TLDR
Flo's period tracker lawsuit centered on one issue: the app sent reproductive-health data to third parties after promising users it would keep that data private. The FTC acted in 2021. The later class action settlements reached a combined $59.5M. The case still matters because it exposed the limits of policy-based privacy in a cloud-based tracker.
- Class action: A lawsuit filed by one or more plaintiffs on behalf of a larger group (the 'class') who suffered the same harm. In the Flo case, the class included US users whose reproductive health data was shared with third parties without consent. Class actions allow affected individuals to pursue claims collectively rather than filing separate suits.
- FTC consent order: A binding agreement between the Federal Trade Commission and a company that resolves an enforcement action without a trial. Flo's 2021 consent order required the company to notify affected users, direct third parties to delete improperly shared data, and implement a privacy program. Consent orders carry the force of law and violating one triggers additional penalties.
- SDK (software development kit): Pre-built code that app developers embed to add functionality like analytics, advertising, or crash reporting. SDKs run inside the app and can transmit user data to the SDK provider's servers. The FTC found that Flo embedded Facebook and Google SDKs that automatically sent reproductive health data to those companies.
- CMIA (Confidentiality of Medical Information Act): A California state law that protects the confidentiality of individually identifiable medical information. The Frasco v. Flo Health class action alleged violations of the CMIA because Flo shared reproductive health data — which qualifies as medical information under California law — without user authorization.
- CIPA Section 632: California Invasion of Privacy Act provision that prohibits intentional eavesdropping on confidential communications. The jury in Frasco v. Flo Health found Meta liable under this section for intercepting health data transmitted from the Flo app via Facebook's SDK. Violations carry statutory damages of $5,000 per violation or three times actual damages.
- Health Breach Notification Rule: An FTC regulation requiring non-HIPAA health apps to notify users when their health data is disclosed without authorization. Updated in July 2024 to explicitly cover health apps and define unauthorized data sharing as a breach. The Chopra-Slaughter dissent in the Flo case catalyzed its broader enforcement against GoodRx and BetterHelp.
Flo’s period tracker lawsuit is not just a headline about a payout. It is the clearest recent example of what happens when a cycle-tracking app keeps intimate data on company servers, routes that data through third-party SDKs, and then tries to clean it up after the fact.
The short version is straightforward. The FTC said Flo shared reproductive-health data with Facebook, Google, and Flurry despite making privacy promises to users. The settlements that followed reached a combined $59.5M. If you are deciding whether to keep using Flo, the key question is not whether the case settled. It is whether the product architecture changed enough to remove the company-side data risk.
Timeline of the Flo Lawsuit
January 2021: FTC Enforcement Action
The Federal Trade Commission announced an enforcement action against Flo Health, Inc. The FTC found that between 2016 and 2019, Flo shared users’ reproductive health information — period dates, pregnancy status, and health symptoms — with Facebook and Google via embedded third-party SDKs.
Flo’s privacy policy at the time stated user data would not be shared with third parties except as needed to operate the service. The FTC concluded this was an unfair and deceptive practice under Section 5 of the FTC Act.
The resulting consent order required Flo to notify affected users and direct Facebook, Google, and Flurry to delete the improperly shared data.
Source: FTC press release, January 2021
June 2021: FTC Order Finalized
The FTC finalized its consent order with Flo Health. The order required Flo to implement a privacy program and obtain user consent before sharing health data with third parties going forward.
Source: FTC finalization, June 2021
March 2025: Flurry (Yahoo) Settles for $3.5M
Flurry, a Yahoo-owned analytics company that received Flo user data through its SDK, settled its portion of the class action for $3.5M.
July 2025: Google + Flo Settle for $56M
Google and Flo Health agreed to pay a combined $56M to settle the class action. Reuters reported that the settlement resolved claims that they “violated the privacy of millions of Flo app users.” The plaintiffs alleged violations of the California Confidentiality of Medical Information Act (CMIA), common law invasion of privacy, and the California Constitution’s privacy protections.
Source: Reuters, September 2025; ClassAction.org, September 2025
August 1, 2025: Jury Finds Meta Liable
During the Frasco v. Flo Health trial, Flo settled its remaining claims on July 31, 2025. The next day, August 1, 2025, the jury found Meta liable for its role in receiving Flo users’ reproductive health data through the Facebook SDK.
Source: Labaton, Frasco v. Flo Health
Combined Total: $59.5M
The HIPAA Journal reported the combined settlement figure: $3.5M (Flurry) + $56M (Google + Flo) = $59.5M. AllNet Law described it as “a $59.5 million lesson on intimate data informed consent.”
Source: HIPAA Journal, September 2025; AllNet Law, February 2026
Case Details
The full case caption is Frasco et al. v. Flo Health, Inc., et al., Case No. 3:21-cv-00757-JD, filed in the Northern District of California before Judge James Donato. Eight named plaintiffs led by Erica Frasco brought the action.
The class covered all US Flo users who entered menstruation or pregnancy data between November 1, 2016 and February 28, 2019. A California subclass brought additional claims under CIPA Section 632 and the CMIA.
Named defendants: Flo Health, Meta Platforms, Google, Flurry, and AppsFlyer. AppsFlyer was voluntarily dismissed in 2022.
