Meta-Flo Health Case Shows Growing Risk of Ad Tracking Tech, Lawyers Say
The federal jury decision earlier this month that Meta violated the California Invasion of Privacy Act (CIPA) illustrates how tracking technologies can pose serious risks if not responsibly deployed, said Ice Miller lawyers in a Monday blog post. The jury in Frasco v. Flo Health, Inc. found the social media platform intentionally eavesdropped on users of the health app Flo Health without consent and received sensitive data on users' menstrual cycles and reproductive health (see 2508040041).
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
"The Meta verdict underscores a growing risk involving ad tech," the Ice Miller bloggers said. "Ad tech tools like Meta Pixel, widely used for analytics and advertising, can capture sensitive personal information if implementers do not understand how it works."
Additional defendants Flo and Google reached settlements before the jury came to a verdict. No details on the settlements were released (see 2508010048 and 2507090063).
The Ice Miller lawyers noted that while the case was in California, "which is a consumer-friendly jurisdiction with strict data privacy laws," it has also "sparked public debate and may influence future privacy legislation at both the state and federal levels."
As a result, "businesses must now treat tracking technologies not just as marketing tools, but as potential compliance liabilities." Accordingly, they suggested: auditing all tracking tools; reviewing policies, disclosures and contracts with vendors; documenting compliance efforts; preparing responses to minimize damage to the company's reputation from a privacy incident; and implementing data minimization, among other procedures.
In another recent legal blog post, Rivkin Radler lawyer Atara Khan said the case's "outcome underscores that companies handling sensitive health-related information must honor privacy commitments, secure clear and informed consent, and avoid undisclosed data sharing." Khan added, "Misuse of intimate health data can lead to severe legal, financial, and reputational consequences."