Popular period-tracking app Flo Health shared users’ intimate health data—such as menstrual cycles and fertility information—with Google and Meta, allegedly for targeted advertising purposes, according to multiple class-action lawsuits filed in the US and Canada.

Between 2016 and 2019, the developers of Flo Health shared intimate user data with companies including Facebook and Google, mobile marketing firm AppsFlyer, and Yahoo!-owned mobile analytics platform Flurry. 

Google and Flo Health reached settlements with plaintiffs in July, just before the case went to trial. The terms, disclosed this week in San Francisco federal court, stipulate that Google will pay $48 million and Flo Health will pay $8 million to compensate users who entered information about menstruation or pregnancy between November 2016 and February 2019.

In an earlier trial, co-defendant Meta was found liable for violating the California Invasion of Privacy Act by collecting the information of Flo app users without their consent. Meta is expected to appeal the verdict.

The FTC investigated Flo Health and concluded in 2021 that the company misled users about its data privacy practices. This led to a class-action lawsuit which also involved the now-defunct analytics company Flurry, which settled separately for $3.5 million in March.

Flo and Google denied the allegations despite agreeing to pay settlements. Big tech companies have increasingly chosen to settle class action lawsuits while explicitly denying any wrongdoing or legal liability—a common trend in high-profile privacy, antitrust, and data breach cases.

It depicts a worrying trend where big tech pays off victims of privacy violations and other infractions. High-profile class-action lawsuits against, for example, Google, Meta, and Amazon, grab headlines for holding tech giants accountable. But the only significant winners are often the lawyers, leaving victims to submit personal details yet again in exchange for, at best, a token payout.

By settling, companies can keep a grip on the potential damages and avoid the unpredictability of a jury verdict, which in large classes could reach into billions. Moreover, settlements often resolve legal uncertainty for these corporations without setting a legal precedent that could be used against them in future litigation or regulatory actions.

Looking at it from a cynical perspective, these companies treat such settlements as just another operational expense and continue with their usual practices.

In the long run, such agreements may undermine public trust and accountability, as affected consumers receive minimal compensation but never see a clear acknowledgment of harm or misconduct.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A jury has ruled that Meta accessed sensitive information from a woman’s reproductive health tracking app without consent.

The app in question is called Flo Health. Developed in 2015 in Belarus to track menstrual cycles, it has evolved over the years as a tracking app for highly detailed, intimate aspects of women’s reproductive health.

Flo Health user Erica Frasco bought a class action lawsuit against the company in 2021, following a damning report about its privacy infractions by the Wall Street Journal in 2019.

Since she downloaded the app in 2017, Frasco, like its other users, regularly answered highly intimate questions. These ranged from the timing and comfort level of menstrual cycles, through to mood swings and preferred birth control methods, and their level of satisfaction with their sex life and romantic relationships. The app even asked when users had engaged in sexual activity and whether they were trying to get pregnant.

According to the complaint, Flo Health promised not to share this data with third parties unless it was necessary for the provision of its services. Even then, it would not only share information relevant to web hosting and app development, it promised. It would not include “information regarding your marked cycles, pregnancy, symptoms, notes and other information entered by [users]”, reported the original complaint.

Yet between 2016 and 2019 Flo Health shared that intimate data with companies including Facebook and Google, along with mobile marketing firm AppsFlyer, and Yahoo!-owned mobile analytics platform Flurry. Whenever someone opened the app, it would be logged. Every interaction inside the app was also logged, and this data was shared.

Flo Health didn’t impose rules on how these third parties could use the data. “In fact, the terms of service governing Flo Health’s agreement with these third parties allowed them to use the data for their own purposes, completely unrelated to services provided in connection with the App,” the complaint went on.

By December 2020, 150 million people were using the app, according to court documents. Flo had promised them that they could trust it.

Users were “trusting us with intimate personal information,” it said in its privacy policy. “We are committed to keeping that trust, which is why our policy as a company is to take every step to ensure that individual user’s data and privacy rights are protected.”

The Federal Trade Commission investigated these allegations and settled with Flo Health in 2021, imposing an independent review of its privacy policy and mandating that it not misrepresent its app.

The class action lawsuit claims common law invasion of privacy, breach of contract and implied contract, unjust enrichment, and breach of the Stored Communications Act and the California Confidentiality of Medical Information Act. It seeks damages for plaintiffs, along with some of the company’s profit.

Google and Flo Health have both settled with plaintiffs already, but Meta has not. The jury ruled that Meta intentionally “eavesdropped on and/or recorded their conversations by using an electronic device,” and that it did so without consent.

This case is important on so many levels. Aside from general privacy concerns, women’s menstrual health is an area of particular contention after the US Supreme Court removed the constitutional right to abortion in June 2022. That year, Meta came under scrutiny for providing police with private message data between a mother and her daughter planning medication to abort a pregnancy.

We could simply say “Don’t use Flo Health”, but the app was trusted until it was found out. How many others are sharing data in similarly irresponsible ways? Increasingly, we lean toward simply not using apps to track sensitive data of this kind at all.

However, then there are the websites to worry about. A report by Propublica found that online pharmacies selling abortion pills were sharing sensitive data with Google and others. This could give law enforcement evidence in cases against women, it said. Technology promised us convenience, but its misuse also brings serious dangers to users.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.