Frasco v. Flo Health, Inc.

Case Information

UNITED STATES DISTRICT COURT

NORTHERN DISTRICT OF CALIFORNIA ERICA FRASCO, et al., Case No. 21-cv-00757-JD Plaintiffs, ORDER RE CLASS CERTIFICATION v. FLO HEALTH, INC., et al., Defendants.

Named plaintiffs Erica Frasco, Sarah Wellman, Justine Pietrzyk, Jennifer Chen, Tesha Gamino, Leah Ridgway, Autumn Meigs, and Madeline Kiss have alleged a variety of privacy claims against Flo Health, Inc. (Flo), Google LLC, and Meta Platforms, Inc. (Meta) ^[1] in connection with the Flo Period and Ovulation Tracker app for women (Flo App). They say that, from 2016 to 2019, the Flo App surreptitiously transmitted users’ highly personal information about menstruation, ovulation, pregnancy goals, and the like to Google and Meta through their software- development kits (SDKs), despite assurances to the contrary by Flo. See generally Dkt. No. 64 (consolidated amended complaint or CAC). Plaintiffs allege that defendants commercially exploited users’ sensitive health information, namely for marketing and advertising purposes. Id. ¶¶ 99, 105, 125, 128, 128 n.19, 141, 149, 182.

Plaintiffs filed a request to certify classes of Flo App users for damages and injunctive relief. Dkt. No. 477. Defendants opposed certification of any class. Dkt. No. 491. The submissions by both sides were massive and totaled just under 1,000 pages in all. Dkt. Nos. 477- 79, 490-91, 496-98. The brief filed by defendants was not a triumph of clarity and organization. Defendants did not address the elements required by Rule 23(a), and often did not support their arguments with useful analysis. The Court has undertaken the arduous work of bringing order to the question of certification, which has resulted in an atypically long order.

Overall, plaintiffs have adduced substantial evidence demonstrating that the proposed class members saw the same privacy representations by Flo, experienced the same Flo App and SDK practices, and have the same alleged claims and injuries. The questions posed in plaintiffs’ case can be answered on the basis of common evidence that applies on a classwide basis. Consequently, certification is granted in main part, with a few specific, claim-related exceptions.

BACKGROUND

I.

THE ALLEGATIONS The named plaintiffs are eight women in the states of California, New Jersey, New York, Ohio, and Pennsylvania, who downloaded and used the Flo App between 2017 and 2019. ^[2] Dkt. No. 64 ¶¶ 35-90. The Flo App is said to have been “the first mobile application to make use of artificial intelligence to accurately predict reproductive cycles” and was marketed as a sexual health and wellness app. Id. ¶¶ 115-21. The app coached users to input a wide variety of personal data, such as the “timing of the user’s menstrual cycle,” “preferred birth control methods,” and details about users’ “sexual activity.” Id. ¶¶ 131-33. Plaintiffs said that from its launch to the end of December 2020, the Flo App was “rated the #1 period tracker in the United States . . . and the #1 most downloaded health app in the Apple App Store.” Id. ¶ 121.

Plaintiffs allege that, between 2017 and 2019, Flo made representations to users that it would keep their personal information private and confidential. Dkt. No. 64 ¶ 136. For example, Flo’s 2017-18 privacy policy stated that Flo “may share certain” information with third parties “that is reasonably necessary to perform their work,” such as “supply[ing] software applications, web hosting, and other technologies,” but would “exclud[e] information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share.” Id. ¶¶ 164-65 (first alteration in original). Flo also represented that third parties “could not use Flo App users’ personal information ‘for any other purpose except to provide services in connection with the App.’” Id. ¶ 166. Similar assurances were alleged to have been made in the 2018-19 privacy policy. Id. ¶¶ 167-68, 177.

In plaintiffs’ telling, these assurances were false. They say Flo integrated Meta and Google’s SDKs into the Flo App to obtain personal information shared by users. Dkt. No. 64 ¶ 140. The SDKs collected two categories of information: “Standard Events” and “Custom Events.” Standard Events consisted of “routine app functions, such as launching or closing the app,” while Custom Events were “records of user-app interactions unique to the app itself.” Id. ¶ 137. Flo designed and named the specific Custom Events used in the Flo App. Id. ¶ 139. The Custom Events were said to have conveyed personal health information by virtue of Flo’s naming conventions ( e.g. , Flo gave them titles such as “‘R_PREGNANCY_WEEK_CHOSEN’ rather than something generic, like ‘Event 1’”), and were transmitted by the SDKs to Google and Meta. Id. ¶¶ 137, 140-46. Plaintiffs allege that the SDKs transmitted “critical pieces of data from [users’] mobile devices, including ‘persistent identifiers,’” which were “unique data points . . . that can link one specific individual to all the apps on her device and her activity on those apps, allowing her to be tracked over time and across devices.” Id. ¶ 151. Plaintiffs say that, notwithstanding Flo’s representations to users, Meta and Google used the collected data for commercial purposes beyond providing analytics to Flo. Id. ¶ 149.

II.

THE LITIGATION

Plaintiff Frasco filed the original complaint in this case on behalf of herself and others similarly situated. Dkt. No. 1. The Court consolidated several related cases and subsequently appointed co-lead counsel for the putative class on an interim basis. Dkt. Nos. 59, 80. The operative complaint is the consolidated amended complaint, and it alleged claims against Flo, Google, Meta, and two other defendants, AppsFlyer, Inc. and Flurry, Inc. Dkt. No. 64. After the Court dismissed the complaint in part with leave to amend, plaintiffs voluntarily dismissed their claims against AppsFlyer. Dkt. Nos. 158, 171.

After substantial discovery and motion practice, plaintiffs moved to certify four classes of Flo App users. Dkt. No. 330. The motion was terminated after the Court directed the parties to address the bloated number of expert witnesses proffered by the parties and the resulting plethora of motions to exclude those witnesses under Federal Rule of Evidence 702. See Dkt. Nos. 330, 381, 383, 385, 389, 392, 394, 395, 403, 419. Google moved for summary judgment on the claims against it, Dkt. No. 338, and the Court granted summary judgment to Google for plaintiffs’ UCL and aiding-and-abetting claims, but denied Google’s request in all other respects. Dkt. No. 485.

Plaintiffs have renewed their motion for class certification. ^[3] Dkt. No. 477. They now ask for certification of a nationwide class and a California subclass, as follows: Nationwide Class: All Flo App users who entered menstruation and/or pregnancy information into the Flo Health App between November 1, 2016, and February 28, 2019, inclusive. California Subclass: All Flo App users in California who entered menstruation and/or pregnancy information into the Flo Health App while residing in California between November 1, 2016, and February 28, 2019, inclusive.

The nationwide class is proposed for certification under Rule 23(b)(3) for damages against defendant Flo for: (1) violation of the California Confidentiality of Medical Information Act (CMIA); (2) breach of contract (or in the alternative breach of an implied contract); (3) common law invasion of privacy (intrusion upon seclusion); and (4) violation of the Comprehensive Computer Data Access and Fraud Act (CDAFA). The same class is proposed for damages against defendants Meta and Google for violations of CDAFA. Certification of the California subclass is also proposed under Rule 23(b)(3) for damages against Flo for invasion of privacy in violation of Art. 1, Sec. 1 of the California Constitution, and against Meta and Google for violations of the California Invasion of Privacy Act (CIPA).

In addition to the damages classes, plaintiffs propose certification of the nationwide class and California subclass under Rule 23(b)(2). The nationwide class would seek injunctive relief in connection with the CDAFA and common law invasion of privacy claims, and the California subclass would seek injunctive relief in connection with their CIPA claims.

The three California plaintiffs (Wellman, Chen, and Gamino) are proposed to be the representatives for the California subclasses. The same three plaintiffs, plus plaintiffs Frasco and Meigs, are proposed as the representatives for the nationwide classes. ^[4]

Plaintiffs and defendant Flurry have settled. Dkt. Nos. 503, 589. The Court recently granted preliminary approval in principle for the classwide settlement subject to further proceedings not germane here. See Dkt. No. 597. Consequently, Flurry will not be considered for certification purposes here.

LEGAL STANDARDS

The goal of Federal Rule of Civil Procedure 23 is “to select the method best suited to adjudication of the controversy fairly and efficiently.” Schneider v. YouTube, LLC , 674 F. Supp. 3d 704, 715 (N.D. Cal. 2023) (citation omitted). “The class action is ‘an exception to the usual rule that litigation is conducted by and on behalf of the individual named parties only.’” Comcast Corp. v. Behrend , 569 U.S. 27, 33 (2013) (citation omitted).

