In Lam v. Flo Health Inc., 2024 BCSC 391, the Supreme Court of British Columbia certified a proposed class action lawsuit against Flo Health Inc. for an alleged privacy breach involving users of the Flo Health & Period Tracker application. We have previously written about the use of generative artificial intelligence (AI).

Background

The Flo Health & Period Tracker is an interactive, AI-based application that assists with tracking all phases of the reproductive cycle. The application requires users to input personal and health information and to consent to a privacy policy for its use.

Flo Health's original privacy policy informed users that certain personal information would be shared with third-party analytics vendors in an anonymous format. In 2019, the company updated its privacy policy and formed partnerships with third-party analytics providers, giving them access to any information obtained from the application for advertising and product promotion purposes. In response, the plaintiff filed a proposed class action on behalf of nearly one million Canadian users, alleging breaches of privacy law, breach of confidence and negligence.

Court findings

The Court examined the requirements for a class proceeding under Section 4(1) of the Class Proceedings Act. In the process, they found that the class members' claims involved common issues under the Personal Information Protection and Electronic Documents Act (PIPEDA), particularly around the requirement for meaningful consent before sharing personal information with third parties. The Court recognized a shared concern over the violation of privacy legislation in the handling and sharing of personal information with third parties and related damages claims. The Court also noted the growing importance of privacy protection, stating:

The ever-increasing modern capacity to capture, store and retrieve information in our digital age has led to a corresponding need for the legal capacity to protect privacy. Privacy legislation has been recognized as being accorded quasi-constitutional status. In a similar manner, privacy torts – such as intrusion upon seclusion and breach of confidence – continue to evolve, and their proper scope in our modern world must continue to be addressed by our courts.

The Court concluded that the plaintiff met the requirement for certification. The Court certified the claim as a class proceeding for 1,045,586 Canadian residents (excluding Quebec) who used the application from June 1, 2016 to February 23, 2019.

Key takeaways

The class action certification against Flo Health establishes that organizations must carefully manage their personal information. The decision highlights the need for clear privacy policies, particularly when sharing data with third parties and emphasizes the importance of obtaining meaningful consent. The case serves as an important reminder for businesses to prioritize user privacy to avoid similar legal repercussions.

How we can assist you

As experienced privacy and class action lawyers, we're equipped to guide businesses through these complex issues. From advising on best practices for data handling and security to representing companies in class action lawsuits, we're here to help you navigate and stay ahead of potential legal pitfalls. We believe in a proactive defense and strive to ensure that you're not only compliant with the law but also protected against unforeseen liabilities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.