On 6 August 2025, a federal jury in California found that Meta illegally collected highly sensitive health data from users of the Flo women’s health app, breaching California’s Invasion of Privacy Act (CIPA). The class-action case, which began in 2021, accused Flo Health, Google, Meta, and analytics firm Flurry of harvesting intimate details such as menstrual cycles and pregnancy status without clear or informed user consent.
Flo, Google, and Flurry settled before trial, but Meta chose to defend itself in court. The jury concluded that between 2016 and 2019, Meta knowingly intercepted user inputs through “Custom App Events” embedded in Flo’s software development kit. This was deemed a direct violation of state law, as users had a reasonable expectation of privacy and were not adequately warned that such data would be shared.
The verdict could lead to significant financial penalties for Meta and underscores the growing legal scrutiny of how technology companies handle sensitive health data. It also highlights the increasing enforcement of privacy laws when it comes to personal information collected through mobile apps.
