A proposed class action lawsuit filed this week seeks to take Flo Health, Inc. to task over its apparent disclosure of Flo app users’ private health information to advertisers.
According to the 29-page case out of California federal court, those who used the popular period-tracking, ovulation and pregnancy app had no idea that Flo was embedded with software to “secretly collect” their personal information—including whether they were trying to get pregnant and when they were on their period—and share that data with third-party data collectors and advertisers.
The lawsuit comes on the heels of a Federal Trade Commission investigation in which the agency alleged that Flo Health misled users about the disclosure of their health data. Flo settled the allegations in mid-January 2021 and, as part of the proposed settlement, agreed to stop misrepresenting how it uses customers’ data, notify affected users that their data was disclosed to third parties, and instruct those third parties to destroy the data.
The case claims the seriousness of Flo Health’s privacy violations “cannot be overstated,” noting that third parties and data brokers have increasingly been given free rein to collect data and build user profiles that allow consumers’ activities to be tracked “across their devices with essentially no limit.”
The plaintiff, who has used the Flo app since 2016, looks to obtain a court order to stop Flo Health’s “unlawful practices and sequester its unlawfully obtained information,” plus an award of reasonable damages for the alleged violations.
Flo’s Alleged Data Collection Practices
According to the lawsuit, the Flo app collects private details about its more than 150 million users’ menstruation and gynecological health to track ovulation and aid in pregnancy and childbirth.
Per the suit, Flo users were assured by the company’s privacy policies that Flo would only share certain personal data with third parties for the purpose of operating and servicing the app, and that the shared data would not be used “for any other purpose.” Additionally, the case says, the privacy policies in effect between May 2018 and February 2019 promised that Flo would not disclose “any data related to health” to certain marketing and analytics firms and would only provide “non-personally identifiable information” to Facebook, Google, and Google’s marketing service, Fabric.
Despite its promises, Flo disclosed unsuspecting users’ private health information to those same third parties “to use in an unrestricted manner,” the lawsuit alleges.
Per the suit, Flo generates a substantial portion of its revenue not from app sales but from selling users’ data to advertisers. Most consumers, the lawsuit notes, are unaware that the apps they use are “specifically designed” to secretly collect their personal information and share it with advertisers for profit.
Baked into the Flo app, the case alleges, are third parties’ software development kits (SDKs) that “operate to secretly collect an app user’s personal information and track online behavior to facilitate behavioral advertising or marketing analysis.” As explained in the complaint:
Armed with users’ personal data, Flo’s third-party SDK partners can build “immense online profile[s]” to target users with behavioral advertising across all their devices, the suit relays. According to the complaint, Flo Health embedded into its app SDKs from Facebook’s analytics tool; Google’s analytics division; Google’s marketing service, Fabric; marketing firm AppsFlyer, Inc.; and analytics firm Flurry, Inc.
According to the case, the Federal Trade Commission began investigating Flo Health’s data collection and disclosure practices after The Wall Street Journal reported in February 2019 that it had intercepted unencrypted identifying health information that had been transmitted from Flo to Facebook.
Per the suit, the information included “a unique advertising identifier,” the user’s intention to get pregnant, and when she was having her period.
After a subsequent investigation, the FTC issued a complaint to Flo Health stating it “[had] reason to believe” that Flo Health violated provisions of the Federal Trade Commission Act, the case says. According to the FTC complaint, Flo “stated, time and time again, that [it] would not share users’ health details with anyone” and yet went on to share the “intimate details of [users’] reproductive health” with numerous third parties.
The disclosure of users’ private data continued until the WSJ exposed Flo Health’s practices, the FTC complaint stated, noting that Flo stopped sharing health information with Facebook the day after the exposé was published.
Although Flo Health settled with the FTC in January 2021, Commissioners Rohit Chopra and Rebecca Kelly Slaughter noted disappointment in the agency for “not using all of its tools to hold accountable those who abuse and misuse personal data,” the lawsuit adds. Per the case, the commissioners believed Flo Health should have also been held accountable for violating the Health Breach Notification Rule.
“The rule helps ensure that consumers are informed when their data is misused, and firms like Flo should not be ignoring it,” the commissioners stated.
Nevertheless, Flo Health agreed as part of the proposed settlement to stop misrepresenting:
the purposes for which it (or the third parties to whom it discloses data) collects, maintains, uses, or discloses consumers’ information; consumers’ control over how their data is used; its compliance with privacy, security or compliance programs; and how it collects, maintains, uses, discloses, deletes or protects users’ information.
Further, Flo Health agreed to notify affected users about the disclosure of their personal information and instruct third parties to destroy the data they received.
Why a Class Action?
The complaint implies that despite the FTC settlement, Flo users are owed additional relief and assurance that the company will stop its allegedly unlawful data sharing practices.
The lawsuit looks to obtain an injunction—i.e., a court order directing a defendant’s behavior—against Flo Health to stop it from continuing to engage in the conduct alleged in the suit.
Further, the plaintiff asks the court to make Flo Health give up “revenues wrongfully retained” as a result of its allegedly unlawful practices.
And perhaps most notably, the lawsuit looks to require that Flo Health pay consumers for the damages they’ve suffered as a result of their data being unlawfully disclosed.
Who Does the Lawsuit Look to Cover?
The case looks to represent anyone in the U.S. who used the Flo app, as well as a proposed subclass of California consumers who used the app.
How Do I Join the Lawsuit?
As with most class actions, there’s nothing you need to do to join the lawsuit. If the case moves forward and settles, that’s when “class members,” i.e., those whom the lawsuit seeks to cover as detailed above, would be given an opportunity to claim whatever compensation the court deems appropriate.
Typically, the plaintiff’s attorneys can find out who was affected through the company’s records and will be able to send out notice of the settlement when and if the time comes. You can find out more about the process here.
How Can I Keep Up with the Lawsuit’s Progress?
First, it’s important to note that class actions can take months or even years to reach resolution. With that in mind, you can check back to this page for any notable updates.