Jury finds Meta illegally collected data from women's health app Flo — what you need to know

a photo of a woman using the Flo period tracking app
(Image credit: Shutterstock)

On Friday, a federal jury ruled that Meta – the last defendant in a lawsuit that initially also included Google, Flo Health and Flurry – had illegally collected user health data from period and pregnancy tracking app Flo.

The jury found that Meta violated California’s Invasion of Privacy Act by collecting data from Flo without user consent which violates the state's wiretap law.

The lawsuit was filed in 2021 against Flo Health, the maker of the app which tracks periods, ovulation and pregnancy; later other defendants were added including Meta, Google and Flurry, which is an app analytics company. The plaintiff’s trial brief stated that Flo’s onboarding survey required users to select a goal: whether they were currently pregnant, wanted to be pregnant, wanted to track a period or input other information (about pregnancy or a menstrual cycle).

While Flo said it would not disclose the information provided to it, it then gave access to both Google and Meta through CAEs (Custom App Events) in their respective SDKs (Software Development Kits) that were incorporated into the Flo App. The plaintiff’s brief said that each company had its own purpose in collecting and using the user data from the Flo app: Flo used it to acquire new users through advertising and marketing and also sold access to the CAEs to other third parties for profit.

Meanwhile Google and Meta each used the data for their own commercial purposes, including “to feed their machine learning algorithms that power each of their respective advertising networks.” This activity occurred between November 2016 and February 2019. The plaintiffs proved by a preponderance of evidence that Meta had intentionally eavesdropped on and/or recorded conversations using an electronic device, and that the company did not have consent from all parties to do so.

According to the verdict released by the U.S. District Court for the Northern District of California, the plaintiffs proved they had a reasonable expectation of privacy. Flo Health’s trial brief, although it was filed before that company’s settlement, stated the plaintiffs had consented to the very policies and practices they were now attacking and that “every version of the Flo Privacy Policy explicitly permitted Flo to use third-party analytics to monitor and improve the App and permitted Flo to share de-identified information for any purpose.”

The plaintiffs brief countered that Flo did not disclose it would share users' private health data with third parties, and that in fact, it promised the opposite.

The other defendants – Flo Health, Google and Flurry – all settled with the plaintiffs before the trial, though no details about two of those have been provided, the Flurry settlement is said to have been for $3.5 million and is still pending court approval.


Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.

More from Tom's Guide

TOPICS
Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.