“To come within the exception, plaintiffs bear the burden of proving by a preponderance of the evidence that the proposed classes satisfy all four requirements of Rule 23(a) and at least one of the subsections of Rule 23(b).” In re Google Play Store Antitrust Litig. , No. 21-md-02981-JD, 2022 WL 17252587, at *4 (N.D. Cal. Nov. 28, 2022). The four requirements of Rule 23(a) are: “sufficiently numerous parties, common questions of law or fact, typicality of claims or defenses, and adequacy of representation.” In re Capacitors Antitrust Litig. , No. 17-md-02801-JD, 2018 WL 5980139 (N.D. Cal. Nov. 14, 2018) (quoting Comcast Corp. , 569 U.S. at 33). For Rule 23(b), plaintiffs seek to certify both (b)(2) and (b)(3) classes. The classes seeking injunctive relief must show that “the party opposing the class has acted or refused to act on grounds that apply generally to the class.” Fed. R. Civ. P. 23(b)(2). The proposed damages classes must show that “questions of law or fact common to class members predominate” over individual issues and that “a class action is superior to other available methods” for adjudicating the dispute. Fed. R. Civ. P. 23(b)(3).

Rule 23(a)(2)’s commonality requirement tasks the Court with “look[ing] for a common contention ‘capable of classwide resolution -- which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.’” Schneider , 674 F. Supp. 3d at 716 (quoting Alcantar v. Hobart Serv. , 800 F.3d 1047, 1052 (9th Cir. 2015)). The class need not be totally uniform, but plaintiffs must demonstrate the “capacity of a class-wide proceeding to generate common answers apt to drive the resolution of the litigation.” Wal-Mart Stores, Inc. v. Dukes , 564 U.S. 338, 350 (2011) (emphasis in original) (citation omitted). Rule 23(b)(3)’s predominance requirement is related to the commonality requirement but is more demanding. It asks “whether the common, aggregation-enabling, issues in the case are more prevalent or more important than the non-common, aggregation-defeating, individual issues.” Schneider , 674 F. Supp. 3d at 716 (quoting Olean Wholesale Grocery Coop., Inc. v. Bumble Bee Foods LLC , 31 F.4th 651, 664 (9th Cir. 2022) (en banc)).

“If the defendant provides evidence that a valid defense -- affirmative or otherwise -- will bar recovery on some claims,” the Court must “determine, based on the particular facts of the case, whether individualized questions will overwhelm common ones.’” Van v. LLR, Inc. , 61 F.4th 1053, 1067 (9th Cir. 2023) (cleaned up) (citations omitted). “Each element of a claim need not be susceptible to classwide proof,” Schneider , 674 F. Supp. 3d at 716 (citing Amgen Inc. v. Conn. Ret. Plans and Trust Funds , 568 U.S. 455, 468-69 (2013)), and the “important questions apt to drive the resolution of the litigation are given more weight in the predominance analysis over individualized questions which are of considerably less significance to the claims of the class.” Ruiz Torres v. Mercer Canyons Inc. , 835 F.3d 1125, 1134 (9th Cir. 2016). Certification is permissible under Rule 23(b)(3) where “one or more of the central issues in the action are common to the class and can be said to predominate” even if “other important matters will have to be tried separately, such as damages or some affirmative defenses particular to some individual class members.” Tyson Foods, Inc. v. Bouaphakeo , 577 U.S. 442, 453 (2016) (citation omitted).

The Supreme Court of the United States has repeatedly admonished that the certification analysis “must be rigorous and may entail some overlap with the merits of the plaintiff’s underlying claim,” but the merits should be considered only insofar as they are “relevant to determining whether the Rule 23 prerequisites for class certification are satisfied.” Amgen , 568 U.S. at 465-66 (cleaned up). Even with a rigorous inquiry, “Rule 23 grants courts no license to engage in free-ranging merits inquiries at the certification stage.” Id. at 466; see also Google Play Store , 2022 WL 17252587, at *4 (“The class certification procedure is decidedly not an alternative form of summary judgment or an occasion to hold a mini-trial on the merits.”). “The decision of whether to certify a class is entrusted to the sound discretion of the district court.” Google Play Store , 2022 WL 17252857, at *4 (citing Zinser v. Accufix Rsch. Inst., Inc. , 253 F.3d 1180, 1186 (9th Cir. 2001)).

DISCUSSION I. THE EVIDENCE The salient inquiry under Rule 23 is whether plaintiffs have adduced evidence that would permit the trier of fact to answer the liability and damages questions for all class members on the basis of evidence common to the class as a whole. The ensuing summary of plaintiffs’ evidence sets the table for answering this inquiry, much of which is not materially in dispute.

Plaintiffs start with the representations in the Flo App’s privacy disclosures, namely that (1) Flo “will never share your exact age or any data related to your health with any third parties,” Dkt. No. 477-112 at 992 ^[5] ; (2) “your personal information will never be sold or rented out to third parties,” Dkt. No. 477-99 at 047; and (3) Flo “will not transmit any of your personal data [which includes health data] to third parties, except if it is required to provide the service to you . . . unless we have asked for your explicit consent,” Dkt. No. 477-110 at 978; see also Dkt. Nos. 477-98- 111. These statements were made in more or less the same form to all Flo App users.

Plaintiffs also proffered evidence showing that the Flo App asked users to share highly personal reproductive and sexual information within the app. To illustrate, users were asked to share whether they “[d]idn’t have sex,” had “[p]rotected sex,” or had “[u]nprotected sex.” Dkt. No. 478-7 at 828. Users were asked to “[l]og symptoms,” like “[c]ramps,” “[t]ender [b]reasts,” or “[a]cne,” and whether the user had taken any medications. Dkt. No. 478-6 (Egelman Rep.) ¶ 41 & Figure 8. Users were also asked to log and track details of their menstrual cycles, such as the consistency of their “Vaginal Discharge,” with options like “[s]ticky,” “[c]reamy,” or “[s]potting.” Dkt. No. 478-7 at 827-28; Egelman Rep. Figure 8. The evidence shows that the app interface and precise names of the inputs varied only marginally over the class period, such as “Vaginal Discharge” versus “Log Fluid,” but the type and substance of information capable of being entered and tracked were consistent. Compare Dkt. No. 478-7 at 827, with Egelman Rep. Figure 8.

Plaintiffs gave specific attention to the data all new Flo App users were required to share during the app’s onboarding process. They proffered evidence establishing that a new user was required to disclose: (1) the user’s age; (2) a “goal” from one of three options: (i) “Track my cycle,” (ii) “Get pregnant,” (iii) “Track pregnancy”; (3) the date of the last several menstrual periods and the average length of the periods; and (4) if pregnant, by how many weeks. See generally Dkt. No. 478-7; see also 478-8 at 891; Egelman Rep. ¶¶ 40-41 & Figures 7-8. The evidence indicates that Flo created and used Custom Events for the onboarding process with names like: “SELECT_LAST_PERIOD_DATE,” “AGE_CHOSEN_PREGNANCY,” “PREGNANCY_WEEK_CHOSEN_UNKNOWN.” See, e.g. , Egelman Rep. ¶¶ 60, 62-63, 69-72; Dkt. Nos. 478-8 at 891; 478-15 at 738.

The user entries for the Custom Events were sent to Meta and Google by means of their respective SDKs. See, e.g. , Egelman Rep. ¶¶ 60, 62, 65, 81-84, 87, 103, 105; Dkt. Nos. 478-15 at 738; 478-16 at 380; 478-17 at 147; 478-18 at First Supp. Resp. to Interrogatory No. 9, Exh. C; 478-21. Neither Google nor Meta had any method of preventing the SDKs from transmitting Custom Events that contained private health information. See, e.g. , Dkt. Nos. 478-14 at 244:12- 21; 478-51 at 47:2-19.

Plaintiffs presented evidence showing that the Custom Events featured words like “pregnancy” and “period,” which communicated information about the dates on which a user menstruated or became pregnant. This type of information is widely understood to be health information. See, e.g. , Office on Women’s Health, Your menstrual cycle and your health , U.S. D EP ’ T OF H EALTH & H UM . S ERVS . (Jan. 13, 2025) (“Your menstrual cycle can tell you a lot about your health. . . . Period problems like irregular or painful periods may be a sign of a serious health problem) ^[6] ; Federal Trade Commission, Statement of the Commission: On Breaches by Health Apps and Other Connected Devices (Sept. 15, 2021) (discussing “apps and other technologies to track . . . fertility” in connection with “the scope of the FTC’s Health Breach Notification Rule, 16 C.F.R. Part 318”). ^[7]

Plaintiffs presented evidence indicating that defendants commercially exploited the user data. For example, there is evidence that “Flo sold access to the Custom App Event data to third parties, including Procter & Gamble . . . and Bayer” pursuant to, inter alia , “a $3 million contract in October 2018 [and] a $7 million contract in October 2019” with Procter & Gamble, and “10 contracts extending through January 2019 and October 2021, totaling $6.04 million” with Bayer. Dkt. No. 478-86 at 38. Other evidence indicated that Flo used Google and Meta’s advertising services to target users with advertisements based on whether the user was tracking her period or trying to get pregnant. See, e.g. , Dkt. Nos. 478-55 at 510; 478-56 at 855-56; 478-63 at 058; 478- 64; 478-87 at 938. Evidence shows the Custom Events data funneled to Google and Meta by their SDKs was used by both defendants to enhance their machine learning technologies. See, e.g. , Dkt. Nos. 478-31 at Meta’s Resp. to Rog. No. 1 at 13; 478-68 (Golbeck Rep.) at 20-43; 478-71 at 258- 59; 478-66 at 114:2-8; 478-67 at 161.

