Meta’s internal practices raised major concerns over private user data and transparency.
A federal jury in San Francisco ruled that Meta broke California committed a privacy violation by secretly gathering sensitive health information from users of the Flo app. The case centered on the way period tracking data was shared between Flo Health and tech platforms, particularly Meta, the parent company of Facebook. The jury found that Meta had knowingly recorded private details from millions of women without getting proper consent, violating the California Invasion of Privacy Act.
The privacy violation case began after a class-action lawsuit was filed in 2021, accusing Flo Health of sharing private data with outside companies, including Meta, Google, and analytics firms. Over the course of the case, several of the companies settled or were dropped from the lawsuit. Flo reached a settlement just before the verdict, admitting no wrongdoing. Google settled earlier this month, and other parties exited in earlier phases. Meta, however, fought the allegations in court and lost.
At trial, the focus turned to the app’s use of software development kits, which are pieces of reusable code often embedded into mobile apps to help developers track usage. According to attorneys for the plaintiffs, these SDKs acted as silent tools committing a privacy violation by passing personal information directly to Meta without user permission. Examples of the shared data included selections made in Flo’s survey questions—details like cycle length or last period date. Each time a user answered, Meta allegedly collected and recorded that information through the SDKs.
Meta denied any wrongdoing, claiming it had not knowingly recorded anyone’s communications. The company’s attorney argued that the SDKs functioned more like envelopes than recording devices—harmless until a developer fills them with data and sends them off. Meta said Flo was the one responsible for creating the app events and choosing which data to transmit. In Meta’s view, the jury should have focused only on whether Facebook directly eavesdropped without consent. They argued it had not.
But the jury saw things differently. All three questions presented to them came back with a clear answer: Meta acted intentionally, users had a right to expect privacy, and no valid consent had been given. Testimony during the trial supported the idea that users were unaware their health information was being collected and used in ways not clearly described in any data policy. One plaintiff’s attorney argued that Meta had quietly profited from intimate details of people’s lives and that this behavior was deliberate.
Meta’s defense tried to shift the responsibility to Flo Health, saying Facebook had safeguards in place to stop the sharing of health data. They also pointed to Flo’s responsibility to notify users and collect consent. However, the plaintiffs argued that such defenses didn’t hold up, especially when real users testified that they never agreed to have their data shared with Facebook. They said no ordinary person would assume that answering a question about their menstrual cycle meant their answers would end up in Meta’s systems.
The jury’s verdict is being described as a rare win for digital privacy. Advocates for the plaintiffs say this outcome could force tech companies to take user privacy more seriously. It also raises questions about how health apps collect and share information, particularly in an age where many rely on such platforms for sensitive personal tracking.
The case was heard at the Phillip Burton Federal Courthouse, with U.S. District Judge James Donato presiding. The outcome may lead other companies to review their partnerships and data sharing practices, especially when it involves apps that deal with health, reproductive tracking, or personal wellness.
The decision shows that jurors are paying attention to how tech companies handle data and may no longer accept vague disclosures or general terms of service as meaningful consent. For Meta, this marks another legal setback involving user data. For users of digital health tools, the case serves as a reminder of how little control they may have over where their private information actually ends up.
Sources:
Meta violated privacy law, jury says in menstrual data fight
Join the conversation!