Jury finds Meta exploited user data from Flo period-tracking app for advertising purposes
In a significant ruling for digital privacy rights, a California jury has found Meta liable for violating state digital privacy laws, specifically the California Invasion of Privacy Act. The jury concluded that Meta covertly collected and used private menstrual health data from Flo users for advertising purposes without their consent.
The lawsuit, filed in 2021, alleged unauthorized data collection of menstrual cycle dates, fertility goals, and other sensitive health data via the Flo app. Flo Health, the developer of the popular menstrual and fertility tracking app, settled in late July 2025, denying any wrongdoing but agreeing to resolve claims related to the California Confidentiality of Medical Information Act (CMIA) and related allegations. Google also settled its involvement earlier in July 2025.
However, Meta, the parent company of Facebook, disputes the verdict and denies collecting or eavesdropping on sensitive health information. The company argues that its terms prohibit developers from sending such data and that it values user privacy. Meta is exploring all legal options to challenge the ruling.
The original privacy statement of Flo claimed that it would not transmit any personal data to third parties, except for providing the service to users. However, it was found that Flo allowed third parties, including Meta, to harvest data from "Custom App Events," which could include information such as the user's week of pregnancy or the fact that their period had started on a certain day.
Flo Health's app is used by about 70 million people each month. The app can track not only period cycles and ovulation, but also sexual activity and health issues. A class-action lawsuit was filed against Flo in 2021, citing invasion of privacy, breach of contract, unjust enrichment, and violations of the Stored Communications Act and California medical information laws.
The lawsuit was filed in the Northern California district court. AppsFlyer was dismissed from the class-action lawsuit in 2022, and both Flurry and Google agreed to settle. Michael Canty, lead trial attorney at Labaton Keller Sucharow LLP, said in a statement that the verdict sends a strong message to tech companies about the importance of protecting user privacy.
The FTC has also been involved in the case, with a formal complaint issued in 2021. The FTC complaint mentions that Meta disagrees with the verdict and is exploring all legal options. Flo settled with the FTC without an admission of guilt, agreeing to certain measures to protect user data.
Privacy advocates and the plaintiffs’ attorneys view the jury’s decision against Meta as a significant legal precedent reinforcing protections for digital health data. The case against Flo and Google is settled, but Meta remains liable according to the jury and continues defending itself and planning appeals or further legal actions.
- The jury's decision against Meta, a tech giant, could set a significant legal precedent for digital privacy rights, especially for health and wellness data, such as menstrual health data, that is often handled by AI software in data and cloud computing environments.
- Meta, in response to the verdict, maintains that they value user privacy and denies any claims of collecting or eavesdropping on sensitive health information, despite allegations that their platforms covertly harvest data for advertising purposes.
- The growing field of analytics has been put under the microscope following the California jury's decision, which raises concerns about privacy and the handling of personal data, including data from women's health apps like Flo.
- In a joint effort to promote transparency and protect user privacy, several tech companies, including Google and Flo, have agreed to settle related lawsuits and allegations, while Meta continues to explore legal options to challenge the verdict, arguing that their terms of service prohibit developers from sending such sensitive data.