A California jury found Meta violated state privacy laws when it collected reproductive health data from the Flo Health period tracking app and used it without consent for targeted advertising.
A California jury ruled that Meta violated the California Invasion of Privacy Act in the class action suit Frasco v. Flo Health, Inc., heard in the United States District Court of Northern California. The jury determined Meta harvested menstrual data from the Flo Health app and intentionally eavesdropped or recorded electronic conversations without consent. The jury form specifically asked whether evidence showed "Meta intentionally eavesdropped on and/or recorded" conversations through Flo's software development kits and whether users had "a reasonable expectation" the information was not "overheard and/or recorded." Meta was named as a defendant in this reproductive health data privacy case.
This case represents the latest in Meta's lengthy history of data privacy scandals. The Federal Trade Commission fined Facebook $5 billion in 2019 for failing to comply with a 2012 agreement to protect users' data. The European Union also said Meta violated EU privacy regulations. Meta's privacy issues date back to the Cambridge Analytica scandal, where the political consulting firm used breached consumer Facebook data to inform client campaigns, including the 2016 presidential campaign of then-candidate Donald Trump.
"This is a landmark moment in the effort to safeguard digital privacy rights," said Michael Canty of Labaton Keller Sucharow, the plaintiffs' legal representation. "Our clients entrusted their most sensitive information to a health app, only to have it exploited by one of the world's most powerful tech companies."
Meta legal representative Michele Johnson of Latham & Watkins reportedly said the plaintiffs agreed to Facebook's terms of service.
Meta founder, Chairman and CEO Mark Zuckerberg addressed previous privacy concerns in a 2018 Facebook post: "We have a responsibility to protect your data, and if we can't, then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again."
A Meta spokesperson told Reuters ahead of the trial that Meta does "not want health or other sensitive information," and its terms "prohibit developers from sending any."
This verdict shows a gap in healthcare data protection that HIPAA-covered entities must understand. While HIPAA protects health information within traditional healthcare settings, reproductive health apps like Flo Health operate outside HIPAA's scope, leaving users vulnerable to data harvesting by tech companies. Healthcare organizations partner with or recommend digital health tools to patients, but this case demonstrates how patient data can flow from these apps to advertising networks without HIPAA-level protections. Healthcare providers must carefully evaluate any digital health tools they endorse or integrate with their services, as patients may assume the same privacy protections apply across all health-related platforms.
Tech companies can no longer hide behind terms of service agreements when collecting sensitive reproductive health data without explicit consent. Healthcare app developers must carefully evaluate their data sharing partnerships to ensure they don't expose users' most private health information to advertising networks.
Yes, the legal reasoning could extend to any app collecting sensitive health data without proper consent.
This case was civil, but similar conduct could potentially be prosecuted under certain state or federal criminal statutes.
California’s law offers broader consumer protections than most federal statutes, especially for digital data collection.
Yes, Flo Health has faced prior FTC action and could still face additional lawsuits or regulatory penalties.
In California and some other jurisdictions, users have a right to request deletion under consumer privacy laws.