Plaintiffs also proffered evidence that the user data entered during onboarding and transmitted to Google and Meta was capable of being tied to or identified with a particular person. The evidence shows that alongside the Custom Events, Google and Meta’s SDKs collected “unique” or “persistent” identifiers. See, e.g. , Dkt. Nos. 477-38 at Resp. to Rog. No. 3; 478-26 at 904; 478-28 at 742; 478-30 at 433. The unique or persistent identifiers could be used to identify individuals. See, e.g. , Egelman Rep. ¶¶ 27, 31, 35-39; Dkt. Nos. 478-14 at 60:2-18; 478-31 at Resp. to Rog. No. 1 at 11; 478-34 at 872; 478-35 at 971. II. RULE 23(a): NUMEROSITY, TYPICALITY, & ADEQUACY

Turning to the Rule 23 factors, defendants did not bother to mention, let alone discuss, most of the requirements for certification required under Rule 23(a), namely numerosity, typicality, and adequacy. Even so, the Court has conducted an independent analysis to determine whether all the elements are satisfied.

The record demonstrates that they have been met. To start, the proposed nationwide and California classes will likely consist of millions of individuals, rendering “joinder of all members . . . impracticable.” Fed. R. Civ. P. 23(a)(1); see, e.g. , Dkt. No. 478-4. The record also establishes that all plaintiffs and class members used the Flo App and were subject to the same app and SDK practices. Consequently, the proposed class representatives’ claims are typical of the class. See Fed. R. Civ. P. 23(a)(3); Just Film, Inc. v. Buono , 847 F.3d 1108, 1116 (9th Cir. 2017). The sound performance of plaintiffs’ counsel during this complex litigation demonstrates that they are up to the task of representing the class. See Fed. R. Civ. P. 23(a)(4). There is no evidence that the named plaintiffs are inadequate or are “situated so differently from the class” that they may be “subject to a conflict.” In re Capacitors Antitrust Litig. , 2018 WL 5980139, at *10. III. RULE 23(a)(2) COMMONALITY AND RULE 23(b)(3) PREDOMINANCE

It is “appropriate to assess Rule 23(a)(2) commonality and Rule 23(b)(3) predominance together,” with a careful eye toward their differences as warranted. In re Capacitors Antitrust Litig. , 2018 WL 5980139, at *3. The analysis is grounded in “the elements of the underlying cause[s] of action,” which are discussed in greater detail below. Klein v. Meta Platforms, Inc. , --- F. Supp. 3d ---, 2025 WL 489871, at *8 (N.D. Cal. Feb. 13, 2025) (quoting Erica P. John Fund, Inc. v. Halliburton Co. , 563 U.S. 804, 809 (2011)).

Defendants flagged four “global” concerns that they believe are grounds for denying certification. These are implied consent, a contractual limitations term, a class action waiver, and standing, each of which is said to bar certification independently of the others. The Court will resolve these objections and then turn to the predominance and commonality analysis of each of plaintiffs’ legal claims.

The ensuing discussion uses the substantive law of California. Plaintiffs proposed the use of California law because Flo’s terms of use state that California law governs and Google and Meta’s principal places of business are in California, such that decisions about SDK design and advertising may reasonably be understood to have occurred there. Dkt. No. 477 at 14; see, e.g. , Dkt. Nos. 477-121 at 573; 477-122 at 584; see also Clothesrigger, Inc. v. GTE Corp. , 191 Cal. App. 3d 605, 612-13 (1987). Defendants did not oppose the use of California law or propose an alternative. They also did not object to using California law for a nationwide class or identify any conflicts that such an application might pose with the laws of other states. See In re Hyundai and Kia Fuel Econ. Litig. , 926 F.3d 539, 561-62 (9th Cir. 2019); see also Olean , 31 F.4th at 665-66.

A. Implied Consent Defendants’ first objection to (b)(3) certification concerns user consent. Defendants say

users impliedly consented to sharing their personal information “through their conduct when they continued to use the application[] despite exposure to materials that disclosed the challenged practices.” Dkt. No. 490-2 at 10 (citation omitted). In defendants’ view, “it will be impossible to adjudicate implied consent on a classwide basis” because the “defense would be based on individual, and subjective, interactions of what certain class members knew, read, saw, or encountered.” Id. at 10-11 (citation omitted).

Not so. Consent may be express or implied, but as the Court concluded earlier in this case, it must be “actual.” Frasco v. Flo Health, Inc. , No. 21-cv-00757-JD, 2024 WL 4280933, at *2 (N.D. Cal. Sept. 23, 2024). “For consent to be actual, the disclosures must ‘explicitly notify’ users of the conduct at issue.” Calhoun v. Google, LLC , 113 F.4th 1141, 1147 (9th Cir. 2024) (quoting In re Google Inc. , No. 13-md-02430-LHK, 2013 WL 5423918, at *13 (N.D. Cal. Sept. 26, 2013)). The evidence of notice that must be established before an individual may be deemed to have consented is greater than that required to show she had inquiry notice. Consent “is only effective if the person alleging harm consented ‘to the particular conduct, or to substantially the same conduct’ and if the alleged tortfeasor did not exceed the scope of that consent.” Flo Health , 2024 WL 4280933, at *2 (quoting Calhoun , 113 F.4th at 1147).

Because defendants raise implied consent as an affirmative defense, they bear the burden of “invok[ing] individualized issues and provid[ing] sufficient evidence that the individualized issues bar recovery on at least some claims, thus raising the spectre of class-member-by-class- member adjudication of the issue.” Van , 61 F.4th at 1067. To be sure, plaintiffs “retain the burden of showing that the proposed class satisfies the requirements of Rule 23,” but the Court’s predominance analysis is limited to the “defenses [a defendant] has actually advanced and for which it has presented evidence.” True Health Chiro., Inc. v. McKesson Corp. , 896 F.3d 923, 931 (9th Cir. 2018). Speculation about events or issues for which a defendant has not offered evidence will not do. See, e.g. , Miles v. Kirkland’s Stores Inc. , 89 F.4th 1217, 1222 (9th Cir. 2024).

Defendants rely on three buckets of evidence as the ostensible proof of consent. The first bucket is press coverage involving a Wall Street Journal article from February 22, 2019, and other subsequent news articles reporting on Flo’s alleged misconduct. App’x 688-705. ^[8] Defendants made no effort to demonstrate that a meaningful portion of the proposed classes might have seen or read these three specific articles with, for example, evidence about the readership of the newspapers or articles. This shortfall is in distinct contrast to the presentation of such evidence in the cases defendants cite. See Brown v. Google, LLC , No. 20-cv-3664-YGR, 2022 WL 17961497, at *18-19 (N.D. Cal. Dec. 12, 2022) (evidence about how frequently the sources of the asserted disclosures were viewed and by whom); In re Google Inc. Gmail Litig. , No. 13-md-02430-LHK, 2014 WL 1102660, at *17 (N.D. Cal. Mar. 18, 2014) (same). Moreover, the earliest of the three articles was published less than a week before the end of the class period. App’x 688. Consequently, only class members who completed the onboarding process in that narrow timeframe might be covered. Such a tiny fraction of the class can be readily handled by the Court later in the case, as circumstances warrant. See Ruiz Torres , 835 F.3d at 1137. Defendants have not demonstrated otherwise and did not contend that implied consent can be retroactive under California law to the start of the class period.

The second bucket of evidence consists of privacy disclosures by each of the defendants. In making this argument, defendants came unacceptably close to misrepresentation. They say that “Flo’s June 2016 privacy policy explained Flo ‘may share information, including [users’] personally identifying information’ with third parties, ‘including . . . Facebook,” Dkt. No. 490-2 at 8 (alteration in original) (quoting App’x 1510), but they omitted, presumably purposefully, adjacent statements that Flo would not “sell or rent any of your personal information to third parties” and that disclosures will be “to help provide, understand and improve our application.” App’x 1510. Defendants also say Flo’s “May 2018 privacy policy informed users that ‘[a]mong others we may share your Personal Data with . . . Facebook and Google,” Dkt. No. 490-2 at 8 (alteration in original) (quoting App’x 1519-20), but they again omitted adjacent language stating that “[Flo] may share certain Personal Data, excluding information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share, with third party vendors who supply software applications, web hosting and other technologies for the App,” App’x 1519. The omissions subvert anything of potential value in defendants’ statements about the privacy disclosures and raise a troubling question of defendants’ candor with the Court.

It also bears mention that the evidence of Flo’s privacy disclosures is common to the class. The common disclosures will permit a jury to conclude in one fell swoop whether a reasonable person would have been on notice of, and so could impliedly consent to, “the particular conduct, or to substantially the same conduct.” Calhoun , 113 F.4th at 1147 (citation omitted). The relevance of Google and Meta’s privacy disclosures is not obvious in light of plaintiffs’ evidence of secret data sharing, but those disclosures, too, are subject to common proof.

