Meta used Flo menstruation app data to sell ads, jury finds
(2025/08/05)
- Reference: 1754428947
- News link: https://www.theregister.co.uk/2025/08/05/meta_flo_data/
- Source link:
A jury has unanimously found Meta guilty of violating the California Invasion of Privacy Act by using data from menstruation and fertility app Flo to sell advertising to the social network.
"This is a landmark moment in the effort to safeguard digital privacy rights," said Michael Canty, lead trial attorney at Labaton Keller Sucharow LLP, representing the plaintiffs, in an emailed statement to The Register .
"Our clients entrusted their most sensitive information to a health app, only to have it exploited by one of the world’s most powerful tech companies. This verdict is a wake-up call to companies that view consent as a formality and transparency as optional."
[1]
Founded in 2015, Flo Health makes an iOS and Android app that about 70 million people use each month, according to the company. It can track not only period cycles and ovulation, but also sexual activity and health issues, should the user add in that data.
[2]
[3]
However, in 2019, the Wall Street Journal [4]reported Flo was sharing health events with Meta.
The discovery prompted the Federal Trade Commission to investigate the matter in 2020, and it issued a formal [5]complaint [PDF] in 2021. The complaint shows Meta, Fabric (formerly Twitter's SDK but later folded into Google's Firebase), and analytics biz Flurry had been using Flo data since 2016, and Google and marketing concern AppsFlyer since 2018.
[6]
Flo settled with the FTC without an admission of guilt but with an [7]agreement [PDF] to tell the third parties involved to destroy the data, submit a legally binding compliance report for five years after the decision, and undergo a full privacy audit.
[8]Mozilla finds 18 of 25 popular reproductive health apps share your data
[9]One year after Roe v Wade overturned and 'uterus surveillance' looks grim
[10]FTC sues data broker for selling millions of people's 'precise' location info
[11]Sneaky phone apps just about obey the law, still have no trouble guzzling your data, says Which?
That might have satisfied the government, but outraged users filed a class-action [12]lawsuit [PDF] over the case in 2021, citing invasion of privacy, breach of contract, unjust enrichment, and breaking the Stored Communications Act, as well as California medical information laws. The court documents from the Northern California district court cite Flo's original privacy statement in the complaint:
"WILL NOT TRANSMIT ANY OF YOUR PERSONAL DATA TO THIRD PARTIES, EXCEPT IF IT IS REQUIRED TO PROVIDE THE SERVICE TO YOU (E.G. TECHNICAL SERVICE PROVIDERS), UNLESS WE HAVE ASKED FOR YOUR EXPLICIT CONSENT," the app claimed in all capital letters.
In 2017, the terms were amended to say that some third parties would get data but only for "supply[ing] software applications, web hosting, and other technologies for the App," which "exclud[ed] information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share."
But instead, Flo allowed third parties, including Meta, to harvest data from what was known as "Custom App Events," which could include information such as the user's week of pregnancy or the fact that their period had started on a certain day, according to the original FTC complaint.
[13]
AppsFlyer was dismissed from the class-action lawsuit in 2022, and both Flurry and Google agreed to settle. But Meta is taking the case forward and seems determined to fight.
"We vigorously disagree with this outcome and are exploring all legal options," a Meta spokesperson told The Register . "The plaintiffs’ claims against Meta are simply false. User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any."
Facebook's Business Tools Terms stated: "You will not share Customer Data with us that you know or reasonably should know ... includes health," according to the FTC complaint. ®
Get our [14]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636
[5] https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_complaint.pdf
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf
[8] https://www.theregister.com/2022/08/17/mozilla_pregnancy_app/
[9] https://www.theregister.com/2023/06/27/post_dobbs_uterus_surveillance/
[10] https://www.theregister.com/2022/08/29/ftc_sues_kochava/
[11] https://www.theregister.com/2018/09/26/sneaky_apps_toe_the_line_of_lawfulness_says_which/
[12] https://regmedia.co.uk/2025/08/05/flo.pdf
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/
"This is a landmark moment in the effort to safeguard digital privacy rights," said Michael Canty, lead trial attorney at Labaton Keller Sucharow LLP, representing the plaintiffs, in an emailed statement to The Register .
"Our clients entrusted their most sensitive information to a health app, only to have it exploited by one of the world’s most powerful tech companies. This verdict is a wake-up call to companies that view consent as a formality and transparency as optional."
[1]
Founded in 2015, Flo Health makes an iOS and Android app that about 70 million people use each month, according to the company. It can track not only period cycles and ovulation, but also sexual activity and health issues, should the user add in that data.
[2]
[3]
However, in 2019, the Wall Street Journal [4]reported Flo was sharing health events with Meta.
The discovery prompted the Federal Trade Commission to investigate the matter in 2020, and it issued a formal [5]complaint [PDF] in 2021. The complaint shows Meta, Fabric (formerly Twitter's SDK but later folded into Google's Firebase), and analytics biz Flurry had been using Flo data since 2016, and Google and marketing concern AppsFlyer since 2018.
[6]
Flo settled with the FTC without an admission of guilt but with an [7]agreement [PDF] to tell the third parties involved to destroy the data, submit a legally binding compliance report for five years after the decision, and undergo a full privacy audit.
[8]Mozilla finds 18 of 25 popular reproductive health apps share your data
[9]One year after Roe v Wade overturned and 'uterus surveillance' looks grim
[10]FTC sues data broker for selling millions of people's 'precise' location info
[11]Sneaky phone apps just about obey the law, still have no trouble guzzling your data, says Which?
That might have satisfied the government, but outraged users filed a class-action [12]lawsuit [PDF] over the case in 2021, citing invasion of privacy, breach of contract, unjust enrichment, and breaking the Stored Communications Act, as well as California medical information laws. The court documents from the Northern California district court cite Flo's original privacy statement in the complaint:
"WILL NOT TRANSMIT ANY OF YOUR PERSONAL DATA TO THIRD PARTIES, EXCEPT IF IT IS REQUIRED TO PROVIDE THE SERVICE TO YOU (E.G. TECHNICAL SERVICE PROVIDERS), UNLESS WE HAVE ASKED FOR YOUR EXPLICIT CONSENT," the app claimed in all capital letters.
In 2017, the terms were amended to say that some third parties would get data but only for "supply[ing] software applications, web hosting, and other technologies for the App," which "exclud[ed] information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share."
But instead, Flo allowed third parties, including Meta, to harvest data from what was known as "Custom App Events," which could include information such as the user's week of pregnancy or the fact that their period had started on a certain day, according to the original FTC complaint.
[13]
AppsFlyer was dismissed from the class-action lawsuit in 2022, and both Flurry and Google agreed to settle. But Meta is taking the case forward and seems determined to fight.
"We vigorously disagree with this outcome and are exploring all legal options," a Meta spokesperson told The Register . "The plaintiffs’ claims against Meta are simply false. User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any."
Facebook's Business Tools Terms stated: "You will not share Customer Data with us that you know or reasonably should know ... includes health," according to the FTC complaint. ®
Get our [14]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636
[5] https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_complaint.pdf
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf
[8] https://www.theregister.com/2022/08/17/mozilla_pregnancy_app/
[9] https://www.theregister.com/2023/06/27/post_dobbs_uterus_surveillance/
[10] https://www.theregister.com/2022/08/29/ftc_sues_kochava/
[11] https://www.theregister.com/2018/09/26/sneaky_apps_toe_the_line_of_lawfulness_says_which/
[12] https://regmedia.co.uk/2025/08/05/flo.pdf
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJJ-6NyrcYQB0dTHxTdWLwAAAJU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/