Dechert Cyber Bits

Landmark Privacy Class Action Trial: Frasco v. Flo Health

On July 21, 2025, the first Big Tech privacy class action to ever go to trial kicked off in the Northern District of California. The case centered on the #1 most downloaded mobile health app, Flo, and its use of software development kits—a standard technology used by virtually all mobile applications. Specifically, plaintiffs challenged Flo’s integration of the Facebook SDK, alleging that between November 2016 and February 2019 Facebook (now Meta) unlawfully wiretapped Flo’s communications with users and that Flo improperly disclosed sensitive health information. Google and Flurry, Inc. were also named as defendants but resolved the claims against them through pre-trial settlements.

Following Flo’s presentation of its technical expert and immediately after plaintiffs rested, Flo moved for a directed verdict on plaintiffs’ central claim against it: that Flo had violated California’s Confidential Medical Information Act (CMIA). Flo argued the CMIA did not apply because Flo is not a healthcare provider and its users are not patients. The Court agreed, explaining “there's no evidence in the case that would support a reasoned and reasonable verdict by a jury on the CMIA.” As a result, the Court declared, “The CMIA will be dismissed. It's not going to the jury.” With the CMIA claim gone, plaintiffs’ potential recovery against Flo collapsed from tens of billions to nominal damages—between one cent and one dollar per class member, at the most. The very next day, plaintiffs and Flo notified the Court that they had settled. Flo admitted no wrongdoing and denies it engaged in any unlawful conduct.

The trial continued against Meta after the Flo settlement and the jury ultimately returned a verdict against Meta on the sole claim against it.

Takeaway: Dechert represented Flo Health, Inc. throughout the litigation, including at trial, so we will not provide any comment on it. For Flo Health’s response, click here.

FTC Secures $145 Million in Settlements for Deceptive Health Insurance Marketing

On August 7, 2025, the U.S. Federal Trade Commission (“FTC”) announced that two telemarketing companies, Assurance IQ LLC (“Assurance IQ”) and MediaAlpha Inc. (“MediaAlpha”), will pay a total of $145 million to settle allegations that they misled consumers into purchasing fraudulent health insurance plans and targeted consumers with excessive telemarketing and robocalls. Neither Assurance IQ nor MediaAlpha admitted any wrongdoing as part of the settlements.

The FTC alleged that Assurance IQ’s telemarketers made deceptive statements to consumers about the coverage, cost, and benefits of short-term medical (“STM”) and limited benefit indemnity (“LBI”) health plans, in violation of the FTC Act and the Telemarketing Sales Rule. Assurance IQ allegedly mandated that its telemarketers use scripts containing alleged misrepresentations suggesting that the plans provided comprehensive health insurance coverage that satisfied the requirements of the Affordable Care Act (“ACA”) when they did not. Assurance IQ telemarketers also allegedly failed to disclose that supplemental products bundled with the plans were separate products with separate monthly fees, resulting in consumers being charged without their express, informed consent. Assurance IQ settled with the FTC for $100 million, with the payment to be used for customer refunds. As part of the settlement agreement, Assurance IQ is also prohibited from making a range of both express and implied misrepresentations regarding its health plans.

In a separate complaint, the FTC alleged that in 2024 MediaAlpha and its subsidiary QuoteLab LLC operated dozens of deceptive websites to collect the personal and contact information of consumers interested in health insurance and then sold that information to telemarketers and other lead generators. The FTC alleged that in 2024 alone, MediaAlpha sold 119 million consumer leads to telemarketers, leading to consumers being “flooded” with solicitations, including over one million robocalls that were made to numbers on the National Do Not Call Registry. The FTC also claimed that MediaAlpha used misleading domain names such as ObamacarePlans.com to make consumers believe its websites were associated with the government, in violation of the Government and Business Impersonation Rule. The FTC further alleged that MediaAlpha used advertisements to entice consumers to visit their websites, including using celebrity promotions to promote a nonexistent government “Health Insurance Give Back Program.” The settlement agreement includes a $45 million judgment, to be used to provide refunds to harmed customers, as well as restrictions on future business practices.

Takeaway: The FTC’s actions reflect a continuing laser focus on deceptive marketing and lead generation practices, in particular in the healthcare marketplace. Companies in the healthcare and telemarketing sectors should be extra cautious in how they collect and share personal and contact information—ensuring that they make truthful and substantiated claims about their products and services, that their marketing does not imply government affiliation, and that they and their business partners conduct telemarketing in compliance with the Telemarketing Sales Rule. 

