Meta lost a major privacy trial as the California jury ruled that they broke state privacy laws by collecting data from the popular period-tracking app Flo, including private health data and pregnancy goals. The case claimed that, among other actions, Meta used the data to create targeted advertising content. The plaintiff’s lawyers who sued Meta are calling this a “landmark” victory while the tech company contends that the jury got it all wrong.
The case goes back to 2021, when eight women sued Flo and a group of other tech companies, including Google and Facebook, now known as Meta. The stakes were extremely personal. Flo asked users about their sex lives, mental health and diets, and guided them through menstruation and pregnancy. Then, the women alleged, Flo shared pieces of that data with other companies. Originally, the lawsuit included the creators of the Flo app, Google, and the analytics company Flurry, as well as Meta. All the other companies settled, most recently Flo in late July, as is common in class action lawsuits about tech privacy. This left only Meta to continue with the trial, which has now concluded. And they lost.
The lawsuit against Meta centered on its Facebook software development kit (SDK), which Flo had integrated into its app for analytics and advertising purposes. According to the plaintiffs, between June 2016 and February 2019, Flo transmitted various “Custom App Events” to Facebook through this SDK, such as users interacting with features in the app’s “trying to conceive” section. The complaint also highlighted Facebook’s business tool terms, which indicated that the company used “event data” to tailor ads and content. In a 2022 court filing, Meta acknowledged that Flo employed its SDK during the specified timeframe and confirmed that the app shared data related to “App Events.” However, the company denied ever receiving sensitive health-related information from Flo.
“Each of the Defendants had their own purpose for collecting and using Flo user data,” the brief said. “Flo used this information to acquire new app users through advertising and marketing, including advertisements based on Flo App users’ reproductive goals (e.g., getting pregnant). Flo also sold access to the CAEs sent through SDKs to other third parties for profit. Google and Meta separately used the data they intercepted for their own commercial purposes, including to feed their machine learning algorithms that power each of their respective advertising networks.”
The jury agreed that Meta had intentionally eavesdropped on the plaintiffs when they had a reasonable expectation of privacy, and did not have consent to eavesdrop or record data in this way. Meta, however, disagrees. The company has announced plans to appeal the ruling, maintaining that the plaintiffs’ allegations are untrue. “User privacy matters to Meta,” the company stated, adding that it explicitly prohibits developers from sharing health or other sensitive data, which it claims it does not want to receive.
Meta’s opponents, on the other hand, celebrated. Michael Canty and Carol Villegas, the plaintiffs’ lawyers, praised the jury’s decision in statements sent to SFGATE. In Villegas’ words, the “verdict is a wake-up call to companies that view consent as a formality and transparency as optional.” Canty called it a “landmark moment in the effort to safeguard digital privacy rights.”
“Our clients entrusted their most sensitive information to a health app, only to have it exploited by one of the world’s most powerful tech companies,” Canty wrote.
The jury’s ruling could have far-reaching effects. Per a June filing about the case’s class action status, more than 3.7 million people in the United States registered for Flo between November 2016 and February 2019. Those potential claimants are expected to be updated via email and on a case website; it’s not yet clear what the remittance from the trial or settlements might be.
