Flo Health Lawsuit: Meta Found Liable for Tracking App Data Violations

Digital privacy concerns are rising as more apps collect deeply personal data from millions of users. Period trackers and other health apps have become especially controversial, as they store and transmit intimate details about reproductive health, sexual activity, and medical symptoms. Against this backdrop, the Flo Health lawsuit ended with a landmark Meta court ruling that found the tech giant liable for secretly tracking sensitive user data. 

At Almeida Law Group, we closely monitor data breach cases like these to keep individuals informed about how they may affect their rights and privacy. Our team is dedicated to helping consumers understand their options and hold companies accountable when personal information is compromised. 

Background on Flo Health and Its Popularity 

Flo Health is one of the most popular period tracker apps available, with over 180 million downloads and 38 million monthly users. As a period & ovulation tracking tool, Flo Health collects sensitive data about the user’s menstruation, masturbation, sexual activity, moods, health symptoms, and pregnancy. Flo Health requests this information both during sign up, as well as habitually over the course of use to predict ovulation dates and offer tailored health reproductive health suggestions to its users.  

How Meta, Google, and Others Obtained Sensitive Data  

The app explicitly promised that “sensitive reproductive health information” and answers given to its survey questions would not be disclosed outside of the platform. However, this sensitive data was shared with some of the biggest companies in the world, including Meta, Google and its parent company Alphabet, Appflyer, and Flurry.   

The Flo Health lawsuit is not an instance of a data breach or accidental violation. Instead, built-in tracking enabled the transmission of intimate health data to advertisers and analytics firms. The women’s health data lawsuit hinges upon software development kits (SDKs) from Meta, Google, and others that came embedded within the Flo app. SDKs are a bundle of code that app developers use to offer integrated services within their platforms. They can include data analytics options, advertising, and social media features. 

SDKs are often automatically enabled when you download an app onto your phone or other device. They can collect and transmit data back to the third party, like Meta or Google. This allows for data sharing beyond what users realize or can give meaningful consent to.  

About the Class Action Lawsuit Against Meta 

Google, Flurry, and Flo Health all chose to settle with the plaintiffs instead of fighting invasion of privacy claims in court. The class action lawsuit Frasco v. Flo Health, Inc. was consolidated in the N.D. of California in 2021 and was settled August 1, 2025, for an undisclosed amount. 

However, Meta chose to fight the allegations in court, which led to a jury ruling against the company issued as of August 7, 2025.  

The lawsuit alleged that Meta violated the California Invasion of Privacy Act (CIPA § 632), CMIA (Confidentiality of Medical Information Act), and California’s constitutional invasion of privacy. The jury unanimously decided that Meta was in violation of California law from its covert data collection, including reproductive health data, via SDKs embedded in the Flo Health app. The plaintiffs proved lack of consent, reasonable expectation of privacy, and intentional conduct in the case. The jury answered yes to the first two questions and no to the last:  

• Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device? 

• Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded? 

• Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it? 

Meta will almost certainly appeal.  

What Kind of Relief Will Class Members Receive From Meta? 

Class members may be on track to receive statutory damages under CIPA, which allows for $5,000 fines per violation. The Flo health decision against Meta can easily add up to millions in damages. However, the jury was not asked to award damages, so the total amount remains to be seen.  

What This Case Means for Privacy Law in the U.S. 

The US offers robust privacy protections for data shared directly with your doctor, but HIPAA does not apply to most apps like Flo. There are crucial gaps in US federal privacy laws when it comes to Big Tech and medical data sharing. While your doctor could not sell information about your last period to an advertiser, there are no regulations preventing an app from doing so. 

Meanwhile, international standards for privacy protection offer a markedly different standard. Legislation like the General Data Protection Regulation (GDPR) in the European Union sets strict rules for how data is collected, processed and stored by corporations. The GDPR also gives individuals rights over their own data and levies harsh fines against companies that violate its protections.  

Sensitive health data violations are only becoming more common as people turn to wearable tech to track their habits. The period tracker privacy case may be the tip of the iceberg when it comes to future violations in consumer data sharing. A recent study from the National Heart, Lung, and Blood Institute shares that almost 1 in 3 Americans now use a wearable device like a smart watch or ring for health monitoring. This is in addition to apps like Flo Health that require users to manually input data. Cases like the Flo Health lawsuit make it plain that additional pressure is mounting for legislative reform and stronger consumer protections, especially against the backdrop of more intrusive tech and the expanded surveillance potential it brings.  

How Almeida Law Group Fights Back Against Privacy Violations 

Almeida Law Group offers support for cases involving consumer fraud, issues with data security and privacy violations. One of the main ways that consumers can fight back is with a class action lawsuit. Class action litigation consolidates costs and allows consumers to leverage shared power against major corporations. We work with clients to recognize unauthorized data collection, surveillance and data sharing. We can then advise you about whether your case will be best pursued through a traditional lawsuit or a class action claim.  

While these cases are complex, Almeida Law Group has over fifty years of combined experience and thousands of class actions under our belt. We not only litigate consumer fraud cases, but we can also provide identity protection measures for our clients and advocate for you to receive maximum damages from your claim. Almeida Law Group can also help with: 

• Biometric Information Privacy Act Violations  

• Genetic Information Privacy Act Violations  

• False Advertising (including junk fee allegations)  

• Unfair & Deceptive Practices   

• FLSA and Wage & Hour Violations  

• Unsolicited Communications    

Flo Health Lawsuit Against Meta: Frequently Asked Questions 

Can I still join the lawsuit against Meta? 

No, the Meta court ruling has already been released. While damages have yet to be awarded, it is too late for additional plaintiffs to be added into the lawsuit.  

How can I check if I used the Flo Health app during the class period? 

U.S. users who entered menstruation or pregnancy information between the period of Nov 1, 2016 through Feb 28, 2019 (plus a California Subclass for California residents) may be included in the Flo Health settlement.  

What happens if I already deleted the Flo app; does that change anything? 

Deleting the app only removes the software from your personal device, not all of your data from the Flo system and associated SDKs. While this is bad news for your privacy, it does mean that deleting the app does not exclude you from participation in the class action lawsuit.  

Can people in states outside California still be affected by the Flo Health data sharing? 

Yes. While California offers additional privacy protections under the California Invasion of Privacy Act (CIPA § 632), the FTC also announced federal action against Flo Health. The federal settlement as well as nationwide class action claims may assist users who resided outside of California and used Flo Health during the specified period.   

What steps can I take now to protect my health data on apps? 

If you are worried about your health app data privacy, consider sending a specific data deletion or opt-out request directly to the company in question. Deactivating your account will not protect data that you have already entered. You will need to send a separate message to the customer support team and request that all information you have sent them be deleted from their system. Even then, consumers usually do not have any way to check that their request has been carried out.  

Besides requesting to delete your own data, you can also write to your senators and representatives urging them to pass data privacy protections for consumers. Currently 19 states have passed data protection statutes, but federal legislation has stalled.  

What happens next if Meta appeals the jury’s decision? 

If Meta appeals, the case will be considered in appellate court where it will be reviewed for legal errors. During the initial appeal, Meta will not be able to present new evidence. 

Contact Almeida Law Group to Learn More  

Almeida Law Group is experienced with privacy, data security, and targeted advertising lawsuits. If you believe your data was misused by an app, website, or wearable tech, contact Almeida Law Group for a consultation. Our attorneys are licensed in multiple states and federal courts. We can help you pursue justice with a consumer rights case.