Jury finds Meta violated privacy law collecting health data

A federal jury in San Francisco delivered a verdict on August 4, 2025, discovering Meta Platforms Inc. violated the California Invasion of Privateness Act by secretly gathering delicate menstrual and reproductive well being information from tens of millions of girls via the period-tracking app Flo.

In response to the decision kind, the jury answered “sure” as to if Meta deliberately eavesdropped on and recorded person conversations via digital gadgets. The jury additionally confirmed customers had an affordable expectation their conversations wouldn’t be overheard or recorded, whereas answering “no” as to if Meta obtained consent from all events concerned.

The unanimous verdict marks the primary main jury resolution in opposition to a Large Tech firm in a privateness case centered on reproductive well being information. Reached after simply three hours of deliberation, the choice represents a big loss for the tech big in a carefully watched civil case that would assist set boundaries on how far tech companies can go in gathering private information to be used in focused promoting.

Technical mechanisms uncovered

The case centered on Meta’s use of a software program improvement package embedded throughout the Flo app between June 2016 and February 2019. Plaintiffs argued that the SDK acted as a secret “recording machine,” capturing extremely delicate menstrual and reproductive well being information that customers entered into the app.

Proof introduced throughout the trial revealed how Meta collected this info via “customized app occasions” with descriptive names similar to “R_SELECT_LAST_PERIOD_DATE” and “R_SELECT_CYCLE_LENGTH.” These occasions systematically documented person interactions throughout the Flo app, creating detailed information of intimate well being info.

The Flo app had collected in depth private information via survey questions protecting subjects together with menstrual cycles, sexual exercise frequency, contraceptive strategies, and being pregnant intentions. Customers offered this info primarily based on assurances that their intimate well being information would stay protected and confidential.

Authorized proceedings and sophistication motion

The lawsuit, filed in 2021 as Erica Frasco v. Flo Well being, initially named a number of defendants together with Google, AppsFlyer, and Flurry. Google settled the case in July 2025, whereas Flo Well being reached a settlement earlier in August. The category motion represented customers who entered menstruation and being pregnant info into the Flo app between November 2016 and February 2019.

Throughout closing arguments, plaintiffs’ legal professional Michael Canty argued that Meta “collected it, recorded it, used it, exploited it, profited from it,” demonstrating clear intent to violate person privateness. Meta’s protection group, led by Michele Johnson from Latham & Watkins, contended that information assortment resulted from Flo’s programming somewhat than Fb’s intentional eavesdropping.

The litigation builds upon earlier regulatory motion. The Federal Commerce Fee filed a grievance in opposition to Flo Well being in January 2021, in the end leading to a settlement requiring the corporate to acquire impartial privateness evaluations and person consent earlier than sharing well being information.

Business implications

Privateness advocates view the decision as establishing necessary precedent for digital privateness rights enforcement. “It sends a message to the trade, or it ought to, that courts are taking this severely and contemplating the affect of those broadly unregulated advert monitoring methods,” stated Suzanne Bernstein, counsel on the Digital Privateness Info Middle.

The choice might affect how firms deal with software program improvement kits and monitoring applied sciences throughout cellular functions. Ian Cohen, CEO of privateness compliance supplier Lokker, famous that “Only a few privateness lawsuits involving monitoring applied sciences survive lengthy sufficient to be licensed as a category, not to mention go to trial.”

Meta’s spokesperson said the corporate “vigorously disagrees” with the decision and is exploring all authorized choices. “The plaintiffs’ claims in opposition to Meta are merely false,” the assertion stated. “Person privateness is necessary to Meta, which is why we don’t need well being or different delicate info and why our phrases prohibit builders from sending any.”

This verdict coincides with broader trade modifications affecting digital promoting. Privacy regulations continue reshaping targeting capabilities, as cellular promoting faces challenges with 54% of cellular impressions now missing identifier protection. Firms more and more undertake contextual concentrating on and first-party information methods to take care of promoting effectiveness whereas complying with evolving privateness necessities.

The case displays rising regulatory scrutiny of well being information practices throughout platforms. European authorities have imposed significant fines on companies for improper health data transfers to Meta, whereas German courts recently awarded individual compensation for Meta’s data protection violations.

The precise quantity of damages Meta can pay stays unclear, as the decision addresses legal responsibility somewhat than compensation. The case now strikes to the damages part, the place financial awards shall be decided for the category members affected by the privateness violations.

Timeline

• June 2016: Meta begins gathering information from Flo app via SDK implementation
• February 2019: Wall Road Journal stories Flo Well being sharing intimate well being information with Fb and Google
• January 13, 2021: Flo Well being settles with FTC over privateness violations
• January 29, 2021: Preliminary class motion grievance filed in opposition to Flo Well being
• June 6, 2022: Courtroom grants Flo Well being’s movement to dismiss some claims whereas denying others
• March 24, 2022: Events file joint declaration confirming discovery cooperation
• July 2025: Google settles case earlier than trial
• August 2025: Flo Well being reaches settlement settlement
• August 4, 2025: Jury delivers unanimous verdict in opposition to Meta

Key Phrases Defined

California Invasion of Privateness Act (CIPA) The California Invasion of Privateness Act represents some of the complete state privateness legal guidelines in the US, initially enacted within the Sixties. This wiretapping legislation prohibits the intentional recording or eavesdropping on confidential communications with out consent from all events concerned. Within the digital age, courts have more and more utilized CIPA to digital information assortment practices, establishing that firms can not secretly intercept person communications via apps or web sites. The legislation supplies for vital penalties together with statutory damages and potential legal legal responsibility for violations.

