Jury Rules Meta Violated California Privacy Law by Collecting Health Data

A federal jury found that Meta (Facebook’s parent company) violated the California Invasion of Privacy Act (CIPA). Users of Flo, a period-tracking app, filed the class-action lawsuit. The plaintiffs argued that Meta collected health data from Flo without consent and used it to facilitate ad-tracking.

The class-action lawsuit named Flo Health, Google, and Meta as defendants. Flo and Google reached settlements before the trial concluded, leaving Meta as the only defendant for the jury verdict.

Privacy Violations Alleged in the Lawsuit

The Flo app uses artificial intelligence to provide advice and assistance related to women’s health. Features include an ovulation calendar, period tracker, pregnancy guide, and wellness and lifestyle tracker. To use the app, users provide personally identifiable information, including name, date of birth, email address, and physical address. Users also provide information about their sexual health and habits, gynecological health, and general health, such as dieting habits and whether they have any reproductive diseases.

Flo assured its users that their health data was protected and would not be disclosed to third parties. The company’s Privacy Policy stated: “WILL NOT TRANSMIT ANY OF YOUR PERSONAL DATA TO THIRD PARTIES, EXCEPT IF IT IS REQUIRED TO PROVIDE THE SERVICE TO YOU (E.G. TECHNICAL SERVICE PROVIDERS), UNLESS WE HAVE ASKED FOR YOUR EXPLICIT CONSENT.”

The plaintiffs alleged that Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ data to third parties, including Google and Meta. Flo disclosed the health information through “software development kits” (SDKs) that it incorporated into the Flo App. The company incorporated Facebook’s SDK to use Facebook’s analytics tools to identify which of its users would be prime targets for advertisements based on the data they entered into the app. Flo also used Google SDKs. Through the use of the SDKs, Flo transmitted health data to Facebook and Google, including when a user indicated that they were on their period or intended to get pregnant, contradicting its Privacy Policy. Meta and Google incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements. The lawsuit alleges Meta knew the data it was receiving from Flo contained health data, but it didn’t stop the flow of data.

The jury agreed with the plaintiffs that:

• Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device.
• The plaintiffs had a reasonable expectation that the conversation was not being overheard and/or recorded.
• Meta did not have the consent of all parties to the conversation to eavesdrop on and/or record it.

The financial penalty in the case is yet to be determined.

The California Invasion of Privacy Act

The California Invasion of Privacy Act (CIPA) is a law designed to prevent unauthorized surveillance and recording of private communications. The law was originally focused on wiretapping, but as technology has advanced, it has been applied to digital tools like website tracking, cookies, and live chat features. 

Web Trackers and Privacy Risks

Lawsuits against businesses for using digital tools like SDKs or the Meta Pixel are adding up fast, especially in cases involving health data. Other notable cases include:

• Aspen Dental will pay more than $18 million to settle claims it violated privacy rights with the use of tracking pixels.
• BJC Health System settled a web tracking lawsuit for $9.25 million.
• GoodRx agreed to a $25 million class action lawsuit settlement.

Companies should be aware that courts are still interpreting these use cases, and risk mitigation is a moving target. Risk mitigation techniques include:

1. The removal of tracking technology (not reasonable).
2. A notification of the tracking technology and clear opt-out instructions.
3. Only sharing and relying on tracking with the consumer’s consent to do so.

SDKs vs Pixels

SDKs and pixels are both web tools used for advertising, analytics, and app functionality, but they operate differently. An SDK is a bundle of code libraries, tools, and documentation that developers install into a mobile app or software product. It adds functionality within the app, such as analytics tracking, advertising, login capabilities, or payment processing. Because SDKs live within the application’s codebase, they can collect real-time data about user behavior, device information, and events that occur when the app is being used.

A pixel is a piece of code embedded on a website or in an email. When the page or email loads, the pixel fires, sending basic information (page views, device type, whether an email was opened, etc.) back to a server. Pixels are easier to implement than SDKs, but they typically collect less detailed information and are limited to web-based or email environments.

CompliancePoint offers Cookie Management Services to help businesses ensure the privacy and consent functionality of their websites comply with all data privacy and consumer protection laws. Reach out to us at connect@compliancepoint.com to learn more.