Tech giant Meta has been found guilty by a California jury in a class-action lawsuit brought by the users of period-tracking app Flo, who alleged the company collected private menstrual data without users’ consent, for ad-tracking purposes. The plaintiffs claim that Flo and Meta collected private data including period dates and fertility goals via Flo’s app without permission, therefore violating California Invasion of Privacy Act.
The lawsuit was originally filed in 2021 against Flo. It also named Meta, Google, and ad analytics companies AppsFlyer and Flurry as defendants though Google settled the case in July, and Flo did so earlier this month.
READ: Superintelligence Labs: Meta’s AI bet is already paying off (July 31, 2025)
The plaintiffs’ trial brief stated that “Flo allowed Google and Meta to eavesdrop on users’ private in-app communications” between November 2016 and February 2019. Flo app users had to complete an onboarding survey requiring them “to select a ‘goal’ indicating whether they are pregnant, want to be pregnant, or want to track their period, as well as input other information about their pregnancy or menstrual cycle.” While Flo claimed it wouldn’t be sharing this information with third parties, it gave Google and Meta access to this data via Custom App Events (CAEs) sent through their respective Software Development Kits (SDKs), incorporated in the Flo App, according to the brief.
“This verdict sends a clear message about the protection of digital health data and the responsibilities of Big Tech,” said Michael P. Canty and Carol C. Villegas, lead trial attorneys in the case. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable. Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data,” they added.
Meta said it disagreed with the verdict. “We vigorously disagree with this outcome and are exploring all legal options. The plaintiffs’ claims against Meta are simply false. User privacy is important to Meta, which is why we do not want health or other sensitive information, and why our terms prohibit developers from sending any,” a company spokesperson said in a statement.
READ: Mark Zuckerberg reaches settlement on $8 billion privacy litigation (July 17, 2025)
This is not the first time Meta landed in trouble over alleged breaches of privacy. Last month, the tech giant agreed to settle claims seeking $8 billion for the damage they allegedly caused the company by allowing repeated violations of Facebook users’ privacy. Shareholders accused Zuckerberg and other top executives of breaching fiduciary duties by ignoring privacy violations that stemmed from the Cambridge Analytica scandal and violations of a 2012 FTC consent decree. The trial began in July 2025 but abruptly ended after a confidential settlement was reached, avoiding public testimony from Zuckerberg, Sheryl Sandberg, and others.
In 2019, Meta paid a $5 billion fine to the U.S. Federal Trade Commission (FTC), marking one of the largest penalties ever imposed for privacy violations. This fine addressed Meta’s violation of its earlier agreement with the FTC to protect user data and came in the wake of revelations that personal information from 87 million users was improperly shared with Cambridge Analytica. In 2024, Meta agreed to a $1.4 billion settlement with Texas in 2024 over the illegal collection of biometric data under the Texas Capture or Use of Biometric Identifier (CUBI) Act. The lawsuit alleged Meta used facial recognition features without user consent.