Flo Health’s Privacy Nightmare and What It Means for Your Business


In a gut-punch ruling this week, the U.S. District Court for the Northern District of California certified a class action against Flo Health, the popular period and ovulation tracking app, over allegations that it shared users’ private health data with tech titans like Google and Meta without permission. The Frasco v. Flo Health Inc. case isn’t just a legal skirmish; it’s a terrifying reminder that even well-meaning companies can land in a nightmare of litigation if they mishandle user data. As the privacy experts here at Captain Compliance have been warning everybody, this ruling is a shrieking alarm to tighten your data practices before the legal boogeyman comes knocking with an expensive lawsuit. It’s far cheaper to invest in respecting users’ privacy now than to pay out $5 million in litigation later for failing to.

If you’ve been following our updates on litigation around the California Invasion of Privacy Act (CIPA) and how it ties in with health data flowing to Meta, you won’t be surprised by these lawsuits.

Flo Health Privacy Issues

Here’s what went down, and three bone-chilling lessons every business needs to heed, especially if you process health information on your website or app.

1. Anonymization Won’t Save You from the Original Sin

The court didn’t buy Flo Health’s defense that shared data was “anonymized,” so no harm was done. Judge Donato’s ruling cuts like a knife: the real damage happens the moment you collect or share personal data without clear consent. It’s like stealing someone’s diary and claiming it’s fine because you scribbled out their name before passing it around. The court said it plain: “The legal injury… occurs when the personal information is obtained in the first instance.” Whether it’s later stripped of identifiers or mashed into aggregate data doesn’t erase the initial betrayal.

This isn’t Flo’s first dance with disaster, either. The Federal Trade Commission (FTC) already slapped it with a settlement for sharing user health data after promising to keep it locked tight. A Canadian class action also called out Flo for questionable consent practices, even where the data was supposedly “anonymous.” The lesson? If you’re collecting sensitive info like menstrual cycles or pregnancy details, you’re walking a tightrope over a legal abyss.

Takeaway for Businesses: Don’t think anonymizing data later will shield you from liability. Courts are zeroing in on what happens at the point of collection. If you didn’t get crystal-clear permission upfront, you’re already in the danger zone.

2. “Medical Information” Is a Wider Net Than You Think

Flo Health tried to argue that determining whether shared data was “medical information” would require digging into each user’s case: whether the data was about them, whether it was accurate, and whether it was identifiable. The court shut that down fast, saying the app’s very purpose (tracking menstruation, ovulation, and pregnancy) screams “medical” from the rooftops. No need to dissect each user’s data to see if it fits; the app’s nature alone was enough to certify the class.

This echoes other cases, like Torres v. Prudential Financial, where a court certified a class over sensitive data collected through a website form, brushing off arguments that consent needed individual scrutiny. If your app or service touches anything that could be seen as health-related, courts won’t hesitate to slap a “medical” label on it and let a class action roll forward.

Takeaway for Businesses: Don’t assume your data isn’t “medical” just because it’s not a hospital record. If it smells even remotely like health info, courts will treat it as such. Brace for broad interpretations and plan your compliance accordingly.

3. Class Action Waivers Can Be Your Undoing

Flo Health thought it had a silver bullet: a class action waiver buried in its terms of service. But the court tore it apart, calling it both procedurally and substantively unconscionable. Why? It was tucked away in a “Miscellaneous” section, a single sentence at the end of a take-it-or-leave-it contract, with no bold text or clear heading to draw attention. Compare that to other terms like “Limitation of Liability,” which screamed for attention in all caps. The court wasn’t having it: hiding a waiver like that is like whispering a warning in a haunted house—nobody’s going to hear it, and it won’t save you.

Takeaway for Businesses: Your class action waiver is only as strong as its presentation. Bury it in fine print or sneak it into an obscure corner of your terms, and it’s as good as dead in court. Transparency isn’t just a buzzword—it’s your lifeline.

Captain Compliance’s Survival Guide for the Privacy Apocalypse

California’s privacy laws like CIPA and the CCPA/CPRA, alongside federal statutes like the VPPA, are a gauntlet, and the Flo Health ruling shows just how brutal they can be. Here’s how to keep your business from starring in the next legal horror show:

  • Consent is Non-Negotiable: Get explicit, informed consent for collecting and sharing sensitive data. Vague privacy policies won’t cut it; courts will dissect whether a “reasonable person” would’ve known what they were signing up for.
  • Audit Your Terms of Service: Make sure waivers and arbitration clauses are front and center, not buried like a body in a shallow grave. Use clear headings, bold text, or anything else to make them impossible to miss.
  • Know Your Data’s DNA: Understand what you’re collecting and whether it could be deemed “medical” or “personal.” Courts won’t split hairs when it comes to sensitive info.
  • The First Step is the Deadliest: Improper collection is the original sin. No amount of downstream anonymization will cleanse it.
  • California Sets the Tone: The Golden State’s rulings often ripple nationwide. Ignore them at your peril.

The Flo Health case is still creeping toward a jury trial, but this class certification ruling is a screaming wake-up call. Data privacy isn’t just a checkbox; it’s a minefield. For Captain Compliance clients, the path forward is clear: prioritize transparency, nail down consent, and make sure your terms are bulletproof. Anything less invites a legal nightmare that could haunt your business for years and break trust with your clients.