Defendants’ third bucket of evidence consists of publications and studies from outside the United States or before the class period -- in some cases even before Flo was in business. App’x 708-11, 730-32, 737-43. Defendants did not say how foreign materials might reasonably have put a Flo App user in the United States on notice of the challenged conduct, or establish their consent “to the particular conduct, or to substantially the same conduct.” Calhoun , 113 F.4th at 1147 (citation omitted). The same goes for the materials dating from before the class period or Flo’s corporate existence. Moreover, the record indicates that, well after the older materials were published, Flo expressly represented to its users that it would “never share . . . any data related to your health with any third parties.” Dkt. No. 477-112 at 992. It is a riddle how publications pre- dating these representations could be a basis of subsequent notice or consent, especially in light of the plain meaning of “never” in Flo’s statement. And once again, defendants did not provide evidence of readership that might show that a meaningful portion of the class saw any of these publications. App’x 734-35, 745-47.

B. Contractual Limitations Period Defendants’ second overarching objection to (b)(3) certification concerns a contractual

limitations term. Plaintiffs mark February 28, 2019, as the end of the class period, and the original complaint was filed in January 2021. Dkt. Nos. 1; 477 at 1. Defendants say plaintiffs’ claims are “presumptively untimely” under a one-year deadline for filing a claim in the Flo App terms of service. Dkt. No. 490-2 at 7; App’x 1531, 1538. Defendants add that plaintiffs’ tolling argument, based on Flo’s alleged fraudulent concealment, poses an impediment to certification because “there is no way to figure out who knew what, and when, without a mini-trial for each Flo app user.” Dkt. No. 490-2 at 7.

The point is not well taken. To start, defendants were unduly vague about which party among them might permissibly assert the contractual defense. The provision is in Flo’s terms of service, but defendants suggest that Google and Meta might somehow benefit from it as well. See Dkt. No. 490-2 at 7. Why that might be so was never explained, and nothing in the plain language of the one-year period in Flo’s terms of service indicates that it might apply to Google and Meta. App’x 1531-39. Defendants made a vague aside that “there are various other (short) statutory limitations periods,” Dkt. No. 490-2 at 7 n.1, but that too was not explained or developed into a meaningful argument. The Court declines to take up plaintiffs’ equally underdeveloped suggestion, also buried in a footnote, that the limitations provision is unenforceable. Dkt. No. 496-3 at 3 n.4.

With respect to Flo, the one-year period in the terms of service is not a bar to certification. As a general rule, “the presence of individual issues of compliance with the statute of limitations” does not necessarily “defeat the predominance of the common questions.” Cameron v. E.M. Adams & Co. , 547 F.2d 473, 478 (9th Cir. 1976). That is particularly true when, as here, Flo’s representations to each class member were the same, which permits the question of fraudulent concealment to be answered on a classwide basis. See, e.g. , Dkt. Nos. 477-111; 477-112; 478-7 at 803; see also Bernson v. Browning-Ferris Indus. , 7 Cal. 4th 926, 931 (1994) (under the principle of fraudulent concealment, a “defendant’s fraud in concealing a cause of action against him tolls the applicable statute of limitations, but only for that period during which the claim is undiscovered by plaintiff or until such time as plaintiff, by the exercise of reasonable diligence, should have discovered it.” (quotations and citation omitted)).

The question of whether and when putative class members might have had inquiry notice, see Dkt. No. 490-2 at 7-10, is also amenable to a classwide answer of “yes” or “no” based on common proof. The standard for inquiry notice under California law is an objective one. See Brewer v. Remington , 46 Cal. App. 5th 14, 24 (2020). The jury here will need only to look to the Flo App’s privacy representations and the news articles that Flo believes provided notice to decide whether a reasonable person was on inquiry notice of the alleged wrongdoing. ^[9] See Jolly v. Eli Lilly & Co. , 44 Cal. 3d 1103, 1110-11 (1988); Brewer , 46 Cal. App. 5th at 24. Assuming in Flo’s favor purely for discussion that the hurdle of proving widespread readership has been crossed, the answer will be common to all users. See Unruh-Haxton v. Regents of Univ. of Cal. , 162 Cal. App. 4th 343, 364 (2008). ^[10]

In all other respects, the issue of actual notice cannot do the work Flo asks of it. “The existence of a statute of limitations issue does not compel a finding that individual issues predominate over common ones” where there is “a sufficient nucleus of common questions.” Williams v. Sinclair , 529 F.2d 1383, 1388 (9th Cir. 1975); see Cameron , 547 F.2d at 478. As discussed, plaintiffs have established such a nucleus. Consequently, the Court cannot conclude that the questions raised by the contractual limitations defense are “more prevalent or important” than “the common, aggregation-enabling, issues in the case.” Olean , 31 F.4th at 664.

C. Class Action Waiver The third overarching objection to certification concerns a waiver of class actions. The Flo

App’s terms of service state that “[a]ll claims between the parties related to this Agreement will be litigated individually and the parties will not consolidate or seek class treatment for any claim, unless previously agreed to in writing by the parties.” ^[11] App’x 1531, 1538.

Plaintiffs’ challenge to the waiver on grounds of unconscionability, Dkt. No. 496-3 at 15, is sustained. “Under California law, a contract provision is unenforceable due to unconscionability only if it is both procedurally and substantively unconscionable.” Shroyer v. New Cingular Wireless Servs., Inc. , 498 F.3d 976, 981 (9th Cir. 2007). Procedural unconscionability focuses on “oppression or surprise due to unequal bargaining power,” while substantive unconscionability is concerned with “overly harsh or one-sided results.” Discover Bank v. Superior Court , 36 Cal. 4th 148, 160 (2005) (cleaned up), abrogated on other grounds by AT&T Mobility LLC v. Concepcion , 563 U.S. 333 (2011). Each element need not be present in equal degrees; “the more substantively oppressive the contract term, the less evidence of procedural unconscionability is required . . . and vice versa.” Armendariz v. Found. Health Psychcare Servs., Inc. , 24 Cal. 4th 83, 114 (2000). The basic “notion [is] that unconscionability requires a substantial degree of unfairness beyond ‘a simple old-fashioned bad bargain .’” Sanchez v. Valencia Hold. Co., LLC , 61 Cal. 4th 899, 911 (2015) (emphasis in original) (citation omitted). Although class action waivers are not categorically unconscionable in California, enforcement may be denied when they are “found in a consumer contract of adhesion in a setting in which disputes between the contracting parties predictably involve small amounts of damages, and when it is alleged that the party with the superior bargaining power has carried out a scheme to deliberately cheat large numbers of consumers out of individually small sums of money.” Discover Bank , 36 Cal. 4th at 162.

Flo says that Discover Bank does not apply here and that the waiver should be enforced because the claims do not involve small sums of money. Dkt. No. 490-2 at 25. As Flo points out, plaintiffs seek thousands of dollars in statutory damages. Id.

But the California Court of Appeal has expressly concluded that Discover Bank did not “hold that class action waivers are unconscionable only in the circumstances it described” and has found such waivers unenforceable due to unconscionability even when the plaintiffs’ recovery would not be insubstantial. See, e.g. , Cohen v. DIRECTV, Inc. , 142 Cal. App. 4th 1442, 1451, 1453-55 (2006) (discussing cases); Indep. Ass’n of Mailbox Ctr. Owners, Inc. v. Superior Court , 133 Cal. App. 4th 396, 404 n.4, 409-10 (2005); see also Shroyer , 498 F.3d at 983 (“[T]here are most certainly circumstances in which a class action waiver is unconscionable under California law despite the fact that all three parts of the Discover Bank test are not satisfied.”). ^[12]

As the Supreme Court of California has determined, the unconscionability analysis is “highly dependent on context.” Sanchez , 61 Cal. 4th at 911. The specific context of Flo’s conduct reveals a high degree of procedural unconscionability. The waiver is in a contract of adhesion which was offered to users on a “take it or leave it” basis. See, e.g. , Ronderos v. USF Reddaway, Inc. , 114 F.4th 1080, 1089-90 (9th Cir. 2024). It is presented under the heading “Miscellaneous” as a single sentence at the end of the terms of use. See, e.g. , App’x 1531; Dkt. Nos. 447-121 at 573; 477-122 at 585. It is not visually highlighted or differentiated in any way, even though other liability-limiting terms were presented in all caps and with much more specific headings such as “Limitation of Liability” or “Medical Services Disclaimer.” See, e.g. , App’x 1529-31; Dkt. Nos. 477-121 at 571-73; 477-123 at 551, 553-555. In effect, the waiver was buried in a manner that made it likely a user’s attention was not drawn to it. That is a hallmark of procedural unconscionability. See OTO, LLC v. Kho , 8 Cal. 5th 111, 126 (2019); Discover Bank , 36 Cal. 4th at 160.

