App users claim company shared their sensitive health information.
Flo Health Inc., a menstrual cycle and fertility tracker app, is facing a class action lawsuit alleging the app’s developer shared users’ sensitive health information with third parties without their knowledge or consent. The lawsuit, filed in California federal court, also named the alleged third parties Facebook Inc., Alphabet Inc.’s Google, and data analytics companies Flurry Inc. and AppsFlyer Inc. as defendants. The plaintiffs claimed these companies “aided and abetted” Flo Health in sharing users’ sensitive information.
Flo’s site touts, “You trust us with your intimate personal information, and we promise to be 100% transparent with our data security and usage practices.” It also states, “Privacy in the digital age is of utmost importance. Flo provides a secure platform for millions of women globally.” However, the class action is the culmination of seven separately proposed lawsuits filed against Flo Health earlier this year with the first filed after the U.S. Federal Trade Commission (FTC) announced a its lawsuit in January. The FTC settled with Flo in June.
As part of the settlement with the FTC, Flo Health must notify affected users about the disclosure of their health information. It is also barred from misrepresenting “the purposes for which it (or entities to whom it discloses data) collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information,” according to the federal agency.
“Users of the women’s health app hand over personal information to Flo Health, including intimate details about sexual health and menstrual cycles, among other things, to use the app,” the latest complaint reads, adding, “Flo Health violated users’ privacy by disclosing that information to third parties through software development kits (SDKs) incorporated into its app, despite the company’s privacy policies and public assurances that it would not share data. In using the third parties’ SDKs, Flo Health transmitted the personal information back to other defendants, which allegedly knew that the data collected and received from Flo Health included intimate health data but didn’t stop that because the data is vital to their business, such as for marketing and data analytics purposes.”
The lawsuit cites “invasion of privacy, breach of contract, and violation of the federal Stored Communications Act.” The Stored Communications Act is a law that addresses voluntary and compelled disclosure of stored wire and electronic communications and transactional records held by third-party internet service providers. It is meant to keep private sensitive information and ensure it is not shared with third parties without the owner’s consent.
Plaintiffs’ counsel filed a separate motion this month seeking the appointment of attorneys as interim co-lead counsel. Carol Villegas of Labaton Sucharow, Diana Zinser of Spector Roseman & Kodroff and Christian Levis of Lowey Dannenberg are seeking the leadership roles, which “embody the diversity necessary to vindicate claims for women whose private intimate health data was disclosed without authorization,” according to the attorneys.
The case is Frasco v. Flo Health Inc, U.S. District Court for the Northern District of California, No. 3:21-cv-00757-JD.