On August 1, 2025, a California federal jury found Meta Platforms Inc. liable for wiretapping under the California Invasion of Privacy Act (CIPA). Meta was charged with collecting reproductive health data from users of the period-tracking app, Flo, for targeted advertising purposes. 

The trial marked one of the first instances of a wiretap claim making it all the way to a jury decision against a Big Tech firm, setting a potentially precedential example for how courts will handle similar privacy violations.

Background: From App Data-Sharing to Jury Trial

Launched in 2016, Flo’s period-tracking app prompts users to share intimate details upon downloading, including period dates, sexual activity, and pregnancy plans.

But in 2019, The Wall Street Journal revealed that Flo was sharing this data with Facebook (now Meta) through hidden analytics tools. This prompted a Federal Trade Commission (FTC) investigation, which Flo settled in 2021 by agreeing to obtain users’ affirmative consent before sharing health data and to notify them of past disclosures.

Not long after the FTC’s intervention, Flo users filed a class-action lawsuit in California federal court in 2021. They alleged that Flo violated user privacy by transmitting personal health information to third parties, including Meta, Google, and Yahoo’s analytics arm Flurry, for advertising and profiling purposes. Plaintiffs listed all four companies as original defendants in the case.

But over the course of pretrial litigation, most bowed out. Flurry reached a settlement in March 2025, and Google similarly agreed to settle weeks before trial. Flo settled with plaintiffs on July 31, 2025, just one day before the verdict, while admitting no wrongdoing. By the time the case reached the jury’s decision, Meta was the only remaining defendant. 

The Alleged Wiretap: How Meta Collected Flo Users’ Data

At trial, jurors needed to determine whether Meta eavesdropped on communications between Flo users and the app without consent, conduct prohibited by CIPA’s all-parties-consent wiretap rule. 

In the plaintiffs’ trial brief, plaintiffs’ attorneys outlined how the wiretap occurred. 

Flo assured users that their sensitive reproductive health data, including details collected during the app’s onboarding process, would remain private. Yet during the Class Period (November 1, 2016, through February 28, 2019), the company shared this information with Google and Meta. The data was transmitted through Custom App Events (“CAEs”) sent via the companies’ Software Development Kits (“SDKs”), which had been built into the Flo app.

The trial brief reads: “Flo specifically named the CAEs to convey health information users entered in the app and designed its app to execute Google and Meta’s SDK code whenever these CAEs were triggered. As a result, Flo allowed Google and Meta to eavesdrop on users’ private in-app communications.” 

For example, when a user answered a prompt about the date of her last period or selected her cycle length, Meta’s SDK logged events with names like “R_SELECT_LAST_PERIOD_DATE” and “R_SELECT_CYCLE_LENGTH” corresponding to those answers.

According to evidence, twelve such custom event signals were embedded in the app, capturing highly sensitive menstrual and reproductive data point by point. Plaintiffs argued this was the digital equivalent of planting a recording device in a private conversation: as women confided personal health details to the Flo app, Meta was secretly listening in real time. 

Additionally, the data was not collected for benign purposes; Meta exploited this information for targeted advertising and user profiling, capitalizing on details like whether a user might be trying to get pregnant. “Meta collected it, recorded it, used it, exploited it, profited from it,” Michael P. Canty, plaintiffs’ lead trial attorney from Labaton Keller Sucharow, argued to the jury, emphasizing that the company’s intent to capture this data was clear.

Meta’s Defense: “Flo Did It,” Consent, and an Old Law’s Scope

Meta’s defense hinged on casting the company as a passive recipient of data, shifting blame to the Flo app. The tech giant argued that Flo’s developers alone decided what user information to send through the SDK; at most, Meta was an unwitting mailbox for data that Flo chose to forward. 

An SDK is like “an envelope that sits on the app and does nothing unless a developer puts information in and sends it,” Meta’s attorney, Michele D. Johnson, said, insisting that Meta did not receive raw answers or intimate details “like a recording might provide,” but only some coded bits of information. 

In other words, if sensitive health data was transmitted, it was due to Flo acting outside of Meta’s rules, not an intentional interception by Meta (Meta’s developer terms do indeed forbid app makers from sending health or sensitive data, and Flo’s transmission of such data would have violated those terms.)

Meta also maintained that users consented to any data collection that did occur. The company pointed out that Flo users, like all Facebook users, agree to Meta’s terms of service and privacy policy, which says that Meta may receive data about users’ activities in third-party apps. By this logic, users were aware that their Flo app interactions could be shared with Meta for analytics or ads. The defense also noted that Flo’s privacy disclosures mentioned data sharing, and the data sent was reportedly pseudonymized (tied to device advertising IDs rather than names), downplaying the privacy intrusion. Meta asserted it never intended to capture personal health details, arguing that any sensitive information it received was transmitted by Flo and that Meta should not be held liable for data it instructed Flo app developers not to send.

The Verdict

The jury's final verdict found Meta liable on three points. First, they found that Meta did intentionally eavesdrop on or record the app users’ confidential communications. Second, the jury agreed that users had a reasonable expectation of privacy for the sensitive health data they entered into Flo; i.e., an ordinary person using the app would not expect that information to be shared with an outside company. Finally, jurors concluded that Meta did not have the users’ consent to collect and use this information. 

Each “yes” for the plaintiffs and “no” to Meta amounted to a rejection of Meta’s defenses. The jury held Meta liable under CIPA’s anti-wiretapping provisions, which require all parties to consent to intercept communications. The jury also found Meta in violation of California’s Confidentiality of Medical Information Act for its role in obtaining the women’s health information.

Significance of the Verdict: Privacy Rights and Accountability

It’s incredibly rare for a consumer privacy class action to go all the way to a jury trial; most such cases settle long before a verdict due to the high stakes on both sides. In fact, Meta’s loss in this case is one of the first major jury verdicts dictating how tech companies can handle consumers’ health data. 

The case also points out a regulatory gap: consumer health apps, like Flo, are not subject to HIPAA. Apps collecting health information fall into a loophole with no federal law to govern data handling, so state privacy laws are used instead. The jury’s verdict affirms that users maintain a reasonable expectation of privacy when disclosing health information to consumer apps and that companies can be held liable for collecting and using it unlawfully.

“It sends a message to the industry… that courts are taking this seriously,” said Suzanne Bernstein, counsel at the Electronic Privacy Information Center, emphasizing that broadly “unregulated ad tracking systems” are now firmly on the legal radar.

Plaintiffs’ attorneys likewise praised the verdict as a resounding affirmation of the fundamental right to privacy. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” said Canty, adding that the outcome “reinforces the fundamental right to privacy, especially when it comes to sensitive health data.” 

For Meta, the verdict is a significant legal defeat and potentially a costly one. CIPA provides for statutory damages of $5,000 per violation (per incident of interception), which, in a class of millions of users, can multiply into staggering figures. Prior to trial, plaintiffs’ counsel suggested Meta’s exposure could reach as high as $190 billion if each of the 38 million class members is counted once. Meta has stated it “vigorously” disagrees with the jury’s findings and is exploring all legal options, signaling a likely post-trial appeal or motions to overturn the verdict.