{"id":9611,"date":"2025-10-16T16:17:22","date_gmt":"2025-10-16T16:17:22","guid":{"rendered":"https:\/\/journals.law.unc.edu\/ncjolt\/?p=9611"},"modified":"2025-10-16T16:17:22","modified_gmt":"2025-10-16T16:17:22","slug":"tracking-periods-and-consumer-data-a-look-at-the-costs-of-privacy-non-compliance-for-health-apps","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/tracking-periods-and-consumer-data-a-look-at-the-costs-of-privacy-non-compliance-for-health-apps\/","title":{"rendered":"Tracking Periods and Consumer Data: A Look at the Costs of Privacy Non-Compliance for Health Apps"},"content":{"rendered":"\n<p>12:17 PM, 10\/16\/2025<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" width=\"200\" height=\"120\" src=\"https:\/\/journals.law.unc.edu\/ncjolt\/wp-content\/uploads\/sites\/4\/2025\/10\/Shreya.jpg\" alt=\"\" class=\"wp-image-9612\" \/><\/figure>\n\n\n\n<p>Women\u2019s health app developer Flo Health, Inc. (\u201cFlo\u201d) and Google LLC (\u201cGoogle\u201d) have reached a <a href=\"https:\/\/www.insideprivacy.com\/health-privacy\/flo-health-google-settle-class-action-privacy-lawsuit-for-56-million\/\">proposed settlement<\/a> to resolve a class action lawsuit alleging that Flo unlawfully shared private health data with Google, Meta Platforms, Inc. (\u201cMeta\u201d), and Flurry, Inc. (\u201cFlurry\u201d) through online tracking technologies. Flo collected <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/sensitive-data\">highly sensitive<\/a> data from users, including but not limited to menstrual cycle details, sexual activity, and location information. 
Flo, Google, and Flurry opted to settle with the plaintiffs before the jury verdict, while Meta proceeded to trial and <a href=\"https:\/\/www.burr.com\/newsroom\/articles\/jury-found-meta-liable-in-flo-privacy-case-what-to-do-if-your-website-or-app-collects-user-health-data\">lost<\/a>.\u00a0<\/p>\n\n\n\n<p>Since smartphones have become indispensable devices, health-adjacent apps like Flo, which track personal information, have become increasingly popular. From sleep, to food intake, to fertility, almost every aspect of one\u2019s health can be monitored through a specially designed app.\u00a0<\/p>\n\n\n\n<p>To protect consumers&#8217; data in this sensitive marketplace, a number of <a href=\"https:\/\/www.dlapiperdataprotection.com\/?c=US\">sector-specific privacy<\/a> laws have emerged in various states across the United States. There is a <a href=\"https:\/\/www.hipaajournal.com\/americans-mistakenly-believe-health-app-hipaa\/\">common misconception<\/a> that the Health Insurance Portability and Accountability Act (\u201cHIPAA\u201d) protects health app data, but the majority of these apps do not fall within its purview. Rather, the Act applies only to specifically covered healthcare entities. As such, the suit against Flo and Google was brought under the <a href=\"https:\/\/www.shouselaw.com\/ca\/defense\/laws\/california-invasion-of-privacy-act\/\">California Invasion of Privacy Act<\/a> (\u201cCIPA\u201d), alleging that the unauthorized collection of users\u2019 health data was unlawful.<\/p>\n\n\n\n<p>As part of the settlement, Google has agreed to pay $48 million while Flo has agreed to pay $8 million, totaling $56 million in relief for the plaintiffs. Neither entity admitted liability as part of the settlement. Meta, after losing a jury verdict, plans to appeal the decision. This verdict could cost Meta up to $5,000 per violation, a number that could total in the billions. 
