Dressing old laws in class-action suits: Tracking technologies that disclose personal information

Contributors:

William Simpson

AIGP, CIPP/US

Westin Fellow

IAPP

Editor's note: This is the second article in a three-part series that tracks class action litigation at the nexus of privacy, artificial intelligence, and other digital technology. The first article, "Dressing old laws in class-action suits: Applying anti-wiretapping laws to AI transcription services," looks at how decades-old anti-wiretapping laws have found new significance due to the emergence of automated technologies capable of eavesdropping. 

As discussed in the first part of this series, the plaintiffs' bar continues to repurpose old laws in the context of emerging technologies, attempting to enforce privacy rights using class-action lawsuits. Recent legal theories have applied the California Invasion of Privacy Act and the Video Privacy Protection Act to prevent the disclosure of personal information through tracking technology. One of these suits resulted in a rare jury verdict and another in a novel class certification.

CIPA violation gets a plaintiff-friendly jury verdict

Software development kits allow app developers to incorporate ready-made features into their products. That said, "SDKs have caused particular regulatory consternation due to their role in tracking location" and those that enable real-time interception of CIPA-covered communications carry real risk for developers and vendors alike.

In August, a unanimous jury found that Meta violated CIPA Section 632 in the case of Frasco v. Flo Health by intentionally eavesdropping on plaintiffs' confidential communications without consent. Plaintiffs alleged Flo Health, the developers of a sexual and reproductive health app, shared personal information with Meta and Google without their consent, including menstrual cycle timing, preferred birth control methods, and details about sexual activity. The app allegedly recorded user interactions that were then intercepted by the SDKs and collected by Meta and Google for advertising, marketing, and research and development purposes. 