In light of the marked degree of procedural unconscionability, “less evidence of [substantive] unconscionability is required.” Shroyer , 498 F.3d at 981-82 (citation omitted). That bar is met. The waiver’s effect is “to deny a procedural benefit only [Flo’s] customers would employ,” which suggests the term is “manifestly and shockingly one-sided,” Ingle v. Circuit City Stores, Inc. , 328 F.3d 1165, 1176 (9th Cir. 2003), abrogated on other grounds by Concepcion , 563 U.S. 333, as app developers “typically do not sue their customers in class action lawsuits,” Szetela v. Discover Bank , 97 Cal. App. 4th 1094, 1101 (2002). The waiver “serves as a disincentive for [Flo] to avoid the type of conduct that might lead to class action litigation in the first place,” which compounds the term’s “one-sided” nature. Discover Bank , 36 Cal. 4th at 159 (quoting Szetela , 97 Cal. App. 4th at 1101).

Overall, the waiver is unconscionable on procedural and substantive grounds for many of the same reasons as those given in Discover Bank and the California cases that followed. Under the context-specific analysis California law requires, see Sanchez , 61 Cal. 4th at 911, the Court concludes the class action waiver in Flo’s terms of use cannot be enforced to bar certification.

D. Standing Defendants liberally sprinkled comments about plaintiffs’ standing to sue in their brief.

See, e.g. , Dkt. No. 490-2 at 12:8-16, 14 at 14:10-19, 15:10, 16:2-3. These are less than they may seem because the standing contentions for the most part simply repeated the same points made with respect to the merits of a claim. For example, defendants said a class member lacks standing if she “cannot prove sensitive information was disclosed.” Dkt. No. 490-2 at 12. This and similar statements merely repackage defendants’ arguments about the merits as ostensible standing concerns, which adds nothing meaningful to the certification analysis. If anything, this tactic simply underscored that defendants’ standing arguments are inextricably intertwined with the merits for determination later in the case. See Patel v. Facebook, Inc. , 290 F. Supp. 3d 948, 956 (N.D. Cal. 2018); Callaghan v. BMW of N.A., LLC , No. 13-cv-04794-JD, 2014 WL 6629254, at *3 (N.D. Cal. Nov. 21, 2014).

The only potential standing issue that warrants further discussion concerns anonymized data. A plaintiff suffers an injury in fact from “‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc. v. Robins , 578 U.S. 330, 339 (2016) (citation omitted). Defendants suggest that the interception of anonymized information is not a “concrete” injury within the meaning of these requirements, and so certification should be denied across the board. Dkt. No. 490-2 at 18 (citing TransUnion LLC v. Ramirez , 594 U.S. 413 (2021)).

The point is not well taken. Individuals have a time-honored right to control access to their private information and affairs. See Patel , 290 F. Supp. 3d at 954. “The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others.” U.S. Dep’t of Just. v. Reporters Comm. for Freedom of Press , 489 U.S. 749, 763 n.15 (1989) (quoting Warren & Brandeis, The Right to Privacy, 4 H ARV . L. R EV . 193, 198 (1890-1891)). Consequently, the legal injury at the heart of plaintiffs’ case -- the capture of personal information without a user’s consent -- occurs when the personal information is obtained in the first instance. The fact that misappropriated data may be anonymized by stripping it from its owner and blending it with other data does not cure or wash away the original violation. A stolen diamond remains stolen even if it makes its way into a bag with legal stones or the thief does not know from whom he took it. To conclude otherwise would give carte blanche to obtaining and exploiting consumers’ private and sensitive information without consent.

Our case law underscores the principle that the privacy injury occurs at the point of interception without consent, irrespective of whether the misappropriated data is anonymized. For example, the Ninth Circuit consults the Restatement (Second) of Torts to determine if harms are “concrete” because they “bear a ‘close relationship’ to [harms] that have ‘traditionally been regarded as providing a basis for a lawsuit.’” Campbell v. Facebook, Inc. , 951 F.3d 1106, 1117 (9th Cir. 2020) (quoting Spokeo , 578 U.S. at 341); see, e.g. , Wakefield v. ViSalus, Inc. , 51 F.4th 1109, 1118, n.6 (9th Cir. 2022); see also Hill v. Nat’l Collegiate Athletic Ass’n , 7 Cal. 4th 1, 24 (1994) (“California common law has generally followed Prosser’s classification of privacy interests as embodied in the Restatement [Second].”). The Restatement provides that intrusion upon seclusion -- one of the claims plaintiffs allege -- “consists solely of an intentional interference with [a person’s] interest in solitude or seclusion, either as to his person or as to his private affairs or concerns.” Restatement 2d (Am. Law Inst. 1977) § 652B cmt. a. It is the “intrusion itself [that] makes the defendant subject to liability,” such as “the use of the defendant’s senses, with or without mechanical aids, to oversee or overhear the plaintiff’s private affairs, as by . . . tapping his telephone wires.” Id. cmt. b. The fact that misappropriated information might be laundered in some way to hide the owner’s identity is of no moment to the commission of the tort.

Consequently, the harm made actionable at common law was an individual’s loss of control over her “private affairs or concerns” by an interloper’s tortious “intentional interference.” Restatement 2d § 652B cmt. a; see also In re Facebook, Inc. Internet Tracking Litig. ( In re Facebook ), 956 F.3d 589, 599 (9th Cir. 2020) (“Facebook’s tracking practices allow it to amass a great degree of personalized information. . . . without affording users a meaningful opportunity to control or prevent the unauthorized exploration of their private lives.”). Put in terms of standing, the loss of control over one’s personal information is the “concrete” harm, whether from stealing access to a personal diary in 1916 or obtaining user information in a healthcare app in 2016. In each case, a person has lost control over her private information because of another’s intentional actions.

Defendants’ reliance on TransUnion does not lead to a different conclusion. Dkt. No. 490-2 at 18-19. TransUnion reaffirmed that intrusion upon seclusion is a tort “traditionally recognized as providing a basis for lawsuits in American courts.” 594 U.S. at 425. The Supreme Court determined that the injuries claimed by many class members there were not sufficiently analogous to the common law tort of defamation because the harms against which the common law protected stemmed from the publication or disclosure of false or misleading information. Id. at 433-39. TransUnion had nothing to say about the surreptitious appropriation of private yet anonymized data, nor did it substantively address the tort of intrusion upon seclusion. And despite defendants’ suggestions to the contrary, TransUnion did not affect a sea change in the law of standing. See, e.g. , Wakefield , 51 F.4th at 1118 (“In TransUnion , the Supreme Court reaffirmed the preexisting rule that an intangible injury qualifies as ‘concrete’ when that injury bears a ‘close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.’” (citation omitted)).

The other cases cited by defendants also fall short. See Dkt. No. 490-2 at 18-19. In Dinerstein v. Google LLC , the plaintiff abandoned an intrusion-upon-seclusion claim to pursue a novel medical-confidentiality theory, “the closest comparator” to which was “probably the tort of publicity given to private life.” 73 F.4th 502, 512-13 (7th Cir. 2023). There, the Seventh Circuit concluded that “the dissemination of anonymized information” would not give rise to an injury in fact because “[a]bsent an ability to identify the complainant, there can be no communication and hence, no publicity.” Id. at 513-14 (emphasis in original) (quoting Harris ex rel. Harris v. Easton Publ’g Co. , 335 Pa. Super. 141, 157 (1984)). That observation has no application to this case, which does not involve any publicity torts. Similarly, Cahen v. Toyota Motor Corp , 717 Fed. App’x. 720, is also distinguishable. There, in the context of affirming a 12(b)(6) dismissal, the Ninth Circuit stated in an unpublished decision that plaintiffs had failed to plead “sufficient facts demonstrating how the aggregate collection and storage of non-individually identifiable driving history and vehicle performance data causes an actual injury,” where “there [were] no specific allegations as to why this data [was] sensitive or individually identifiable.” Id. at 724. Here, as discussed above, plaintiffs have pleaded and offered common proof of their allegations that their highly personal health information was disclosed without their consent, along with data that could be used to identify individuals.

Consequently, defendants’ standing arguments pose no barrier to certification. With these overarching objections resolved, the Court now turns to the certification analysis for the specific claims for which plaintiffs seek certification.

E. Intrusion Upon Seclusion and California Constitutional Privacy Claim Plaintiffs seek (b)(3) certification of a nationwide class for their intrusion upon seclusion

claim, and a California subclass for their claim of invasion of privacy under the California Constitution. These claims are alleged against Flo only. The Court will analyze commonality and predominance for these two claims together, as the parties have done. When, as here, these claims are brought on the same factual basis, “it is appropriate to assess the two claims together and examine the largely parallel elements of these two claims which call on the Court to consider (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests.” Cherkin v. PowerSchool Holdings, Inc. , No. 24-cv-02706-JD, 2025 WL 844378, at *2 (N.D. Cal. Mar. 17, 2025) (cleaned up) (citation omitted).

“The Supreme Court of California has emphasized the ‘context specific nature of the inquiry’ for these claims.” Id. (citation omitted). It has stated that “privacy interests and accompanying legal standards are best viewed flexibly and in context” and “[a] plaintiff’s expectation of privacy in a specific context must be objectively reasonable under the circumstances, especially in light of the competing social interests involved.” Hill , 7 Cal. 4th at 26-27, 31. “For the offensiveness or seriousness of the intrusion on privacy, ‘California tort law provides no bright line,’ and ‘each case must be taken on its facts.’” Cherkin , 2025 WL 844378, at *2 (citation omitted). The salient question is whether the invasion was “highly offensive to a reasonable person, and sufficiently serious and unwarranted so as to constitute an egregious breach of the social norms.” In re Facebook , 956 F.3d at 606 (quotations and citation omitted).

