• by Wendy Davis , 2 hours ago

Meta Platforms "intentionally eavesdropped" on users of the menstrual tracking app Flo, a federal jury determined late last week after a seven-day trial.

The verdict -- which appears to be a first -- stems from allegations that Meta violated users' privacy by collecting ad-targeting data from an app via a software development kit. The jury specifically found Meta liable for violating a California wiretap law that prohibits companies from recording electronic communications without all parties' consent. 

A Meta spokesperson says the company "vigorously" disagrees with the outcome and is "exploring all legal options."

"The plaintiffs’ claims against Meta are simply false," the spokesperson stated. "User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.”

The verdict came in a 2021 class-action complaint brought by Erica Frasco and other Flo users against Flo Health, Google, Meta and other companies. The complaint alleged that Flo shared users' sensitive data with Google, Meta and others via software development kits embedded in the app.

"Not only did Meta receive the Flo app users’ health information, it also indiscriminately used that information for multiple commercial purposes, including to target users with ads based on health-related events (e.g., whether they wanted to get pregnant), to 'optimize' ads to Flo app users, and to develop new products and services," the plaintiffs argued in court papers.

The users sued soon after the Federal Trade Commission accused Flo of wrongly sharing pseudonymized data about consumers -- including their pregnancies -- with Meta, Google and other analytics companies. Though the data wasn't explicitly tied to users' names or addresses, it was connected to an “ad identifier,” according to the FTC.

Flo stopped sharing that data in early 2019, and settled with the FTC in 2021. The settlement agreement required Flo to notify customers about the prior data sharing, and obtain people's permission before sharing their health information in the future.

Google said last month that it reached a settlement with users, and Flo said in court papers filed July 31 that it also had agreed to resolve the case.

Meta took the case to a jury last month, after unsuccessfully urging U.S. District Court Judge James Donato to award it summary judgment -- meaning a verdict in its favor before trial.

The company had argued to Donato there was no proof that it "intentionally" obtained data from the app, contending that its terms "indisputably and expressly" prohibited app developers using its software development kit from sending any health information or other sensitive personal data.

"Granting every inference in plaintiffs’ favor, the record at most shows that if Meta received any health information from Flo, that was because Flo unilaterally decided to send it in violation of Meta’s terms," Meta argued in papers filed earlier this year with Donato. "Holding Meta liable for receiving that information would be like holding someone liable for receiving a package containing something he expressly told the sender never to send."

Meta also argued that its users consented to the data collection by agreeing to Facebook's policies, which the company said "have consistently made clear that Meta may receive data reflecting users’ activity on apps that use Meta’s [software development kit]."

Donato ruled that a jury should decide whether Meta violated the wiretapping law, writing: "Disputes of fact abound with respect to the scope of consent, the timing of Meta’s 'interception' or 'eavesdropping,' whether Meta 'intended' to intercept communications, whether Meta’s interception occurred while the communications were 'in transit,' and the like."