Frasco v. Flo Health, Inc.
3:21-cv-00757
N.D. Cal.May 19, 2025Background
- Plaintiffs, on behalf of a nationwide and California subclass of Flo App users, alleged that Flo Health, Inc., Meta (formerly Facebook), and Google improperly disclosed sensitive health data provided in the Flo App, contrary to their privacy policies.
- The allegedly improper data sharing with Meta and Google occurred through SDKs embedded in the Flo App between November 2016 and February 2019, affecting millions of users.
- Plaintiffs sought certification of classes for claims under California and federal law, including claims for invasion of privacy, breach of contract, violation of California’s Confidentiality of Medical Information Act (CMIA), and the Comprehensive Computer Data Access and Fraud Act (CDAFA).
- Plaintiffs also sought injunctive relief classes under Rule 23(b)(2); the primary focus of the suit was on monetary relief under Rule 23(b)(3).
- Defendants opposed class certification on multiple grounds, including implied consent, statute of limitations, class action waiver, and challenges to commonality and predominance under Rule 23.
- The court analyzed class certification requirements under Rule 23, evaluating the adequacy, numerosity, commonality, predominance, and superiority of class litigation for the asserted claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Implied Consent | Consent was not actual; users were not provided explicit notice of the data sharing. | Users impliedly consented by continuing to use the app after privacy policies and news reports. | Implied consent defense not sufficient to defeat certification; evidence does not support individualized inquiries. |
| Statute of Limitations | Fraudulent concealment and common representations allow classwide tolling. | Contractual one-year limitations period and individual notice inquiry defeat predominance. | Limitations defense is not a bar; predominance satisfied due to common evidence. |
| Class Action Waiver | Waiver is unconscionable, both procedurally and substantively, under California law. | Waiver is enforceable, especially as statutory damages sought are not small. | Waiver is unenforceable; Discover Bank rationale applies. |
| Standing/Injury | Privacy injury occurs at data interception, regardless of anonymization or data usage. | No standing for data that was anonymized or not sensitive to the individual. | Certification not barred; privacy loss/loss of control over information is a concrete harm. |
| Predominance/Commonality | Common disclosures, SDK practices, and privacy representations make class issues suitable for classwide proof. | Individual inquiries required for user information, consent, damage, and user actions. | Commonality and predominance met for most claims; denied only for CDAFA and part of CIPA. |
| CDAFA Damages/Loss | Damages can be proven on classwide basis via expert evidence of data value. | Individual economic loss is required, and no common evidence shows market participation or value. | Certification denied for CDAFA claims due to lack of classwide loss/damage evidence. |
| Breach of Contract Damages | Statutory and nominal damages available without actual damages. | Actual damages must be shown, defeating predominance. | Certification granted; nominal damages suffice under California law. |
| CIPA Geographic Scope | Sufficient evidence can show which users were in California for CIPA claims. | No classwide method to prove in-state conduct; servers outside California. | Certification for CIPA §632 claim only; not for §631. |
| Injunctive Relief Class | Requested but not principal relief; focus is on monetary recovery. | N/A | (b)(2) class denied; denial without prejudice for ancillary injunction later. |
Key Cases Cited
- Comcast Corp. v. Behrend, 569 U.S. 27 (2013) (articulates the class certification standard under Rule 23)
- Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011) (commonality requirement for class actions)
- Tyson Foods, Inc. v. Bouaphakeo, 577 U.S. 442 (2016) (predominance standard)
- Amgen Inc. v. Conn. Ret. Plans and Trust Funds, 568 U.S. 455 (2013) (rigorous certification analysis must not resolve ultimate merits)
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (standing and concrete harm for privacy/consumer claims)
- AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011) (limitations on unconscionability challenges to arbitration agreements)
- Discover Bank v. Superior Court, 36 Cal. 4th 148 (2005) (unconscionability standard for class action waivers in consumer contracts)
- Hill v. National Collegiate Athletic Association, 7 Cal. 4th 1 (1994) (privacy interests under California law)
- Armendariz v. Foundation Health Psychcare Services, Inc., 24 Cal. 4th 83 (2000) (unconscionability balancing in contract law)
- Sheehan v. San Francisco 49ers, Ltd., 45 Cal. 4th 992 (2009) (objective standard for privacy expectations in California)