In naming Flo Health, Inc., Google, Meta, and analytics company Flurry as co-defendants, Plaintiffs alleged that Flo, through the Flo App, unlawfully shared users’ sensitive health data – including menstrual cycle, ovulation, and pregnancy-related information – with third parties such as Meta, Google, and Flurry for their own commercial use. Before the jury reached its verdict, Flo, Google and Flurry settled with Plaintiffs. Meta, however, did not.
Key Issues
Flo transmitted the data via software development kits (SDKs) owned by the non-Flo defendants and incorporated into the Flo App – a practice common across many apps. The SDKs sent users’ “app events” (for example, starting a cycle, logging a symptom, or viewing certain content) to the non-Flo defendants. Although the data was arguably “de-identified,” it could be matched to device identifiers and used to build customer behavioral profiles for targeted advertising.
Plaintiffs argued that this data sharing constituted illegal interception of private communications between the users and Flo’s servers, in violation of CIPA. None of the defendants, per Plaintiffs, obtained adequate user consent for the sharing or use of the data. Plaintiffs also asserted that Flo repeatedly assured users that their health data would remain private and confidential.
Verdict
Flo had a privacy policy and terms of service that disclosed the use of third-party analytics, such as through SDKs, but the jury concluded that these so-called disclosures were not as explicit as sensitive health data requires. The jury also concluded that although the data shared via the SDKs was “de-identified,” it contained elements, such as device or app-instance identifiers, that could be re-linked to individuals.
Lessons
Even when not subject to HIPAA, implementing robust privacy policies and obtaining affirmative user consent for the collection and use of sensitive personal information are important when consumer health data is at stake.
1. Explicit Consent for Third-Party Tracking. Web developers (internal or external) and marketing professionals often embed and use tracking pixels on company websites. Obtaining affirmative user consent may include requiring users, before proceeding, to actively check a box that clearly explains what health data is collected, with whom it is shared and for what purposes.
2. “De-Identified” Data. Device-linked health data may still be considered personal and sensitive if the data can be re-linked to an individual. For this reason, obtaining affirmative user consent is recommended.
This ruling, one of the first against a major tech firm, signals a critical shift in data privacy enforcement, highlighting the risks for companies handling health data, the importance of explicit user consent, and the potential for massive damages in data privacy class actions.