Plaintiffs’ privacy claims pose a number of questions common to all class members, such as: (1) Did the Custom Events generated during user onboarding share private health information?; (2) Was private information transmitted to Google and Meta?; (3) Did Flo assure users via the terms of service and other statements that it would not share private health information?; and (4) Was the transmission of such information and defendants’ subsequent commercial exploitation of it highly offensive to a reasonable person? These classwide questions inform the resolution of the privacy claims, and they may be answered by evidence common to the class, namely the evidence proffered by plaintiffs that was summarized above. This includes evidence with respect to the Custom Events, Flo’s solicitations of user information, the functionality of the SDKs, and defendants’ use of the disclosed information. Much of this evidence comes from the defendants themselves, which bolsters the case for certification. See Just Film , 847 F.3d at 1121 n.3 (“These issues are appropriate for classwide litigation because they focus on [defendants’] conduct.”). Consequently, commonality and predominance are satisfied for plaintiffs’ intrusion upon seclusion and California constitutional privacy claims.

Defendants resist this conclusion on three main grounds: (1) determining whether the transmitted data included health information entails individualized questions; (2) plaintiffs did not consider the transmitted data to be private; and (3) there are questions of whether the transmitted data was accurate and actually about the user. None of the objections are well taken.

To start, defendants say that “most of the challenged Custom Events reflect only whether a user entered certain information” and “[t]here are no data that can be used to determine what Custom Events the Flo app sent to” Google and Meta for each Flo App user. Dkt. No. 490-2 at 12-13 (emphasis omitted). Defendants contend there will need to be individualized inquiries about each users’ onboarding responses to determine if those responses conveyed private health information. Id. at 12. In effect, defendants object that plaintiffs are wrong on the merits about the communication of personal health information.

Defendants misunderstand the Rule 23 inquiry. See Lytle v. Nutramax Labs., Inc. , 114 F.4th 1011, 1026 (9th Cir. 2024). Although there must be a “rigorous assessment of the available evidence,” Olean , 31 F.4th at 666 (quoting In re Hydrogen Peroxide Antitrust Litig. , 552 F.3d 305, 312 (3d Cir. 2008)), “[t]he focus of the predominance inquiry ‘is whether the method of proof would apply in common to all class members,’ ‘not whether the method of proof would or could prevail.’” Lytle , 114 F.4th at 1026 (citation omitted); see Stockwell v. City & Cnty. of San Francisco , 749 F.3d 1107, 1112 (9th Cir. 2014). As discussed, the evidence with respect to user onboarding and Custom Events is all of one stripe for the class. Plaintiffs’ evidence about the transmission of Custom Events, the names of the Custom Events, and whether the words used in those names can be understood to convey sensitive health information, demonstrate that they have a classwide method of resolving the merits questions. That is all that is presently required. See Lytle , 114 F.4th at 1026. Consequently, the question of whether health information was conveyed is answerable with common evidence, and defendants have not shown otherwise.

Defendants suggest that users did not share the same information during onboarding (e.g., some users chose “get pregnant” while others chose “track my cycle”), and so a variation in expectations of privacy necessarily arises. Dkt. No. 490-2 at 13-14. Defendants also make the somewhat duplicative argument that the privacy claims necessarily entail individual inquiries because they require users to have “conducted themselves in a manner consistent with an actual expectation of privacy.” Id. at 15 (cleaned up). In defendants’ view, this means certification should be denied because plaintiffs “cannot prove, on a classwide basis, that each Flo user treated the information sent to Google and Meta as private,” and evidence on this point can be obtained only “through plaintiff-specific discovery.” Id. at 15-17 (cleaned up).

These objections are in conflict with the evidence and the law. With respect to the facts, defendants did not proffer any evidence indicating that the choice of a specific Custom Event by a user necessarily entailed a different or lesser expectation of privacy. Given the evidence that the Custom Events involved information like a user’s last menstrual period and number of weeks of pregnancy and that Flo made the same substantive representations to all users about their personal information, it is not obvious that fine degrees of privacy expectations are in play. In effect, defendants merely speculate on this point, which is not a basis to deny certification. See True Health , 896 F.3d at 932. It also bears repeating that evidence of the Custom Events and related facts are subject to classwide proof.

California law also undercuts defendants’ theory. The Supreme Court of California has concluded that “[a] ‘reasonable’ expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms” and that “customs, practices, and physical settings surrounding particular activities may create or inhibit reasonable expectations of privacy.” Sheehan v. San Francisco 49ers, Ltd. , 45 Cal. 4th 992, 1000 (2009) (alteration omitted) (quoting Hill , 7 Cal. 4th at 36-37). Defendants pluck a single sentence from Hill to the effect that “the plaintiff in an invasion of privacy case must have conducted him or herself in a manner consistent with an actual expectation of privacy.” 7 Cal. 4th at 26; Dkt. No. 490-2 at 15. But as plaintiffs point out, this language “merely confirm[s] that consent is a defense” and so does not suggest that individual issues will predominate. Dkt. No. 496-3 at 9; see Hill , 7 Cal. 4th at 26 (“[T]he plaintiff in an invasion of privacy case must have conducted himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant.” (emphasis added)). Consent does not turn on individual class members’ subjective understandings of privacy disclosures, see Calhoun , 113 F.4th at 1147, and is not a bar to predominance for the reasons discussed in Section III.A, supra .

Defendants’ final challenge to predominance for these privacy claims is a hash of overlapping propositions. They say that plaintiffs cannot prove on a classwide basis that the information transmitted was: (1) about the user and not another person; (2) accurate about the user and not made up; and (3) capable of identifying a particular user. Dkt. No. 490-2 at 18-19. In effect, defendants say that the collection of an actual user’s personal health information cannot be demonstrated by anything less than individualized inquiries. Id. at 18.

The record again rebuts defendants’ theory. To start with the first proposition -- the authenticity of user information provided during the onboarding process -- defendants rely on four sentences of deposition testimony stating: “[W]e have at least 15 percent of users who are male and they’re using our apps. I don’t know why. There’s like some suggestions. I mean, like, ideas why they use it and in most of the cases it’s like to learn about the human body.” Dkt. No. 490-2 at 19; App’x 1501. Defendants take this testimony to mean that the proposed classes include imposters who were not subject to privacy violations, which they believe bars certification.

Not so. Taking all of defendants’ proffers at face value for present purposes, defendants did not demonstrate that a certain rate of “fakes” would so overwhelm common questions and answers that class certification would be inappropriate. See Olean , 31 F.4th at 669; Ruiz-Torres , 835 F.3d at 1136. In addition, the fact that Flo was able to measure the 15% figure indicates that it can identify “fakes” based on its own classwide data. That is all that is required for purposes of Rule 23. An aside by a putative expert for defendants that “[s]omeone could be navigating the app for another person (a loved one) or out of curiosity about the app,” App’x 1667; see Dkt. No. 490- 2 at 19, is of no moment. The comment is purely speculative and does not establish a need for individualized inquiries. See Miles , 89 F.4th at 1222.

So too for the suggestion of fictitious information. Defendants offer a mishmash of random tidbits for this objection, such as a handful of birth dates that are said to look odd. See Dkt. No. 490-2 at 19; App’x 810-11; Dkt. No. 478-4 at 019. Some of the tidbits are simply baffling. Defendants cite testimony by Flo’s Chief Product Officer that “we have, like, quite a lot of users who, like, just in case you’re there and clicks like all like buttons for like event and so their decisions.” Dkt. No. 490-2 at 19 (quoting App’x 1501). The remark is literally incomprehensible and properly disregarded for that reason. Overall, defendants again did not demonstrate that individual questions will overwhelm the common inquiries and answers.

The same goes for a comment made by one of plaintiffs’ experts to the effect that her husband uses the Flo App “to mess around with data that may be getting analyzed . . . in light of the overturning of Roe versus Wade,” and that she had heard other men do the same. App’x 470- 71, 508-09; Dkt. No. 490-2 at 19. Random anecdotes are not proof that individualized inquiries will overwhelm the proposed classes here. In addition, the Supreme Court overruled Roe v. Wade , 410 U.S. 113 (1973), over three years after the end of the class period. See Dobbs v. Jackson Women’s Health Org. , 597 U.S. 215 (2022).

Defendants’ references to a couple of consumer surveys did not strengthen their position. The first is a generic survey of consumers in the United Kingdom. App’x 765-70. Defendants favor the survey because it says that consumers “are deliberately giving brands false data” and “60% of consumers intentionally provide incorrect information when submitting their personal details online.” App’x 767-6. Defendants did not tie this generalized observation in any meaningful way to the behavior of Flo App users in the United States. Moreover, critical information about the survey’s methodology, validity, and reliability was not provided. So too for a second survey, again unrelated to Flo, purporting to find that “72% of our respondents say they sometimes provide fake personal information to access website content.” App’x 750, 753. This observation is again untethered to the behavior of plaintiffs or class members here, who downloaded an app for the express purpose of tracking information related to conception and pregnancy, menstruation, and the like.

