Jury finds Meta violated privacy law collecting health data

Federal court rules tech giant illegally gathered menstrual information through fertility app.

Jury verdict form showing Meta found guilty of privacy violations without user consent in Flo health data case.

A federal jury in San Francisco delivered a verdict on August 4, 2025, finding Meta Platforms Inc. violated the California Invasion of Privacy Act by secretly collecting sensitive menstrual and reproductive health data from millions of women through the period-tracking app Flo.

According to the verdict form, the jury answered "yes" to whether Meta intentionally eavesdropped on and recorded user conversations through electronic devices. The jury also confirmed users had a reasonable expectation their conversations would not be overheard or recorded, while answering "no" to whether Meta obtained consent from all parties involved.

The unanimous verdict marks the first major jury decision against a Big Tech company in a privacy case focused on reproductive health data. Reached after just three hours of deliberation, the decision represents a significant loss for the tech giant in a closely watched civil case that could help set boundaries on how far tech firms can go in collecting personal data for use in targeted advertising.

Technical mechanisms exposed

The case centered on Meta's use of a software development kit embedded within the Flo app between June 2016 and February 2019. Plaintiffs argued that the SDK acted as a secret "recording device," capturing highly sensitive menstrual and reproductive health data that users entered into the app.

Evidence presented during the trial revealed how Meta collected this information through "custom app events" with descriptive names such as "R_SELECT_LAST_PERIOD_DATE" and "R_SELECT_CYCLE_LENGTH." These events systematically documented user interactions within the Flo app, creating detailed records of intimate health information.
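An app-side control for the mechanism described above, as an added example that is not code from Flo, Meta, or the trial record: a gate placed between app code and a third-party analytics SDK that drops events whose names encode health information, forwards only reviewed events, and requires recorded consent. The term list, the approved-event list, the `EventGate` class and the `forward` callback are assumptions made for illustration.

```python
import re

# Assumption: terms that mark an event name as health-related; tune per app.
SENSITIVE_TOKENS = {"period", "cycle", "pregnancy", "pregnant", "ovulation",
                    "contraceptive", "symptom", "fertility"}
# Assumption: event names reviewed and approved for third-party sharing.
APPROVED_EVENTS = {"APP_OPEN", "ONBOARDING_COMPLETE"}


def sensitive_tokens(event_name):
    """Return the sensitive terms encoded in an event name, sorted."""
    tokens = set(re.split(r"[^a-z]+", event_name.lower()))
    return sorted(tokens & SENSITIVE_TOKENS)


class EventGate:
    """Hypothetical wrapper between app code and a third-party analytics SDK."""

    def __init__(self, forward, user_consented):
        self.forward = forward              # callable that hands off to the SDK
        self.user_consented = user_consented
        self.dropped = []                   # local audit trail, never transmitted

    def log_event(self, name, params=None):
        hits = sensitive_tokens(name)
        if hits:
            return self._drop(name, "sensitive name: " + ",".join(hits))
        if name not in APPROVED_EVENTS:     # default deny for unreviewed events
            return self._drop(name, "not on approved list")
        if not self.user_consented:
            return self._drop(name, "no consent")
        self.forward(name, {})              # params are deliberately not forwarded
        return True

    def _drop(self, name, reason):
        self.dropped.append((name, reason))
        return False


def audit(event_names, user_consented):
    """Run event names through the gate; return (forwarded, dropped)."""
    sent = []
    gate = EventGate(lambda name, params: sent.append(name), user_consented)
    for name in event_names:
        gate.log_event(name)
    return sent, gate.dropped
```

The same `audit` function can run in CI over the list of event names an app registers, so a descriptive name such as the two quoted above is caught before release rather than in traffic.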

The Flo app had collected extensive personal data through survey questions covering topics including menstrual cycles, sexual activity frequency, contraceptive methods, and pregnancy intentions. Users provided this information based on assurances that their intimate health data would remain protected and confidential.

The lawsuit, filed in 2021 as Erica Frasco v. Flo Health, originally named multiple defendants including Google, AppsFlyer, and Flurry. Google settled the case in July 2025, while Flo Health reached a settlement earlier in August. The class action represented users who entered menstruation and pregnancy information into the Flo app between November 2016 and February 2019.

During closing arguments, plaintiffs' attorney Michael Canty argued that Meta "collected it, recorded it, used it, exploited it, profited from it," demonstrating clear intent to violate user privacy. Meta's defense team, led by Michele Johnson from Latham & Watkins, contended that data collection resulted from Flo's programming rather than Facebook's intentional eavesdropping.

The litigation builds upon earlier regulatory action. The Federal Trade Commission filed a complaint against Flo Health in January 2021, ultimately resulting in a settlement requiring the company to obtain independent privacy reviews and user consent before sharing health data.

Industry implications

Privacy advocates view the verdict as establishing important precedent for digital privacy rights enforcement. "It sends a message to the industry, or it should, that courts are taking this seriously and considering the impact of these broadly unregulated ad tracking systems," said Suzanne Bernstein, counsel at the Electronic Privacy Information Center.

The decision could influence how companies handle software development kits and tracking technologies across mobile applications. Ian Cohen, CEO of privacy compliance provider Lokker, noted that "Very few privacy lawsuits involving tracking technologies survive long enough to be certified as a class, let alone go to trial."

Meta's spokesperson stated the company "vigorously disagrees" with the verdict and is exploring all legal options. "The plaintiffs' claims against Meta are simply false," the statement said. "User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any."

This verdict coincides with broader industry changes affecting digital advertising. Privacy regulations continue reshaping targeting capabilities, as mobile advertising faces challenges with 54% of mobile impressions now lacking identifier coverage. Companies increasingly adopt contextual targeting and first-party data strategies to maintain advertising effectiveness while complying with evolving privacy requirements.

The case reflects growing regulatory scrutiny of health data practices across platforms. European authorities have imposed significant fines on companies for improper health data transfers to Meta, while German courts recently awarded individual compensation for Meta's data protection violations.

The specific amount of damages Meta will pay remains unclear, as the verdict addresses liability rather than compensation. The case now moves to the damages phase, where monetary awards will be determined for the class members affected by the privacy violations.

Timeline

  • June 2016: Meta begins collecting data from Flo app through SDK implementation
  • February 2019: Wall Street Journal reports Flo Health sharing intimate health data with Facebook and Google
  • January 13, 2021: Flo Health settles with FTC over privacy violations
  • January 29, 2021: Initial class action complaint filed against Flo Health
  • March 24, 2022: Parties file joint declaration confirming discovery cooperation
  • June 6, 2022: Court grants Flo Health's motion to dismiss some claims while denying others
  • July 2025: Google settles case before trial
  • August 2025: Flo Health reaches settlement agreement
  • August 4, 2025: Jury delivers unanimous verdict against Meta

Key Terms Explained

California Invasion of Privacy Act (CIPA): The California Invasion of Privacy Act represents one of the most comprehensive state privacy laws in the United States, originally enacted in the 1960s. This wiretapping law prohibits the intentional recording or eavesdropping on confidential communications without consent from all parties involved. In the digital age, courts have increasingly applied CIPA to electronic data collection practices, establishing that companies cannot secretly intercept user communications through apps or websites. The law provides for significant penalties including statutory damages and potential criminal liability for violations.

Software Development Kit (SDK): A Software Development Kit functions as a collection of software tools that enables third-party companies to integrate their services into mobile applications. SDKs contain code libraries, documentation, and APIs that app developers can embed to add functionality like analytics tracking, advertising, or social media integration. In this case, Meta's SDK allowed the company to collect data directly from the Flo app without users' knowledge. These toolkits have become standard in mobile app development but raise privacy concerns when they transmit sensitive user information back to the SDK provider.

Custom App Events: Custom App Events represent specific user interactions within mobile applications that developers can track and analyze. Unlike standard events such as app opens or crashes, custom events are programmed to capture particular user behaviors unique to each application. In the Flo app, these events had descriptive names like "R_SELECT_LAST_PERIOD_DATE" that revealed intimate health information about users' menstrual cycles and reproductive choices. The systematic collection of these events enabled Meta to build detailed profiles of users' health status and intimate personal decisions.

Class Action Lawsuit: A class action lawsuit allows a representative plaintiff to sue on behalf of a larger group of people who suffered similar harm from the same defendant's conduct. This legal mechanism proves essential in privacy cases where individual damages might be small but collective harm is substantial. The Frasco v. Flo Health case represented millions of women who used the fertility tracking app and had their health data improperly shared with Meta. Class actions provide efficiency in litigation while ensuring accountability for companies that cause widespread harm through their business practices.

Federal Trade Commission (FTC): The Federal Trade Commission serves as the primary federal agency responsible for consumer protection and privacy enforcement in the United States. The FTC investigates companies for deceptive practices and violations of consumer privacy rights, with authority to impose penalties and require changes to business practices. In this case, the FTC's earlier action against Flo Health for privacy violations provided regulatory precedent that supported the plaintiffs' legal arguments. The agency's involvement demonstrates the intersection between regulatory enforcement and private litigation in addressing privacy violations.

Menstrual and Reproductive Health Data: Menstrual and reproductive health data encompasses highly sensitive personal information about women's fertility cycles, pregnancy intentions, contraceptive use, and related health symptoms. This information is considered particularly private because it reveals intimate details about sexual activity, family planning decisions, and health conditions that could be used for discrimination or unwanted targeting. The sensitivity of this data type has prompted specific legal protections in many jurisdictions, with courts recognizing that unauthorized collection of such information represents a serious invasion of privacy requiring strong legal remedies.

Data Privacy Compliance: Data privacy compliance refers to adherence to laws and regulations governing the collection, use, and sharing of personal information. This includes obtaining proper consent, implementing security measures, providing transparency about data practices, and respecting user rights to control their information. The digital advertising industry faces increasing complexity in compliance as privacy laws proliferate globally with different requirements. Companies must navigate multiple regulatory frameworks while maintaining business functionality, often requiring significant technical and operational changes to data handling practices.

Targeted Advertising: Targeted advertising involves delivering personalized advertisements to users based on their demographics, interests, behaviors, or other characteristics derived from data collection. This practice has become fundamental to the digital advertising ecosystem, enabling advertisers to reach specific audiences more effectively while allowing platforms to command higher advertising rates. However, the use of sensitive health data for targeting raises ethical and legal concerns about exploitation of intimate personal information for commercial purposes without explicit user consent or awareness.

User Consent: User consent represents the legal and ethical foundation for collecting and processing personal data in most privacy frameworks. Valid consent must be freely given, specific, informed, and unambiguous, with users understanding exactly what data is collected and how it will be used. In this case, the jury found that Meta lacked proper consent for collecting health data through the Flo app, as users were unaware their information was being transmitted to the social media company. The consent requirement has become increasingly strict under modern privacy laws like GDPR and state legislation.

Digital Privacy Rights: Digital privacy rights encompass the fundamental principle that individuals should have control over their personal information in digital environments. These rights include knowing what data is collected, understanding how it's used, having the ability to access or delete personal information, and receiving protection from unauthorized data sharing. The Meta verdict represents a significant enforcement of these rights in the health data context, establishing that companies cannot secretly collect intimate personal information regardless of technical methods used. Privacy advocates view such decisions as essential for maintaining individual autonomy in an increasingly data-driven economy.

Summary

Who: Meta Platforms Inc. was found liable by a federal jury, while users of the Flo period-tracking app were the affected plaintiffs in this class action lawsuit.

What: The jury determined Meta violated the California Invasion of Privacy Act by intentionally collecting sensitive menstrual and reproductive health data without user consent through its software development kit embedded in the Flo app.

When: The data collection occurred between June 2016 and February 2019, with the verdict delivered on August 4, 2025.

Where: The case was decided in the United States District Court for the Northern District of California in San Francisco.

Why: Meta collected this health data through custom app events for research, development, marketing, and advertising purposes, exploiting intimate personal information to enhance its targeted advertising capabilities without obtaining proper user consent.