Privacy Daily is a service of Warren Communications News.
'Historic' Verdict

Federal Jury Says Meta Violated CIPA in Privacy Case Involving Flo Health App

Meta violated the California Invasion of Privacy Act (CIPA) when it intentionally eavesdropped on users of the health app Flo Health and received sensitive data on users' menstrual cycles and reproductive health, said a federal jury decision Friday that was posted Monday. The plaintiffs alleged Flo transmitted their personal information without user consent to the social media platform and other third parties for commercial purposes.

Flo and Google, defendants in case 21-00757, reached settlements in Frasco v. Flo Health, Inc. before the jury reached a verdict. No details on the settlements were released (see 2508010048 and 2507090063).

The U.S. District Court for Northern California jury agreed that the plaintiffs proved "that Meta intentionally eavesdropped on and/or recorded [the plaintiffs'] conversation by using an electronic device," and that the plaintiffs "had a reasonable expectation that the conversation was not being overheard and/or recorded."

Additionally, the jury found the social media platform didn't have the consent of all parties to the conversation that would legally permit eavesdropping and/or recording.

In an emailed statement, Meta said the plaintiffs' claims against it were false. "We vigorously disagree with this outcome and are exploring all legal options," a Meta spokesperson said. "User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any."

The verdict marked a "historic" day and its cost to Meta may be in the billions, Mike Swift, chief global digital risk correspondent at MLex, wrote in a LinkedIn post. He also said this decision could cause "wider ramifications" for the use of software development kits.

It was a "common sense" decision, said Don Marti, vice president of ecosystem innovation at media company Raptive, in a Monday blog post. "Meta’s failed defense relied on two long bullshit documents," he said. One, that users agreed to the surveillance when agreeing to the platform's terms and services, and two, that "they prohibited Flo from sending them data about user health."

"But the jury applied some common sense to the situation," Marti added. "First of all, nobody reads all the lengthy contracts they agree to ... and second, anyone who has dealt with large platform companies knows that they have one set of written rules, to show to media and regulators, and then the real rules that you have to follow in order to make any money."

He said the case will likely inform future state privacy laws, and is a "good argument for keeping a jury in the loop." Marti added, "some kind of private right of action is needed in order to deter companies from pursuing compliance through complex documents that are ultimately bullshit but tweaked to the point where regulators can’t find faults in them."