For user identifiability, defendants say “[t]here are many reasons why data associated with a device may not have been associated with a specific person, including because some people may share devices or reset their device identifiers.” Dkt. No. 490-2 at 19. This is said to require individual inquiries into whether data tied to a persistent identifier in fact identified an individual user. But defendants did not proffer any evidence to establish that a meaningful number of putative class members either changed their device’s persistent identifier or shared with another person the device on which they used the Flo App. See True Health , 896 F.3d at 932. For their part, plaintiffs cited evidence to the contrary stating that “only 2.3% of US Android users accessed these settings to opt out of ad personalization.” Egelman Rep. ¶ 30. The Court will not “root through the record” for other evidence that defendants did not identify. CZ Servs., Inc. v. Express Scripts Hold. Co. , No. 18-cv-04217-JD, 2020 WL 4368212, at *3 (N.D. Cal. July 30, 2020).

In sum, commonality and predominance are satisfied for the nationwide class’s intrusion upon seclusion claim, and the California subclass’s California constitutional privacy claim. F. Confidentiality of Medical Information Act (CMIA) Plaintiffs seek the certification of a nationwide class against Flo for the claim under

California’s Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §§ 56 et seq . The statute states that “[n]o provider of health care . . . shall disclose medical information regarding a patient of the provider of health care . . . without first obtaining an authorization.” Regents of Univ. of Cal. v. Superior Court , 220 Cal. App. 4th 549, 559 (2013) (quoting Cal. Civ. Code § 56.10(a)). Individuals may sue an “entity who has negligently released confidential information or records concerning him or her in violation of this part, for . . . nominal damages of one thousand dollars,” and “it is not necessary that the plaintiff suffered or was threatened with actual damages.” Cal. Civ. Code § 56.36(b)(1). “[A] breach of confidentiality under the CMIA requires a showing that an unauthorized party viewed the confidential information.” Vigil v. Muir Med. Grp. IPA, Inc. , 84 Cal. App. 5th 197, 213 (2022).

“Medical information” is defined as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care . . . regarding a patient’s medical history, mental health application information, reproductive or sexual health application information, mental or physical condition, or treatment.” Cal. Civ. Code § 56.05(j). “Reproductive or sexual health application information” refers to “information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual health, or gender identity.” Id. § 56.05(q). “‘Individually identifiable’ means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual . . . [including] other information that, alone or in combination with other publicly available information, reveals the identity of the individual.” Id. § 56.05(j). “Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . for purposes of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.” Id. § 56.06(b).

Plaintiffs have adduced evidence demonstrating commonality and predominance for this claim. The question of whether Flo was a healthcare provider can be answered on a classwide basis by common proof of Flo’s services and practices. See, e.g. , Dkt. Nos. 478-5 at 090; 478-83 at 629; 478-84 at 557. The common evidence of Flo’s privacy representations, the surreptitious transmission of the onboarding-process Custom Events, and the subsequent commercial appropriation of that data can be offered as common proof that Flo was at least negligent in sharing medical information without users’ authorization, see Berkley v. Dowds , 152 Cal. App. 4th 518, 526 (2007), and that the information was viewed.

Flo suggests there may be individualized issues about “actual damages,” Dkt. No. 490-2 at 20, but that makes scant sense. Plaintiffs are seeking statutory damages under the CMIA, a fact which is the same for all class members. See Cal. Civ. Code § 56.36(b)(1) (“In order to recover [statutory damages], it is not necessary that the plaintiff suffered or was threatened with actual damages.”).

Flo also says that predominance cannot be shown because “determining whether Flo app users ‘took measures to protect against the misuse of their information’ and whether ‘third parties could have obtained this information through other means’” are inherently individualized inquiries. Dkt. No. 490-2 at 15 (citing Vigil , 84 Cal. App. 5th at 222). Not so. Vigil held the CMIA requires showing that an unauthorized person viewed the medical information and the healthcare provider’s negligence was the cause. 84 Cal. App. 5th at 213-15. As discussed above, plaintiffs here have offered common proof of those elements. While the Vigil court denied certification because the plaintiff there “presented no evidence indicating whose information was viewed” for the nearly 5,500 putative class members, id. at 221, the circumstances here are different. Plaintiffs have satisfied commonality and predominance for the CMIA claim.

G. Comprehensive Data Access and Fraud Act (CDAFA) Plaintiffs seek certification of a nationwide class for claims under California’s

Comprehensive Data Access and Fraud Act (CDAFA), Cal. Pen. Code § 502, against Flo, Meta, and Google. The statute provides a cause of action for “owner[s] or the lessee[s] of the computer . . . or data[,] who suffer[] damage or loss” by virtue of a violation of CDAFA, against anyone who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network” and anyone who “[k]nowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.” Id. §§ 502(c)(2), (c)(6), (e)(1).

Plaintiffs’ bid for certification falters here because they did not proffer classwide evidence of “damage or loss” under CDAFA. Plaintiffs’ sole contention is that their data had financial value, which they base entirely on the opinions of a putative expert, David Hoffman. See Dkt. No. 477 at 18-19. The Court has determined that Hoffman may not provide opinions or testimony at trial under FRE 702. Dkt. No. 597. Even if Hoffman’s testimony were admissible, it would not show that Flo App users “ever attempted or intended to participate in [the women’s health data market], or otherwise derive economic value from their [health data].” Moore v. Centrelake Med. Grp., Inc. , 83 Cal. App. 5th 515, 538 (2022). ^[13]

Contrary to plaintiffs’ suggestion, the Court did not conclude that CDAFA does not require “proof of ‘loss of income’ or other ‘actual’ injury beyond [a] privacy violation.” Dkt. No. 496-3 at 13. The summary judgment order determined that Google had not met its burden of establishing it was “entitled to judgment as a matter of law” under Rule 56(a) on the CDAFA claim. Flo Health , 2024 WL 4280933, at *3. This was because Google did not cite California state cases and did not engage with the plain language of the statute, among other shortfalls. See Dkt. No. 338 at 20-21. Plaintiffs now bear the burden of establishing commonality and predominance for certification. See Google Play Store , 2022 WL 17252587, at *4. The sole evidentiary basis they advanced to show “damage or loss” for their CDAFA claims does not demonstrate the issue can be decided on a classwide basis, and the individualized inquiry that Moore requires will predominate over other common questions. Certification for the CDAFA claims is denied. ^[14]

H. Breach of Contract For the breach of contract claim against Flo, which plaintiffs seek to litigate on behalf of a

nationwide class, California law requires evidence of “the existence of the contract, performance by the plaintiff or excuse for nonperformance, breach by the defendant and damages.” First Comm’l Mortg. Co. v. Reece , 89 Cal. App. 4th 731, 745 (2001). Plaintiffs’ evidence can answer the various questions posed by this claim on a classwide basis: (1) whether use of the Flo App was governed by a contract and the terms of that contract; (2) whether Flo promised users it would not share their health information; and (3) whether Flo breached that promise by sharing users’ health information with Google and Meta. The answers to the first and second questions are ascertainable by a review of Flo’s terms of use and privacy disclosures during the class period, and the third can be shown by evidence relating to the Custom Events, the SDKs, and the data that Google and Meta did or did not receive during the class period.

Contrary to Flo’s contention, see Dkt. No. 490-2 at 20 (citing Aguilera v. Pirelli Armstrong Tire Corp. , 223 F.3d 1010 (9th Cir. 2000)), California law does not require a showing of “actual damage” for a breach of contract claim. Recent rulings by the California Court of Appeal expressly disagreed with Aguilera and held that “California courts have applied section 3360 to conclude that ‘[a] plaintiff is entitled to recover nominal damages for the breach of a contract, despite inability to show that actual damage was inflicted upon him.’” ^[15] Elation Sys., Inc. v. Fenn Bridge LLC , 71 Cal. App. 5th 958, 965-67 (2021) (quoting Sweet v. Johnson , 169 Cal. App. 2d 630, 632 (1959)); Garcia v. Bank of Stockton , No. F084375, 2023 WL 8795765, at *8 (Cal. Ct. App. Dec. 20, 2023) (unpub.); see also Cal. Civ. Code § 3360 (“When a breach of duty has caused no appreciable detriment to the party affected, he may yet recover nominal damages.”). Flo did not present a good argument that the California Supreme Court would reach a contrary conclusion, so the Court will follow these decisions as the statements of California law. See Cherkin , 2025 WL 844378, at *1. In consequence, individual questions about actual damages do not defeat predominance because no such questions are posed.

I. California Invasion of Privacy Act (CIPA) Plaintiffs seek the certification of a California subclass for claims against Google and Meta

under the California Invasion of Privacy Act (CIPA), Cal. Pen. Code §§ 631-32. Section 631 prohibits the use, or attempted use, of “electronic means to ‘learn the contents or meaning’ of any ‘communication’ ‘without consent’ or in an ‘unauthorized manner.’” In re Facebook , 956 F.3d at 607 (quoting Cal. Pen. Code § 631(a)). Section 632 makes it unlawful to “intentionally and without consent of all parties to a confidential communication” use a “recording device to eavesdrop upon or record the confidential communication.” Cal. Pen. Code § 632(a). A “confidential communication” is one “carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.” Id. § 632(c).

