumer health data, even those outside HIPAA’s scope. Key compliance takeaways include:
- Explicit and Informed Consent Is Necessary
If health-related information is collected and/or shared, the privacy policy should clearly explain what health data is collected, who it is shared with, and for what purposes.
Obtaining affirmative consent – such as requiring users to actively check a box before proceeding – is highly recommended.
- “De-Identified” Data May Still Be Health Data
Device-linked health data, even without names or email addresses, may still be considered personal and sensitive if such data could reasonably be re-linked to an individual.
- Third-Party Tracking May Create Liability
Embedding software development kits (“SDKs”), pixels, or analytics or advertising tools that transmit sensitive data to external parties can expose both the app developer and the third party to liability. Again, obtaining affirmative user consent is recommended.
More Details – The Verdict
The class action lawsuit Frasco v. Flo Health, Inc., et al. No. 21-CV-00757-JD (N.D. Cal., filed Jan. 29, 2021) named Flo, Google, Meta, and analytics company Flurry as co-defendants. Plaintiffs alleged that Flo, through the Flo App, unlawfully shared users’ sensitive health data – including menstrual cycle, ovulation, and pregnancy-related information – with third parties such as Meta, Google, and Flurry for their own commercial use.
Flo transmitted the data via SDKs owned by the non-Flo defendants and incorporated into the Flo App – a practice common across many apps. The SDKs sent users’ “app events” (for example, starting a cycle, logging a symptom, or viewing certain content) to the non-Flo defendants. Although the data was arguably “de-identified,” it could be matched to device identifiers and used to build customer behavioral profiles for targeted advertising.
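The SDK data flow described above, and the third-party tracking takeaway earlier on this page, both come down to one control point: the code path between an app’s own event logger and any embedded analytics or advertising SDK. The following is an added example of such a consent gate written for this page; it is not code from the article, from Flo, or from any SDK vendor. The event names, the sensitivity catalogue, the consent-record shape, and the `sink` callback standing in for an SDK call are all hypothetical. Health-classified events are forwarded only when an explicit opt-in record exists (not an inferred acceptance of a privacy policy), unknown events are treated as health data, and identifier-like fields that could re-link a “de-identified” record to a device are stripped before anything leaves the app.

```javascript
// Added example, not code from the article or any party to the case.
// A consent gate between an app's event logger and every third-party SDK.

// Constructed catalogue: which app events carry health information.
// Anything not listed is treated as health data (fail closed).
const EVENT_SENSITIVITY = {
  app_open: "general",
  screen_view: "general",
  cycle_started: "health",
  symptom_logged: "health",
  pregnancy_mode_enabled: "health",
};

// Property names that can re-link a "de-identified" record to a device or person.
const RELINKABLE_FIELDS = new Set([
  "device_id", "advertising_id", "app_instance_id", "email", "phone",
]);

function sensitivityOf(eventName) {
  return EVENT_SENSITIVITY[eventName] || "health";
}

// Drop identifier-like properties before the payload leaves the app.
function stripRelinkableFields(props) {
  const out = {};
  for (const [key, value] of Object.entries(props || {})) {
    if (!RELINKABLE_FIELDS.has(key)) out[key] = value;
  }
  return out;
}

// Affirmative consent means an explicit opt-in record with a timestamp and
// the policy version the user saw; a missing or default value is "no".
// (Hypothetical consent-record shape.)
function hasAffirmativeHealthConsent(consent) {
  const h = consent && consent.healthSharing;
  return Boolean(
    h &&
    h.optIn === true &&
    typeof h.recordedAt === "string" &&
    typeof h.policyVersion === "string"
  );
}

// Decide whether an event may reach a third-party SDK, and in what form.
// Returns null when the event must stay on-device.
function gateForThirdParty(event, consent) {
  const sensitivity = sensitivityOf(event.name);
  if (sensitivity === "health" && !hasAffirmativeHealthConsent(consent)) {
    return null;
  }
  if (sensitivity === "general" && !(consent && consent.analytics === true)) {
    return null;
  }
  return { name: event.name, props: stripRelinkableFields(event.props) };
}

// Run a batch through the gate; `sink` stands in for the SDK's send call.
// Returns which events were forwarded and which were held back.
function forwardEvents(events, consent, sink) {
  const report = { sent: [], blocked: [] };
  for (const ev of events) {
    const payload = gateForThirdParty(ev, consent);
    if (payload) {
      sink(payload);
      report.sent.push(ev.name);
    } else {
      report.blocked.push(ev.name);
    }
  }
  return report;
}

// Constructed sample batch with identifier fields mixed into the properties.
const SAMPLE_EVENTS = [
  { name: "app_open", props: { device_id: "dev-123", locale: "en-US" } },
  { name: "cycle_started", props: { advertising_id: "adid-9", day: 1 } },
  { name: "symptom_logged", props: { symptom: "cramps" } },
  { name: "unknown_event", props: {} },
];

// Usage: a user who accepted general analytics but never opted in to
// health-data sharing. Only app_open reaches the SDK, with device_id removed.
const policyOnlyConsent = { analytics: true };
console.log(
  forwardEvents(SAMPLE_EVENTS, policyOnlyConsent, (p) => console.log("to SDK:", p))
);
```

The design choice worth noting is the fail-closed default: an event the catalogue does not recognise is treated as health data, so a newly added screen or symptom type cannot silently start flowing to a third party before someone classifies it. The identifier stripping is independent of consent; even an opted-in user’s events leave without the device-level fields that made the Flo data re-linkable.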
Plaintiffs argued that this data sharing constituted illegal interception of private communications between the users and Flo’s servers, in violation of CIPA. None of the defendants, per Plaintiffs, obtained adequate user consent for the sharing or use of the data. Plaintiffs also asserted that Flo repeatedly assured users that their health data would remain private and confidential.
Flo contended that its privacy policy and terms of service adequately disclosed the use of third-party analytics, including via SDKs, and that users implicitly consented to the described data sharing. Plaintiffs countered that, for sensitive health data, implicit consent is insufficient.
Defendants argued that data shared via the SDKs was “de-identified” and thus not personal. Plaintiffs disagreed, presenting evidence that the data contained elements such as device or app-instance identifiers that could be re-linked to individuals.
Before the jury reached its verdict, Flo, Google and Flurry settled with Plaintiffs. Meta, however, proceeded to trial and lost.
The jury found that Meta intentionally eavesdropped on and/or recorded private communications from the Flo App, that users had a reasonable expectation of privacy, and that Meta lacked the consent of all parties. The verdict could expose Meta to substantial financial liability, as CIPA allows damages of up to $5,000 per violation.
Overall, the Flo verdict serves as a cautionary tale for digital health companies. Even when not subject to HIPAA, implementing robust privacy policies and obtaining affirmative user consent for the collection and use of sensitive personal information are strongly recommended to help protect companies from potential liabilities when consumer health data is at stake.