UK Data Regulator Fines Charity £18,000 for Destroying Personal Records

Birthlink, a charity offering post-adoption support and advice, was fined £18,000 by the UK Information Commissioner’s Office (“ICO”) for a personal data breach after destroying approximately 4,800 personal records. These included handwritten letters from birth parents, photographs, and copies of birth certificates—up to 10% of which may be irreplaceable. According to the ICO, the destruction, carried out in 2021 to free storage space, was undertaken without applying proper retention rules, and reflected inadequate data protection knowledge, ineffective procedures, and poor internal policies.

Birthlink only realized that irreplaceable records had been destroyed after an inspection in 2023, at which point the charity reported the incident to the ICO. The fine was originally set at £45,000 but was reduced by the ICO following Birthlink’s representations. Since the breach, the charity has implemented corrective measures, including digitizing records, appointing a Data Protection Officer, and delivering staff training.

Takeaway: This incident underscores the legal and reputational consequences of failing to safeguard personal data. High profile data breaches often centre around accidental disclosure (i.e. human error) or unauthorized access. However, accidental destruction of personal data can also constitute a personal data breach under the GDPR. Organizations—especially those holding sensitive data including records of significant emotional and historical value—must maintain robust retention policies, effective record management procedures, and proper record-keeping.

New UK Guidance on Secure Disclosure of Documents to the Public

The ICO has published new guidance to help organizations prevent accidental data breaches involving hidden personal data when disclosing documents to the public. The guidance follows significant data breaches involving accidental disclosures by the Police Service of Northern Ireland and the Ministry of Defence, both of these cases involving hidden information in spreadsheets.

It offers practical advice (including in checklist and instructional video format) such as checking documents for hidden / embedded personal information or track changes, selecting appropriate disclosure formats, converting files into simpler formats, and considering redactions. While recommending the use of software-based inspection tools, such as Microsoft Document Inspector, the ICO emphasizes that technology alone is insufficient—procedural safeguards and well-trained staff are essential.

Takeaway: The underlying principles and advice in the guidance—such as how to treat metadata, filters and hidden elements in files—are valuable in any context where documents are shared, whether externally or internally. By combining effective technology solutions with robust processes and trained staff, organizations can reduce the likelihood of data breaches.

First-Ever CPPA Court Action Provides Insight Into Future Enforcement

On August 6, 2025, the California Privacy Protection Agency (“CPPA”) announced that it had filed its first judicial action seeking to enforce an investigative subpoena against Tractor Supply Company (“Tractor Supply”), a Fortune 500 company operating over 2,000 stores nationwide (including approximately 90 in California) that primarily sell farm, pet, and home improvement supplies.

As part of its investigation into whether Tractor Supply had properly updated its privacy policy after the California Consumer Privacy Act (“CCPA”) went into effect and whether the opt-out link on Tractor Supplies’ website was actually honoring consumers’ requests to opt out of the sale and sharing of their personal information, the CPPA served Tractor Supply with an investigative subpoena in January 2025 requesting information about the company’s privacy practices from January 1, 2020—the effective date of the CCPA—to the present. The CPPA filed a petition to enforce the investigative subpoena on August 6, 2025 because it alleged that Tractor Supply had refused to provide responses regarding its business practices before July 1, 2023. Tractor Supply argued that the subpoena’s five-year lookback period was overbroad and burdensome, and that its practices before 2023 are outside the CPPA’s authority because the agency had not yet issued its 2023 regulations regarding the CCPA’s opt-out provisions. Importantly, the company was given more than six months to respond before the CPPA sought to enforce the subpoena.

Takeaway: This marks the first time that the CPPA has publicly disclosed an ongoing investigation into a company, and the first time it has taken judicial action to enforce an investigative subpoena. Companies operating in California should be aware that, even if investigations may proceed deliberately, the CPPA is active and willing to seek court assistance if it does not feel a company is complying with an investigation. In this case, the CPPA indicated that, while it allowed a fair amount of flexibility as to the timing of the company’s subpoena responses, it was not willing to compromise on its broad interpretation of its own authority, including with regard to potential CCPA violations before the publication of clarifying regulations.

Dechert Tidbits

UK Parliamentary Committee Launches Inquiry into Human Rights and AI

The UK Parliament’s Joint Committee on Human Rights has launched an inquiry into the impact of AI on human rights. The inquiry will focus on privacy, data usage, discrimination, bias, and remedies for violations. The inquiry will assess whether existing legal and regulatory frameworks (including the UK Government's AI Opportunities Action Plan) sufficiently protect human rights and will consider potential reforms to strengthen accountability and provide redress for AI-related breaches. Submissions are open until September 5, 2025.