Meta's Illegal Data Collection from Women's Health App Flo — Key Details

Meta Found Liable in Health Data Privacy Violation Case

A recent ruling by a federal jury has determined that Meta, the last remaining defendant in a multi-company lawsuit, illegally collected user health data from the Flo period and pregnancy tracking app. This case initially involved other tech giants like Google, Flo Health, and Flurry, but the final verdict focused on Meta’s role in the data collection.

The jury found that Meta violated California’s Invasion of Privacy Act by collecting data from Flo without obtaining proper user consent. This action also breached the state's wiretap law, which prohibits the unauthorized interception of private communications.

The lawsuit was first filed in 2021 against Flo Health, the company behind the Flo app, which is designed to help users track their menstrual cycles, ovulation, and pregnancy. Over time, additional defendants were added, including Meta, Google, and Flurry, an app analytics company. According to the plaintiff’s trial brief, Flo’s onboarding process required users to select a goal, such as being pregnant, wanting to become pregnant, or tracking a menstrual cycle. Users were also given the option to input other information related to pregnancy or their menstrual cycle.

Despite Flo’s claims that it would not disclose the information provided by users, the app shared this data with both Google and Meta through Custom App Events (CAEs) integrated into their respective Software Development Kits (SDKs). The plaintiffs’ brief explained that each company had different intentions for using the data: Flo used it for advertising and marketing, while also selling access to CAEs to third parties for profit. Meanwhile, Google and Meta utilized the data for commercial purposes, including training their machine learning algorithms that power their advertising networks. This activity took place between November 2016 and February 2019.

During the trial, the plaintiffs presented evidence that Meta had intentionally eavesdropped on and/or recorded conversations using electronic devices without obtaining consent from all parties involved. The court ruled in favor of the plaintiffs, stating that they had a reasonable expectation of privacy.

Flo Health’s trial brief, submitted before its settlement, argued that the plaintiffs had consented to the policies and practices they later challenged. It claimed that every version of the Flo Privacy Policy allowed the company to use third-party analytics to monitor and improve the app, as well as share de-identified information for any purpose. However, the plaintiffs countered that Flo did not inform users it would share their private health data with third parties and, in fact, made promises to the contrary.

All other defendants — Flo Health, Google, and Flurry — settled with the plaintiffs before the trial. While details about two of these settlements remain undisclosed, the Flurry settlement is reported to be $3.5 million and is still pending court approval.

This case highlights the growing concerns around data privacy, especially when it comes to sensitive health information. As more users rely on apps to track personal health data, questions about how this information is collected, stored, and shared continue to raise important legal and ethical issues.