Software program Growth Package (SDK) A Software program Growth Package features as a set of software program instruments that allows third-party firms to combine their companies into cellular functions. SDKs include code libraries, documentation, and APIs that app builders can embed so as to add performance like analytics monitoring, promoting, or social media integration. On this case, Meta’s SDK allowed the corporate to gather information instantly from the Flo app with out customers’ information. These toolkits have change into normal in cellular app improvement however elevate privateness issues after they transmit delicate person info again to the SDK supplier.

Customized App Occasions Customized App Occasions signify particular person interactions inside cellular functions that builders can observe and analyze. Not like normal occasions similar to app opens or crashes, customized occasions are programmed to seize explicit person behaviors distinctive to every utility. Within the Flo app, these occasions had descriptive names like “R_SELECT_LAST_PERIOD_DATE” that exposed intimate well being details about customers’ menstrual cycles and reproductive selections. The systematic assortment of those occasions enabled Meta to construct detailed profiles of customers’ well being standing and intimate private choices.

Class Motion Lawsuit A category motion lawsuit permits a consultant plaintiff to sue on behalf of a bigger group of people that suffered related hurt from the identical defendant’s conduct. This authorized mechanism proves important in privateness circumstances the place particular person damages could be small however collective hurt is substantial. The Frasco v. Flo Well being case represented tens of millions of girls who used the fertility monitoring app and had their well being information improperly shared with Meta. Class actions present effectivity in litigation whereas guaranteeing accountability for firms that trigger widespread hurt via their enterprise practices.

Federal Commerce Fee (FTC) The Federal Commerce Fee serves as the first federal company liable for client safety and privateness enforcement in the US. The FTC investigates firms for misleading practices and violations of client privateness rights, with authority to impose penalties and require modifications to enterprise practices. On this case, the FTC’s earlier motion in opposition to Flo Well being for privateness violations offered regulatory precedent that supported the plaintiffs’ authorized arguments. The company’s involvement demonstrates the intersection between regulatory enforcement and personal litigation in addressing privateness violations.

Menstrual and Reproductive Well being Information Menstrual and reproductive well being information encompasses extremely delicate private details about girls’s fertility cycles, being pregnant intentions, contraceptive use, and associated well being signs. This info is taken into account notably personal as a result of it reveals intimate particulars about sexual exercise, household planning choices, and well being situations that might be used for discrimination or undesirable concentrating on. The sensitivity of this information sort has prompted particular authorized protections in lots of jurisdictions, with courts recognizing that unauthorized assortment of such info represents a critical invasion of privateness requiring sturdy authorized cures.

Information Privateness Compliance Information privateness compliance refers to adherence to legal guidelines and rules governing the gathering, use, and sharing of non-public info. This contains acquiring correct consent, implementing safety measures, offering transparency about information practices, and respecting person rights to manage their info. The digital promoting trade faces growing complexity in compliance as privateness legal guidelines proliferate globally with totally different necessities. Firms should navigate a number of regulatory frameworks whereas sustaining enterprise performance, usually requiring vital technical and operational modifications to information dealing with practices.

Focused Promoting Focused promoting entails delivering customized ads to customers primarily based on their demographics, pursuits, behaviors, or different traits derived from information assortment. This observe has change into elementary to the digital promoting ecosystem, enabling advertisers to achieve particular audiences extra successfully whereas permitting platforms to command larger promoting charges. Nonetheless, the usage of delicate well being information for concentrating on raises moral and authorized issues about exploitation of intimate private info for business functions with out specific person consent or consciousness.

Person Consent Person consent represents the authorized and moral basis for gathering and processing private information in most privateness frameworks. Legitimate consent should be freely given, particular, knowledgeable, and unambiguous, with customers understanding precisely what information is collected and the way will probably be used. On this case, the jury discovered that Meta lacked correct consent for gathering well being information via the Flo app, as customers had been unaware their info was being transmitted to the social media firm. The consent requirement has change into more and more strict underneath trendy privateness legal guidelines like GDPR and state laws.

Digital Privateness Rights Digital privateness rights embody the basic precept that people ought to have management over their private info in digital environments. These rights embrace figuring out what information is collected, understanding the way it’s used, being able to entry or delete private info, and receiving safety from unauthorized information sharing. The Meta verdict represents a big enforcement of those rights within the well being information context, establishing that firms can not secretly gather intimate private info no matter technical strategies used. Privateness advocates view such choices as important for sustaining particular person autonomy in an more and more data-driven financial system.

Abstract

Who: Meta Platforms Inc. was discovered liable by a federal jury, whereas customers of the Flo period-tracking app had been the affected plaintiffs on this class motion lawsuit.

What: The jury decided Meta violated the California Invasion of Privateness Act by deliberately gathering delicate menstrual and reproductive well being information with out person consent via its software program improvement package embedded within the Flo app.

When: The information assortment occurred between June 2016 and February 2019, with the decision delivered on August 4, 2025.

The place: The case was determined in the US District Courtroom for the Northern District of California in San Francisco.

Why: Meta collected this well being information via customized app occasions for analysis, improvement, advertising, and promoting functions, exploiting intimate private info to reinforce its focused promoting capabilities with out acquiring correct person consent.