A <a href=\"https:\/\/www.reuters.com\/legal\/government\/meta-could-owe-billions-flo-class-action-verdict-2025-10-01\/\">spokesperson<\/a> for Meta stated they \u201cdisagree with the verdict and believe the plaintiffs\u2019 claims are false.\u201d\u00a0<\/p>\n\n\n\n<p>The plaintiffs in this case were able to present evidence that device identifiers could link the data back to individual users.\u00a0Accordingly, experts claim that the verdict <a href=\"https:\/\/www.burr.com\/newsroom\/articles\/jury-found-meta-liable-in-flo-privacy-case-what-to-do-if-your-website-or-app-collects-user-health-data\">serves as a warning<\/a> for technology companies who deal in consumer health data, even if such data is considered \u201cde-identified.\u201d <\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>As settlements like this emerge, the question arises: will health apps fight or fold against litigation?\u00a0<\/p><\/blockquote>\n\n\n\n<p>Privacy statutes are often accompanied by <a href=\"https:\/\/jumpcloud.com\/blog\/gdpr-ccpa-compliance-violations\">large statutory penalties<\/a> imposed on a per-violation basis. Regulators can slap whopping multi-million dollar fees to deter companies from violating regulations. While this may seem unreasonable, regulators&#8217; deterrence function must outweigh the economic benefit from ignoring the law, given that compliance creates <a href=\"https:\/\/www.forbes.com\/councils\/forbestechcouncil\/2023\/01\/24\/the-cost-of-non-compliance-mitigating-personal-and-corporate-risk\/\">increased costs<\/a> as companies must heighten transparency, confidentiality, and security. Without such severe penalties, privacy laws would be useless. <\/p>\n\n\n\n<p>One concern with fines is that larger companies may choose to avoid true accountability by paying their way out of any violations. 
In fact, an <a href=\"https:\/\/www.enforcementtracker.com\/\">enforcement tracker<\/a> for the General Data Protection Regulation, the primary privacy law for Europe, indicates that Meta has been issued five of the ten all-time highest fines issued to an individual\/entity. Other critics claim that the <a href=\"https:\/\/jumpcloud.com\/blog\/gdpr-ccpa-compliance-violations\">reputational damage<\/a> a brand suffers is the true penalty. Companies may face loss of customer trust, operational disruptions, and increased scrutiny from regulators for future audits.&nbsp;<\/p>\n\n\n\n<p>In the present case, despite not admitting liability, Flo has agreed to <a href=\"https:\/\/www.insideprivacy.com\/health-privacy\/flo-health-google-settle-class-action-privacy-lawsuit-for-56-million\/\">display<\/a> a \u201cprominent notice about Flo\u2019s commitment to privacy\u201d on its website for one year after the finalization of the settlement.&nbsp;<\/p>\n\n\n\n<p>The debate over incurring costs of compliance versus paying regulator fees has made its rounds within Big Tech. With this settlement, health technology companies will be forced to join the conversation. Many apps collecting sensitive data similar to Flo have successfully evaded regulators such as the <a href=\"https:\/\/www.hipaajournal.com\/americans-mistakenly-believe-health-app-hipaa\/\">Federal Trade Commission<\/a> by working outside the scope of HIPAA. This settlement indicates that, despite <a href=\"https:\/\/www.burr.com\/newsroom\/articles\/jury-found-meta-liable-in-flo-privacy-case-what-to-do-if-your-website-or-app-collects-user-health-data\">HIPAA not governing<\/a> the data at issue, collecting any health-related information requires explicit and informed consent.\u00a0<\/p>\n\n\n\n<p>As this issue progresses, health technology companies must navigate new costs. 
These companies do not always have the financial resources of a technology giant (*cough* Meta *cough*) and may choose to settle more often than pursue expensive litigation. Such a legal strategy may leave the door open for frivolous lawsuits from opportunistic plaintiffs seeking deeper pockets.\u00a0<\/p>\n\n\n\n<p>Ultimately, the options come down to choosing between the costs of compliance and non-compliance. Given the reputational harms of litigation, the wisest option for budding companies is pursuing compliance or, following in the footsteps of Flo, a settlement.\u00a0<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Shreya Patel<\/strong><\/p>\n\n\n\n<p>Shreya is a 2L at the University of North Carolina School of Law. Before law school, Shreya attended the University of North Carolina at Chapel Hill, majoring in Psychology with minors in Neuroscience and Philosophy. In her free time, Shreya enjoys spending time with her friends and family.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As settlements like this emerge, the question arises: will health apps fight or fold against litigation? 
<\/p>\n","protected":false},"author":4,"featured_media":9612,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[659,567,658,133,624,163,657],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/9611"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=9611"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/9611\/revisions"}],"predecessor-version":[{"id":9613,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/9611\/revisions\/9613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/9612"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=9611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=9611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=9611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}