A federal jury found on Friday that Meta violated the California Invasion of Privacy Act, the state's wiretap law, by collecting data from a period-tracker app without user consent.
Plaintiffs in a class-action case proved by a preponderance of evidence that Meta intentionally eavesdropped on and/or recorded conversations using an electronic device, said a verdict form released yesterday in US District Court for the Northern District of California. Plaintiffs also proved that they had a reasonable expectation of privacy and that Meta did not have consent from all parties to eavesdrop on and/or record the conversations, the jury found.
The lawsuit was filed in 2021 against Flo Health, maker of an app for tracking periods, ovulation, and pregnancy. Facebook owner Meta, Google, and app analytics company Flurry were added as defendants later. The plaintiffs settled with Flo Health, Google, and Flurry before the trial, leaving Meta as the only remaining defendant.
The plaintiffs' trial brief said that "Flo allowed Google and Meta to eavesdrop on users' private in-app communications" between November 2016 and February 2019. Flo app users had to complete an onboarding survey requiring them "to select a 'goal' indicating whether they are pregnant, want to be pregnant, or want to track their period, as well as input other information about their pregnancy or menstrual cycle," the brief said.
Flo promised not to disclose this information but gave access to Google and Meta "via Custom App Events (CAEs) sent through their respective Software Development Kits (SDKs), incorporated in the Flo App," the brief said.
"Each of the Defendants had their own purpose for collecting and using Flo user data," the brief said. "Flo used this information to acquire new app users through advertising and marketing, including advertisements based on Flo App users' reproductive goals (e.g., getting pregnant). Flo also sold access to the CAEs sent through SDKs to other third parties for profit. Google and Meta separately used the data they intercepted for their own commercial purposes, including to feed their machine learning algorithms that power each of their respective advertising networks."
Jury sent “clear message” to Big Tech, lawyers say
Financial damages haven't been decided yet. Labaton Keller Sucharow, a law firm for the plaintiffs, said the "verdict sends a clear message about the protection of digital health data and the responsibilities of Big Tech. Companies like Meta that covertly profit from users' most intimate information must be held accountable."
Meta is likely to appeal. "We vigorously disagree with this outcome and are exploring all legal options," Meta said in a statement provided to Ars today. "The plaintiffs' claims against Meta are simply false. User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any."
Meta's trial brief said that "Custom App Events are customized strings of coded data, and Flo never sent Meta a key for decoding them, so Meta did not know the true meaning behind the limited data that it received, and certainly was not privy to Flo users' conversations with the Flo App... Despite all this, Plaintiffs seek billions of dollars in statutory damages from Meta." Meta said it "relies on app developers like Flo—who are best positioned to notify their users that they are sharing data with Meta, get any necessary permissions from their users, and ensure they are not sending health or other sensitive information—to make sure any data they send complies with Meta's terms."
Labaton Keller Sucharow's press release said that at the trial, five women "shared their deeply personal stories and the intimate health data they entered into the Flo Health app, including details about their menstrual cycles, sexual activity, and pregnancies."
"Plaintiffs' counsel presented internal Meta communications and technical documentation suggesting that Meta was fully aware it was receiving confidential health data from third-party app Flo Health and actively used it for ad-targeting purposes," the press release said. "Evidence also included messages among Meta employees that appeared to mock the nature of the data being collected, raising questions about the company's culture and attitude toward user privacy."
Details on the plaintiffs' settlements with Flo Health and Google haven't been released yet. Those two settlements were announced shortly before the trial. Flurry settled late last year, agreeing to pay $3.5 million to cover claims from Flo app users and other costs, but the settlement is still pending court approval.
Flo Health's trial brief, filed before it reached a settlement with plaintiffs, said the claims were barred by the statute of limitations and that the plaintiffs "consented to the very policies and practices they attack." Flo Health said that "every version of the Flo Privacy Policy explicitly permitted Flo to use third-party analytics to monitor and improve the App and permitted Flo to share de-identified information for any purpose."
The plaintiffs' brief said the statute-of-limitations defense would fail because users "had no knowledge of Defendants' wrongdoing until shortly before the filing of this case" and that "Flo did not disclose it would share Flo App users' private health data with third parties—it promised the opposite."