Jury ‘sends a message’ on app privacy in ruling against Meta
A jury found that Meta illegally invaded the privacy of women who shared their sensitive health data with the period tracking app Flo by deliberately harvesting it.
The verdict, reached Friday in a California federal court, represents a significant loss for the tech giant in a closely watched civil case that could help set boundaries on how far tech firms can go in collecting personal data for use in targeted advertising.
The amount of damages Meta will pay in the class-action case remains unclear. The jurors found that the company violated the California Invasion of Privacy Act.
It’s one of the first major verdicts dictating how tech companies can handle consumer health data, privacy advocates said. Plaintiffs had alleged that Meta improperly gathered their data via a software development kit embedded in the Flo app.
“It sends a message to the industry, or it should, that courts are taking this seriously and considering the impact of these broadly unregulated ad tracking systems,” said Suzanne Bernstein, counsel at the Electronic Privacy Information Center.
Bernstein said the plaintiffs didn’t have to prove that “every single piece of data could be specifically traced back to [a specific] person. It was inferred that the value of this data is that it can be identifiable.”
Flo on Thursday settled with the plaintiffs, agreeing to pay an undisclosed sum. The Federal Trade Commission had reached an agreement with the period tracking app in 2021, requiring it to obtain users’ affirmative consent before sharing their data moving forward.
Google and the mobile analytics and advertising platform Flurry had previously settled with the plaintiffs.
“Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” plaintiffs’ lawyers Michael P. Canty and Carol C. Villegas said in a statement. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”
A Meta spokesperson said in a statement that the company “vigorously” disagrees with the verdict and is exploring all legal options.
“The plaintiffs’ claims against Meta are simply false,” the statement said. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.