SAN FRANCISCO (CN) — A jury found Friday that Meta violated the California Invasion of Privacy Act when it intentionally recorded the sensitive health information of millions of women through the period tracking app Flo.

"This is a landmark moment in the effort to safeguard digital privacy rights," said Michael P. Canty of the New York-based firm Labaton Keller Sucharow, who represented the plaintiffs. "Our clients entrusted their most sensitive information to a health app, only to have it exploited by one of the world’s most powerful tech companies.”

Jurors were given three questions — and on each one, they ruled against Meta. They said that yes, Meta had intentionally eavesdropped and that yes, users could have reasonably expected that their sensitive menstrual information was not being shared. Finally, the jurors ruled that no, Meta did not have consent for its actions.

In closing arguments, Canty had urged the jury to hold Big Tech accountable and send a message that Meta's data collection was unacceptable.

“Today, you get to decide how seriously Big Tech takes privacy," Canty said. "You have the opportunity today to tell Meta: you don't get a pass."

In contrast, Meta asked the jury to consider only one question: Did Facebook intentionally eavesdrop upon or record plaintiffs' confidential communications without consent? 

“The evidence is crystal clear,” argued Michele D. Johnson of Austin, Texas-based Latham & Watkins, who is representing Meta. “Based on the actual evidence we have seen, the answer is no.”

The Flo app launched in 2016 to help users track their periods, ovulation and pregnancy. Users answer a series of questions about their cycle, including the date and length of their last period. 

In a lawsuit in 2021, a class of app users sued Flo Health, claiming the company was improperly sharing personal identifying information and private health data with third parties. Among them: fellow defendants Facebook (now known as Meta), Google, ad analytics company AppsFlyer and defunct analytics company Flurry.

Earlier this month, Google said it had reached a settlement in principle with the class. Flurry settled with the users in March, and the class voluntarily dismissed its claims against AppsFlyer in 2022.

On Thursday, Flo announced it had also reached a settlement. The company admitted no wrongdoing.

“We have always maintained that the claims lacked merit,” it wrote in a statement. “We can now put the matter behind us so we can continue to focus on serving our customers and delivering our mission to advance the future of women’s health.”

During the trial, plaintiffs focused on software development kits or SDKs — prewritten bits of code that developers use to build apps and track analytics.

They argued that Flo's SDKs effectively worked like recording devices. “In 2025, recording devices come in all shapes and sizes,” Canty said.

Plaintiffs argued Meta intentionally used SDKs to record women’s communications through 12 “custom app events” with names like “R_SELECT_LAST_PERIOD_DATE” and “R_SELECT_CYCLE_LENGTH.” They claimed Meta received event data for each survey question users filled out and used the data for advertising. 

Meta "collected it, recorded it, used it, exploited it, profited from it," Canty said. "Ladies and gentlemen of the jury, that is intent."

Lastly, the users also argued they had a reasonable expectation of privacy on the app and that Meta did not have consent to record their personal information.

“Does a reasonable person think they were consenting to what happened here?” Canty said. “Show me in the [Meta] data policy where it says you give us permission to secretly record your private conversations with the Flo app.”

Meta began closing statements by highlighting the role the Flo app played in collecting users' data.

“The plaintiffs mixed a lot of things together that Flo did and Flo programmed, and [they] tried to ascribe the blame to Facebook,” Johnson said.

Johnson said Flo created the custom app events and determined what was sent to Facebook.

She described SDKs as like an envelope rather than a recording device, noting that an SDK can “sit on the app and do nothing unless a developer reaches out, puts information in and sends it." She added that Facebook did not receive specific questions and answers like a recording might provide and instead merely received coded information.

Johnson also rebuffed arguments that Facebook intentionally recorded users’ conversations.

Facebook prohibited Flo from sending any health data, she said, and required Flo to provide notice, obtain consent, and allow users to opt out of any data sharing. She claimed the plaintiffs intentionally omitted efforts by Facebook to mitigate the risk of sensitive data being shared.

As for users’ consent, Johnson said the plaintiffs agreed to Facebook’s terms of service. She speculated the suit was launched by attorneys.

Canty rebuked that claim on rebuttal, calling it an “insult to the women that got up here and testified about this private health data.”

The trial took place at the Philip Burton Federal Courthouse. U.S. District Judge James Donato, a Barack Obama appointee, presided.
Follow @mhattridge_

Subscribe to Closing Arguments

Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.

Additional Reads

• 

  Texas Senate passes THC ban despite previous veto August 1, 2025

• 

  Judge clears path for trial over Navy fuel spills that contaminated water July 31, 2025