Plaintiffs’ evidence is capable of showing on a classwide basis that (1) Google and Meta intercepted and recorded users’ communications with Flo via their SDKs’ transmission of the Custom Events; (2) users expected those communications to be private based on Flo’s representations; (3) the interception and recordings were without users’ consent; (4) Google and Meta used the intercepted and recorded communications for their own commercial gain; and (5) Google and Meta intended to do so, as evinced by the design of their SDKs and their attempts to continue collecting the same information even after Flo sought to remove the SDKs.

Google and Meta say individual issues will predominate because plaintiffs will need to prove the communications were “being sent from, or received at any place within” California. Cal. Pen. Code § 631(a). They state that most of the servers for the SDKs are located outside California and there is no classwide method of determining whether California resident users completed the onboarding process while they were in California. Dkt. No. 490-2 at 22-23. Defendants do not explain why this might be relevant to the § 632 claim as nothing in the plain text of that section suggests such a geographic limitation, but the point is well taken for plaintiffs’ claim under § 631.

Plaintiffs say they have evidence demonstrating that “Flo’s location data shows which users were in California,” Dkt. No. 496-3 at 12, but they fall short of showing which users completed the onboarding process in California. The evidence consists of a few exhibits containing hundreds of lines of incomprehensible code, and a line or two reading something like “‘time_zone’:‘America/New_York.’” Dkt. No. 478-44 at 004. What this evidence might mean or how it is germane to certification is unexplained. Consequently, it does not resolve the server location question in a reasonable manner for the putative class. Plaintiffs make the passing comment that they have evidence that Google and Meta are “based in California, where they designed their SDKs and use the data intercepted through that technology.” Dkt. No. 496-3 at 12. That also does not answer the salient question. The case plaintiffs cite is inapposite because the complaint there alleged the defendants “received the interception” in California and “intercepted Plaintiff’s and Class members’ communications and data with Favor, who is headquartered in California, in real time.” Doe v. FullStory, Inc. , 712 F. Supp. 3d 1244, 1260 (N.D. Cal. 2024). Plaintiffs lack similar evidence here.

Commonality and predominance are demonstrated for the CIPA § 632 claim, but not for the § 631 claim. IV. RULE 23(b)(3) SUPERIORITY

“The final certification question [for certification under Rule 23(b)(3)] is whether the ends of justice and efficiency are served by certification.” DZ Reserve v. Meta Platforms, Inc. , No. 18- cv-04978-JD, 2022 WL 912890, at *9 (N.D. Cal. Mar. 29, 2022), aff’d in part by 96 F.4th 1223 (9th Cir. 2024), cert. denied 145 S.Ct. 1051 (Mem.) (2025). There is no doubt that a class action is the superior method of adjudicating the users’ claims, compared to those millions of users individually suing the three remaining defendants.

The record amply demonstrates discovery was complicated and voluminous, to say the least, and defendants are represented by law firms with deep resources, all of which demonstrate that litigating these claims entails “relatively high costs.” Just Film , 847 F.3d at 1123; see DZ Reserve , 2022 WL 912890, at *9 (noting the “cost and other resources required to litigate against a company like Meta”). Resolution of the common questions discussed in this order on a classwide basis will promote efficiency by (1) bypassing the need to relitigate identical questions and conduct nearly identical discovery in parallel litigations and (2) avoiding the strain on scarce judicial resources that suits by individual Flo App users would impose. See Just Film , 847 F.3d at 1123-24; Valentino v. Carter-Wallace, Inc. , 97 F.3d 1227, 1234-35 (9th Cir. 1996). Superiority is satisfied. V. RULE 23(b)(2)

Plaintiffs’ cursory request to certify nationwide and California classes for injunctive relief under Rule 23(b)(2), Dkt. No. 477 at 24-25, is denied. A Rule 23(b)(2) class is “appropriate only where the primary relief sought is declaratory and injunctive.” Zinser , 253 F.3d at 1195. The focus for most of the plaintiffs’ claims was on some sort of monetary relief, and plaintiffs’ motion papers hardly gave the proposed injunctive relief classes any attention. The denial is without prejudice to “the possibility of an injunction ancillary to an award of damages, which may be considered later in the case as warranted by developments.” Google Play Store , 2022 WL 17252587, at *15.

CONCLUSION

The following nationwide class is certified under FRCP Rule 23(b)(3) for plaintiffs’ CMIA, breach of contract, and intrusion upon seclusion claims against Flo: All Flo App users in the United States who entered menstruation and/or pregnancy information into the Flo Health App between November 1, 2016, and February 28, 2019, inclusive.

Plaintiffs Erica Frasco, Sarah Wellman, Jennifer Chen, Tasha Gamino, and Autumn Meigs are appointed as named representatives for the nationwide class.

The following California subclass is certified under Rule 23(b)(3) for plaintiffs’ invasion of privacy claim against Flo under Art. 1, Sec. 1 of the California Constitution, and CIPA § 632 claim against Meta and Google:

All Flo App users in California who entered menstruation and/or pregnancy information into the Flo Health App while residing in California between November 1, 2016, and February 28, 2019, inclusive.

Plaintiffs Wellman, Chen, and Gamino are appointed as named representatives for the California subclass.

Pursuant to Rule 23(g), the interim co-lead counsel -- Carol C. Villegas of Labaton Keller Sucharow LLP, Diana J. Zinser of Spector Roseman & Kodroff, P.C., and Christian Levis of Lowey Dannenberg, P.C. -- are confirmed as class counsel for both the nationwide class and the California subclass. // // // //

The parties are directed to jointly file by May 27, 2025, a proposed plan to give notice to the certified classes and an opportunity to opt out.

IT IS SO ORDERED.

Dated: May 19, 2025

JAMES DONATO

United States District Judge

NOTES

[1] The complaint names “Facebook, Inc.” as a defendant, but Meta is the current corporate name, 28 which will be used here. Dkt. No. 98.

[2] Plaintiffs Wellman, Chen, and Gamino are residents of California. Dkt. No. 64 ¶¶ 42, 56, 63.

[3] Following the termination of all FRE 702 motions in connection with the first round of certification briefing, Dkt. No. 419, the parties designated a more limited number of experts and did not renew their FRE 702 challenges. See Dkt. Nos. 425-26. There are consequently no pending FRE 702 challenges to any expert evidence proffered in connection with the present certification request.

[4] Plaintiffs did not say why named plaintiffs Pietrzyk, Ridgway, and Kiss are not seeking appointment as class representatives under Rule 23. The Court construes this to mean that they remain in the case as class members only.

[5] Citations to plaintiffs’ exhibits refer to the exhibit’s docket number and the last three digits of 28 the document’s internal Bates number for pagination.

[6] Available at: https://womenshealth.gov/menstrual-cycle/your-menstrual-cycle-and-your-health 26 (last accessed May 16, 2025). 27

[7] Available at: https://www.ftc.gov/system/files/documents/public_statements/1596364/ statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf 28 (last accessed May 16, 2025).

[8] All citations to “App’x” refer to defendants’ Joint Appendix and use the appendix’s internal 28 pagination. Dkt. Nos. 490-3; 491-1.

[9] Defendants cite the same news articles discussed in the implied consent section for the notice contention.

[10] Flo made a passing aside to the effect that the news reports it presented were only a few of the 26 “many ways users could have learned about the challenged data-sharing practices.” Dkt. No. 490-2 at 1, 7. This comment again was not developed with evidence of what the other sources 27 might have been, and Flo’s vague conjecture is of no moment for certification purposes. See True Health , 896 F.3d at 932. 28

[11] Google and Meta made no effort to say why this provision in Flo’s terms of service might apply 28 to them. The Court addresses the argument solely with respect to Flo.

[12] As with Discover Bank , all three of these cases were abrogated in part by Concepcion , only with respect to the invalidation of class action waivers in arbitration agreements due to unconscionability. Flo does not seek to enforce an arbitration agreement, and Concepcion did not affect general unconscionability principles outside of the arbitration context. See Sonic-Calabasas A, Inc. v. Moreno , 57 Cal. 4th 1109, 1143 (2013) (“ Concepcion clarifie[d] the limits the FAA places on state unconscionability rules as they pertain to arbitration agreements.”).

[13] Moore addressed the claimed financial value of personal information in the context of 26 California’s Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §§ 17200 et seq., but its reasoning on this issue applies in full here. 27

[14] To be clear, none of the other claims for which certification is granted require a showing of 28 actual damages beyond the violation of a legal right.

[15] “Circuit precedent interpreting state law . . . ‘is only binding in the absence of any subsequent indication from the California courts that our interpretation was incorrect.’” AGK Sierra De Montserrat, L.P. v. Comerica Bank , 109 F.4th 1132, 1136 (9th Cir. 2024) (citation omitted).