Meta Found Liable for Secretly Collecting Period Tracker App Data

Key Takeaways:

  • A California jury ruled that Meta violated state privacy laws by collecting data from Flo app users without consent.
  • The data included menstrual cycles, sexual activity, and pregnancy-related details, shared via Facebook’s embedded SDK.
  • Over 3.7 million U.S. users may be affected; Meta could face significant financial penalties.
  • Flo Health, Google, and Flurry settled earlier, while Meta went to trial and lost.
  • The ruling is seen as a landmark moment for consumer health data privacy and digital consent enforcement.

A federal jury has found that Meta unlawfully collected sensitive health data from users of the Flo period and pregnancy tracking app, ruling that the company violated California’s Invasion of Privacy Act. At the heart of the case is Meta’s use of Facebook’s Software Development Kit (SDK), embedded in the Flo app between 2016 and 2019, to intercept private data without user permission.

The decision came after jurors unanimously agreed that Meta “eavesdropped” on Flo users by intercepting event-based data like “R_SELECT_LAST_PERIOD_DATE” and “R_SELECT_CYCLE_LENGTH.” These app interactions were ruled to be personal communications under California law, and Meta was found to have recorded them without the users’ knowledge or consent.

Meta had argued that it does not knowingly collect sensitive health data and that developers are contractually prohibited from sending it. But the jury concluded otherwise, determining that Meta’s infrastructure did, in fact, capture the information. Legal analysts say the ruling could have far-reaching consequences: statutory damages in California are $5,000 per violation, and with millions of affected users, the financial exposure could be substantial.

Flo Health, the app’s developer, was also named in the suit but chose to settle before the trial. Google and analytics company Flurry reached similar settlements. Meta, however, opted to defend itself in court—and lost.

The ruling has prompted renewed scrutiny of how digital platforms and app developers handle reproductive health data. While Meta considers an appeal, privacy advocates are calling the outcome a critical step forward in enforcing accountability for large tech platforms that integrate third-party data tools into sensitive apps.

Experts warn this is part of a growing trend where health and wellness apps collect deeply personal data while users remain unaware of how it’s shared. What set this case apart was not just the sensitivity of the information, but that users were led to believe their data would remain confidential. The lawsuit accused the companies of false assurances and deceptive practices.

If you’re concerned about the handling of your own health data, security experts suggest reviewing permissions for health and fitness apps, removing unused apps, and disabling third-party tracking where possible. More broadly, this verdict signals that U.S. courts are increasingly willing to hold tech giants responsible for data practices that bypass informed consent.

While the verdict doesn’t impose immediate financial penalties—damages will be assessed in a separate proceeding—it sets a precedent. Companies using SDKs or analytics tools in apps tied to health or reproductive data will need to assess risk and compliance more carefully moving forward.

Developers, too, may feel the ripple effects. Embedding third-party SDKs is standard practice, but doing so without clear user disclosures—especially in apps dealing with intimate data—can now carry substantial legal risk. As more regulators and courts focus on data privacy violations tied to health and wellness tools, the industry may see a shift toward more transparent practices and tighter controls.

The broader implication is clear: the consent model many platforms rely on—often buried in terms of service—may no longer be enough


 

Loading
Share via
Copy link
Powered by Social Snap