The FTC Consent Order
The FTC enforcement action against Flo Health is filed as FTC File No. 192 3133, Docket C-4747. The consent order was finalized on June 22, 2021 by a 4-0-1 vote. Chair Lina Khan recused herself.
This was the first time the FTC ordered a company to notify affected users of a privacy enforcement action. The order required Flo to instruct third-party recipients to destroy the shared data, obtain affirmative express consent before any future health data sharing, and complete an independent privacy review within 180 days.
Commissioners Chopra and Slaughter dissented in part. They argued the Health Breach Notification Rule already covered Flo’s conduct and should have been enforced directly. Their dissent catalyzed subsequent HBNR enforcement actions against GoodRx and BetterHelp in 2023.
The Meta Verdict
On August 1, 2025, the jury deliberated approximately three hours before finding Meta liable under CIPA Section 632. The jury concluded that Meta intentionally eavesdropped on private health communications transmitted from the Flo app via Facebook’s SDK.
The jury found that users had a reasonable expectation of privacy when entering reproductive health data into Flo, and that Meta did not obtain consent to intercept that data.
Under CIPA Section 637.2, each violation carries potential statutory damages of $5,000 or three times actual damages. Given the class size — millions of Flo users during the relevant period — the potential damages reach into the billions.
Judge Donato denied all Meta post-trial motions on September 15, 2025. Meta’s appeal is pending as of April 2026.
Settlement Details
The settlement administrator is A.B. Data, Ltd. The claims website is periodtrackerdataprivacylitigation.com. The individual settlement amounts break down as follows: Flurry (Yahoo) paid $3.5M in March 2025, Google paid $48M on July 3, 2025, and Flo Health paid $8M on July 31, 2025.
California residents receive twice the pro rata share of non-California class members. The preliminary approval hearing is scheduled for April 16, 2026.
What This Means for Current Flo Users
The settlement resolved the financial claims from the original data sharing conduct. It did not change how Flo works.
After the FTC action, Flo introduced Anonymous Mode, which claims to decouple cycle data from user identity. It requires a paid premium subscription. The core architecture remains the same: Flo stores your cycle data on its servers. Servers can be subpoenaed.
The FTC consent order added policy requirements — notification, consent, a privacy program. These are procedural controls. They do not change the fact that a server holding your data can be compelled to produce it via court order.
The Architectural Difference
The Flo case exposed the gap between policy-based privacy and architectural privacy.
Policy-based privacy means a company promises not to share your data. That promise can be broken (as Flo demonstrated) or overridden by legal process (subpoena, court order).
Architectural privacy means your data never reaches the company’s servers. There is no database to breach, no server to subpoena, no employee who can be compelled to produce records. Law enforcement can only obtain data a company possesses.
Floriva stores all cycle data on your device using encrypted local storage. No Floriva servers hold your reproductive health data.
Q&A
What was the Flo period tracker lawsuit about?
The Flo period tracker lawsuit alleged that Flo Health shared users' reproductive health data — including period dates, pregnancy status, and symptoms — with Facebook, Google, and Flurry via embedded SDKs, without users' knowledge or meaningful consent. The FTC took enforcement action in January 2021 after finding this violated Flo's own privacy promises. A parallel class action (Frasco v. Flo Health) sought damages under California's Confidentiality of Medical Information Act and common law invasion of privacy.
How much was the Flo lawsuit settlement?
The combined settlement totaled $59.5M. Flurry (Yahoo) settled for $3.5M in March 2025. Google and Flo Health settled for $56M in July 2025. On August 1, 2025, a jury separately found Meta liable for its role in receiving Flo user data via the Facebook SDK. The settlement covers affected US users of the Flo app. Source: HIPAA Journal, September 2025; Reuters, September 2025.
Did Flo sell user data to Facebook?
The FTC found that Flo transmitted reproductive health events — such as pregnancy status and symptom data — to Facebook's analytics platform via an embedded SDK. Whether this constitutes 'selling' depends on the legal definition, but the practical effect was the same: Facebook received intimate health data without users' consent. The Inside Privacy analysis noted that Flo 'improperly incorporated software development kits that shared menstruation and pregnancy information along with unique identifiers to third parties, like Google, without obtaining users' consent.'
Is Flo still safe to use after the lawsuit?
The settlement resolved the financial claims but did not change Flo's data architecture. Your data is still stored on Flo's servers. Flo introduced Anonymous Mode after the FTC action, but it requires a paid subscription and does not change where data is stored. Any data on a company's server can be accessed via court order or government subpoena. On-device trackers eliminate this risk by never sending data to a server in the first place.
Where do I file a claim for the Flo settlement?
The settlement administrator is A.B. Data, Ltd. Claims can be filed at periodtrackerdataprivacylitigation.com. The combined $59.5M settlement covers US Flo users whose data was shared with third parties between November 1, 2016 and February 28, 2019. California residents receive twice the pro rata share of non-California members.
How much did each company pay in the Flo settlement?
Flurry (Yahoo) settled for $3.5M in March 2025. Google settled for $48M on July 3, 2025. Flo Health settled for $8M on July 31, 2025 — the day before the jury returned its Meta verdict. The combined total is $59.5M. Sources: HIPAA Journal and Reuters, September 2025.
“The FTC's case against Flo Health should send a message to companies that handle sensitive health data.”
Source: HIPAA Journal, September 2025