{"id":24514,"date":"2025-08-06T17:09:33","date_gmt":"2025-08-06T21:09:33","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=24514"},"modified":"2025-08-06T17:09:35","modified_gmt":"2025-08-06T21:09:35","slug":"meta-found-liable-for-secretly-collecting-period-tracker-app-data","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/facebook\/meta-found-liable-for-secretly-collecting-period-tracker-app-data.html","title":{"rendered":"Meta Found Liable for Secretly Collecting Period Tracker App Data"},"content":{"rendered":"\n<p>Key Takeaways:<\/p>\n\n\n\n<ul>\n<li>A California jury ruled that Meta violated state privacy laws by collecting data from Flo app users without consent.<\/li>\n\n\n\n<li>The data included menstrual cycles, sexual activity, and pregnancy-related details, shared via Facebook\u2019s embedded SDK.<\/li>\n\n\n\n<li>Over 3.7 million U.S. users may be affected; Meta could face significant financial penalties.<\/li>\n\n\n\n<li>Flo Health, Google, and Flurry settled earlier, while Meta went to trial and lost.<\/li>\n\n\n\n<li>The ruling is seen as a landmark moment for consumer health data privacy and digital consent enforcement.<\/li>\n<\/ul>\n\n\n\n<p>A federal jury has found that Meta unlawfully collected sensitive health data from users of the Flo period and pregnancy tracking app, ruling that the company violated California\u2019s Invasion of Privacy Act. At the heart of the case is Meta\u2019s use of Facebook\u2019s Software Development Kit (SDK), embedded in the Flo app between 2016 and 2019, to intercept private data without user permission.<\/p>\n\n\n\n<p>The decision came after jurors unanimously agreed that Meta \u201ceavesdropped\u201d on Flo users by intercepting event-based data like \u201cR_SELECT_LAST_PERIOD_DATE\u201d and \u201cR_SELECT_CYCLE_LENGTH.\u201d These app interactions were ruled to be personal communications under California law, and Meta was found to have recorded them without the users\u2019 knowledge or consent.<\/p>\n\n\n\n<p>Meta had argued that it does not knowingly collect sensitive health data and that developers are contractually prohibited from sending it. But the jury concluded otherwise, determining that Meta\u2019s infrastructure did, in fact, capture the information. Legal analysts say the ruling could have far-reaching consequences: statutory damages in California are $5,000 per violation, and with millions of affected users, the financial exposure could be substantial.<\/p>\n\n\n\n<p>Flo Health, the app\u2019s developer, was also named in the suit but chose to settle before the trial. Google and analytics company Flurry reached similar settlements. Meta, however, opted to defend itself in court\u2014and lost.<\/p>\n\n\n\n<p>The ruling has prompted renewed scrutiny of how digital platforms and app developers handle reproductive health data. While Meta considers an appeal, privacy advocates are calling the outcome a critical step forward in enforcing accountability for large tech platforms that integrate third-party data tools into sensitive apps.<\/p>\n\n\n\n<p>Experts warn this is part of a growing trend where health and wellness apps collect deeply personal data while users remain unaware of how it\u2019s shared. What set this case apart was not just the sensitivity of the information, but that users were led to believe their data would remain confidential. The lawsuit accused the companies of false assurances and deceptive practices.<\/p>\n\n\n\n<p>If you\u2019re concerned about the handling of your own health data, security experts suggest reviewing permissions for health and fitness apps, removing unused apps, and disabling third-party tracking where possible. More broadly, this verdict signals that U.S. courts are increasingly willing to hold tech giants responsible for data practices that bypass informed consent.<\/p>\n\n\n\n<p>While the verdict doesn\u2019t impose immediate financial penalties\u2014damages will be assessed in a separate proceeding\u2014it sets a precedent. Companies using SDKs or analytics tools in apps tied to health or reproductive data will need to assess risk and compliance more carefully moving forward.<\/p>\n\n\n\n<p>Developers, too, may feel the ripple effects. Embedding third-party SDKs is standard practice, but doing so without clear user disclosures\u2014especially in apps dealing with intimate data\u2014can now carry substantial legal risk. As more regulators and courts focus on data privacy violations tied to health and wellness tools, the industry may see a shift toward more transparent practices and tighter controls.<\/p>\n\n\n\n<p>The broader implication is clear: the consent model many platforms rely on\u2014often buried in terms of service\u2014may no longer be enough<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways: A federal jury has found that Meta unlawfully collected sensitive health data from users of the Flo period and pregnancy tracking app, ruling that the company violated California\u2019s Invasion of Privacy Act. At the heart of the case is Meta\u2019s use of Facebook\u2019s Software Development Kit (SDK), embedded in the Flo app between<\/p>\n","protected":false},"author":44,"featured_media":24515,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[161,3147],"tags":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/24514"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=24514"}],"version-history":[{"count":1,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/24514\/revisions"}],"predecessor-version":[{"id":24516,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/24514\/revisions\/24516"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/24515"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=24514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=24514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=24514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}