As class action trial looms, Meta and Flo could face 'mind-boggling' damages

It’s hard to imagine more intimate queries than those that fertility tracking app Flo allegedly asked its users. Among them: When was your last period? How often do you have sex? Masturbate? Do you get yeast infections?

As app maker Flo Health and co-defendant Meta are set to face a class action trial in San Francisco federal court next week for allegedly violating the privacy of millions of Flo users, the question now is whether the companies will cut a deal or risk what Flo on appeal termed "mind-boggling" damages.

Litigators sometimes bandy about the phrase “bet-the-company case,” but this could be the real thing. Facebook parent Meta is defending against claims of violating the California Invasion of Privacy Act, which carries statutory penalties of $5,000 per violation.

That would add up to at least $190 billion in damages if, as plaintiffs have previously suggested, there are 38 million class members. If each app entry is treated as a separate violation, total damages could be quadrillions of dollars — "a sum so large it may as well be infinite," as Flo put it.

A spokesperson for Meta, which is represented by outside counsel from Latham & Watkins, said the plaintiffs’ claims against the company "are simply false, and we are confident that the evidence at trial will demonstrate the realities."

Flo, represented by Dechert, separately is dealing with claims including violations of California’s Confidentiality of Medical Information Act, which carries penalties of $1,000 per violation. A spokesperson for the London-based, privately held company said Flo "is committed to protecting the privacy of its users, and any allegation otherwise has no merit."

The companies have argued that Flo’s privacy disclosures gave users notice of the alleged misconduct and that they impliedly consented, that the shared data did not contain personally identifying information and that Meta never “intended” to intercept communications.

According to the Meta spokesperson, the company does “not want health or other sensitive information” and its terms “prohibit developers from sending any.”

Google, which was also named in the suit, reached a settlement in principle last week on as-yet undisclosed terms. A Google spokesperson did not respond to my request for comment.

Given the risk of outsized verdicts (even those that don't involve 16 figures), class actions rarely go to trial. For example, Google last month took a chance on one involving cellular phone data, only to be hit with a $314 million verdict by a California jury on July 1.

The Flo plaintiffs invoke California’s 1967 invasion of privacy law, a Cold War relic that makes it illegal to covertly eavesdrop or record telephone conversations. As I previously wrote, the cause of action has enjoyed a resurgence of late among plaintiffs' lawyers, especially in connection with the use of chatbots, tracking pixels and other data analytics software.

The Flo jury trial, set for July 21 before U.S. District Judge James Donato, looms as current and former Meta leaders face an $8 billion shareholder suit in Delaware that kicks off Wednesday. The shareholders allege Meta executives violated a 2012 agreement between Facebook and the Federal Trade Commission to protect users' data, my Reuters colleague Tom Hals reports.

The Flo class action also has its roots in an FTC case. The agency sued Flo after The Wall Street Journal in 2019 reported that it was able to intercept identifying health information about Flo users transmitted by the app to Facebook.

The FTC’s 2021 settlement required Flo to obtain users' consent before sharing their health information and to notify affected women about the disclosure.

According to the follow-on class action, which covers all Flo app users nationwide from Nov. 1, 2016, to Feb. 28, 2019, plus a California subclass, Flo integrated code from Meta and Google’s software development kits, which are used for data analytics, into its app. That allegedly allowed the companies to review personal information on users’ menstrual cycles, sex lives and pregnancies, despite promises by Flo that the data would remain confidential.

The third parties were "were free to use this data for their own purposes," including marketing and advertising, the complaint alleges. "If Plaintiff and Class members had known that Flo Health would share their intimate health data, they would not have used the Flo App."

Plaintiffs' lawyers from Labaton Keller Sucharow; Lowey Dannenberg and Spector Roseman & Kodroff did not respond to requests for comment.

Donato certified the class in May, writing that the “loss of control over one’s personal information” is a concrete harm, "whether from stealing access to a personal diary in 1916 or obtaining user information in a healthcare app in 2016.”

The decision prompted an interlocutory appeal in June by Flo to the 9th U.S. Circuit Court of Appeals. Flo argued that Donato wrongly held that the company’s class action waiver was unenforceable. The judge deemed the provision unconscionable because it was buried in Flo’s terms of service.

Flo also argued that the company’s use of the software development kits is “a practice as unremarkable as it is widespread,” and that it disclosed using the kits in its privacy policy and terms of service. Flo also said the transmitted data was de-identified, consisting of alphanumeric strings corresponding to the device on which the app was used.

The appeals court in six-sentence order on June 17 denied Flo’s petition and declined to stay the lower court proceedings.

“Cases of this magnitude almost never proceed to trial,” Flo noted in its appeal, describing the “hydraulic pressure” to settle.

I can only imagine. But if it does indeed go to trial, all I can say is, pass the popcorn.