Meta violated privacy

According to a jury in a federal California lawsuit, Meta violated California privacy laws by eavesdropping and recording confidential communications without the consent of millions of individuals who used Flo Health’s fertility app embedded with Meta’s software tools and tracking pixels.

Flo Health created an app to help users track menstrual cycles and pregnancies. Google and Meta provided Flo Health with software development kits (SDKs) to enhance data gathering. Flurry, a data analytics company, also supported the app.

The lawsuit, Frasco v. Flo Health, was originally brought by a group of consumer app users against Flo Health, Google, Meta, and Flurry. A federal district court certified the case as a class action, and it went to trial on July 21, 2025. Before the trial started, Google and Flurry settled the claims against them. After the trial started, Flo Health settled the claims against it on July 31, but Meta chose not to settle and let the case go to the jury. The jury reached its verdict on August 1.

According to the lead plaintiffs’ counsel, law firm Labaton Keller Sucharow LLP:

“On August 1, 2025, the jury found Meta liable for its role in the unauthorized collection and commercial use of highly personal health data, which plaintiffs argued was used to strengthen Meta’s targeted advertising business. The jury verdict applies solely to Meta.”

Web Trackers in Healthcare Present Risk

When healthcare companies engage big tech companies like Google and Meta to enhance their data gathering, there is a risk of unauthorized disclosures of private personal health information of individuals who use the company’s websites, apps or patient portals. Although Flo Health is not a HIPAA covered entity, it is still required to protect privacy under California law.

Last week we wrote about a web tracker lawsuit against BJC HealthCare, where BJC settled the case for $9.25 million rather than go to trial. BJC is a hospital system and healthcare provider, so it is a covered entity, and subject to HIPAA.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and the Federal Trade Commission (FTC) have both stated that web trackers in healthcare settings may violate HIPAA and other federal consumer protection laws. See HIPAA Enforcement of Website Tracking Breaches and FTC and OCR Target Health Privacy.

In fact, Flo Health defended an FTC enforcement action in 2021 involving similar allegations. In its settlement with the FTC, Flo Health agreed to revise its privacy policies, including obtaining app users’ consent before sharing their health information.

Meta Faces Other Web Tracker Lawsuits

Meta is also defending several other consolidated class action data privacy-related lawsuits involving the use of its Pixel tracking code in other health-related websites and apps. See also Judge Gives Green Light to Meta Pixel Web Tracker Lawsuit.

The Frasco v. Flo Health case is a good example of the similar health data breach class actions currently playing out in California federal courts. Plaintiffs file cases in California to take advantage of its strict privacy laws, and Meta requires users of its services to agree to bring disputes exclusively in California.

Meta Contends it Was Not at Fault

Meta is the only defendant in the Flo Health case that refused to settle and is likely to appeal the decision. Meta will likely contend that it is protected by its terms of service, which establish a contract with its users, including Flo Health.

Meta’s position is that Flo Health failed to comply with those terms, which Meta says are designed to protect consumers’ private and sensitive information. Its appeal of the case will be a test of the level of protection provided by Meta’s carefully written terms and conditions.
