Let’s explore the details of the case and how the court’s decision illustrates broader legal challenges for plaintiffs in privacy litigation.
Overview
The Flo Health mobile app is used by millions each year to log sensitive health information related to menstruation, ovulation, pregnancy, and sexual activity. A group of women from multiple states, including California, alleged that between 2016 and 2019, the Flo Health app misled users by claiming their data would remain private.
The lawsuit alleged that the app secretly shared user data with Big Tech companies like Google and Meta through software development kits embedded in the app. According to the lawsuit, the kits enabled those companies to use the data for advertising and machine learning purposes.
The lawsuit, brought against Flo Health, Meta, and Google, alleged the following:
- That Flo Health misrepresented its privacy practices.
- That Meta and Google wrongfully received and exploited sensitive user data.
- That the sharing occurred without valid consent and in violation of several California privacy laws, as well as common law and contract theories.
The plaintiffs sought to certify both a nationwide class (users from 2016 to 2019) and a California subclass of state residents, seeking damages and injunctive relief. Alongside common law invasion of privacy and breach of contract, key claims included violations of the California Confidentiality of Medical Information Act, the California Comprehensive Computer Data Access and Fraud Act, and the California Invasion of Privacy Act.
Where the case stands today
Flo Health, Google, and Meta opposed class certification, arguing that (1) users had implicitly agreed to the data sharing; (2) too much time had passed since the alleged misconduct; (3) users had waived their right to sue as a group; and (4) no real harm had occurred because the data wasn’t personally identifiable.
In his ruling, Judge James Donato, an Obama appointee, rejected many of the defendants’ arguments and granted partial class certification for several core claims. However, Judge Donato still imposed some notable limits:
1. Some legal claims were excluded.
Claims for unjust enrichment and claims under parts of the Comprehensive Computer Data Access and Fraud Act and the Confidentiality of Medical Information Act required individualized evidence not suited for class treatment. These claims were not certified.
2. Narrower scope for Google and Meta.
The evidence of these organizations’ involvement wasn’t as direct as that of Flo Health, so only the common law invasion of privacy and the statutory California Invasion of Privacy Act claims against them were allowed to proceed. Certification was granted only in part.
3. Relief was narrowed.
Injunctive relief and damages were permitted only where harm could be shown across the entire class. As a result, only certain remedies were allowed to move forward.
Implications for future privacy litigation
Judge Donato didn’t shut the door entirely on class actions in privacy cases, but he made clear that only narrowly tailored claims and clearly defined user groups were likely to succeed. Key legal issues—such as consent, anonymized data, and the enforceability of user agreements—continue to complicate certification efforts.
In the future, courts are likely to demand more precision in privacy class action lawsuits, including the following:
- Well-constructed classes.
- Concrete and consistent harm.
- Strong common evidence that can be applied across the entire group.
The Frasco v. Flo Health decision underscores the growing difficulty of certifying privacy classes, which often involve complex and interrelated defenses. As privacy litigation evolves, both plaintiffs and defendants face increasingly high stakes in shaping these cases and ensuring that sensitive user data remains private.