The British Columbia Supreme Court recently certified additional causes of action in a national class action against Flo Health Inc., the operator of a popular menstrual health tracking app. The decision in Lam v. Flo Health Inc., 2025 BCSC 993 underscores the growing judicial scrutiny of how companies handle sensitive personal data, especially in the context of digital health platforms. This case is notable for its focus on intentional data sharing rather than data breaches or hacking, and for its willingness to allow novel contractual claims.
Background facts & earlier certification decision
The case centers on allegations that Flo intentionally shared highly sensitive personal and health information provided by users of its Flo Health & Period Tracker App (the “App”) with unrelated third parties, without proper notice or consent. The representative plaintiff, on behalf of a class of all Canadian residents (excluding Quebec), alleged that she relied on Flo’s assurances that her data would remain private when entering information such as menstrual cycles, pregnancies, and symptoms into the App.
In Lam v. Flo Health Inc., 2024 BCSC 391, the court previously certified claims for breach of statutory privacy acts, intrusion upon seclusion (outside British Columbia and Alberta), and breach of confidence, but found the breach of contract claim insufficiently pleaded. On leave from the court, the plaintiff subsequently amended her claim to address these deficiencies, specifically alleging that Flo breached both express and implied contractual terms, failed to obtain meaningful consent for data sharing, and violated the duty of good faith and honest performance.
Analysis of breach of contract
The plaintiff argued that Flo’s privacy policy, which users accepted through standard “click-wrap” agreements, expressly promised not to share, sell, barter, or rent users’ personal information to third parties.
The court found that the amended pleadings now clearly identified these express terms, referencing specific language from the various versions of the privacy policy in effect during the class period. In the alternative, the plaintiff contended that even if the contract did not explicitly prohibit sharing, it was an implied term that Flo would not share users’ sensitive information with third parties. The court accepted these arguments, holding that breach of the alleged express and implied terms was not bound to fail.
A further aspect of the breach of contract claim was the allegation that Flo failed to obtain “meaningful consent” for the sharing of personal data, as required by the Personal Information Protection and Electronic Documents Act (PIPEDA). The court accepted that PIPEDA’s standards could inform whether Flo had obtained meaningful consent from its users. Although novel, the court held that this approach to the breach of contract claim was also not bound to fail. Flo, for its part, argued that its privacy policies permitted disclosure of personal information to third parties and that the plaintiff’s claims were overly broad. However, the court declined to interpret the policies at the certification stage, finding that such issues should be determined at trial based on a full evidentiary record.
Analysis on breach of duty of good faith and honest performance
Turning to the breach of the duty of good faith and honest performance, the plaintiff alleged that Flo misled users about its data sharing practices, thereby undermining the central purpose of the contract: protection of privacy. The claim also included allegations that Flo acted dishonestly in the performance of its contractual obligations by assuring users their data would not be shared, while in fact sharing it with third parties. The court found that the pleadings adequately set out material facts to support both a breach of the duty of good faith and the duty of honest performance. The court emphasized that these duties require more than mere non-performance; they require active dishonesty or conduct that nullifies the contract’s core benefit. The court was satisfied that the plaintiff’s allegations, if proven, could meet this threshold.
The plaintiff also sought the remedy of disgorgement, asking the court to require Flo to surrender any profits made from the alleged misuse of user data. The court held that, in exceptional circumstances where compensatory damages are inadequate and the plaintiff has a legitimate interest in preventing the defendant’s profit-making activity, disgorgement may be available. The pleadings were found sufficient to allow this remedy to proceed to trial.
Key takeaways
This case signals a robust approach by courts to privacy and contractual claims in the digital age, with significant implications for any organization that relies on a privacy policy on its website or in an app. Organizations collecting sensitive personal data should review their data-sharing practices to confirm that they are appropriately addressed in any privacy policy and consent mechanisms and that they align with evolving legal standards.