Favor Allowed Third Parties to Access Sensitive Health Data: Class Action
Health website Favor disclosed and allowed third parties to access users’ personal identifiable information (PII) without their consent, alleged a class action Thursday (docket 3:23-cv-59) in U.S. District Court for Northern California in San Francisco.
Favor “knowingly and intentionally” disclosed and allowed third parties Meta, TikTok and data analytics company FullStory, also named in the suit as “advertising and analytics defendants,” to “intercept” users’ health data and other highly sensitive information, the complaint alleges. That included information on whether class members were prescribed birth control, and answers to questions about blood pressure readings, cancer history, medication side effects, allergies, age and weight, it said.
Favor “disclosed and allowed FullStory to intercept all the users’ interactions on the Favor Platform,” including clicks, keystrokes and mouse movements, the complaint alleged. Interactions included answers to highly sensitive medical questions, which weren’t aggregated or “deidentified," and third parties weren't prohibited from using the information for their own benefit, which Favor had claimed, plaintiff alleged.
Plaintiff “Jane Doe,” of Hempstead County, Arkansas, used Favor in the summer of 2021 to buy birth control prescriptions, emergency contraception and condoms, said the complaint. Answers she gave to medical questions were disclosed to third parties without her consent, and “directly contrary to the representations made by Favor,” she said.
Favor intentionally incorporated tracking technology for marketing and analytics purposes on its platform without disclosing it to users, including the Meta software development kit, the Meta Pixel, the TikTok Pixel and Session Replay software from analytics company FullStory, the plaintiff alleged. As an example, it said Meta gives app developers like Favor, which use the Meta Pixel and its software developer kit (SDK), access to the collected data from users and gives them tools and analytics to reach users through Facebook ads, it alleged. TikTok Pixel has similar advertising functionality, it said.
Though Meta said in November 2021 it would remove functionality on Facebook that targeted users based on sensitive topics, that was limited to individuals’ interactions with content and didn’t apply to data gathered via Meta Pixel or SDK or other means, the complaint alleged. Advertisers were allowed to use “website custom audiences” and “lookalike” audiences to target users based on information received through Meta Pixel and SDK, it said.
A Meta “Health Terms Integrity System,” designed to filter out sensitive data, isn't successful at preventing interception of health data, said the complaint. It referenced findings from The Markup that found, while investigating the use of Meta Pixel on abortion-related websites, that Meta’s filtering system “failed to discard even the most obvious forms of sexual health information,” including URLs with phrases such as “post-abortion,” “I think I’m pregnant” and “abortion pill,” it said.
The complaint cited a report from Princeton researchers finding Walgreen’s use of Session Replay code was leaking website visitors’ medical conditions and prescriptions to FullStory, and it was able to link users’ identities to the medicine they were prescribed. That happened even though Walgreens used additional manual redaction tools to keep website visitors’ information private, said the complaint. Walgreens stopped using FullStory “out of an abundance of caution,” it said.
Plaintiff and class members wouldn't expect their information to be disclosed or intercepted without their consent, said the complaint, noting Favor’s “consistent representations” that users’ information would remain “private and confidential." The company maintained users’ data was held to a stricter privacy standard than required by federal and state laws and no “personal information” would be disclosed to third parties, including analytics companies.
The class likely consists of “millions” of individuals, said the complaint, stating claims for privacy violations and unjust enrichment. It noted companies like Pfizer spend $12 million annually to buy health data, and the medical data industry was valued at over $2.6 billion in 2014. The plaintiff seeks injunctive relief, court and attorneys’ fees and damages of $1,000 to $250,000 per violation.