$59.5 Million Flo Period Tracker App Settlement — Data Shared With Google and Facebook Without Consent


Flo Health, the company behind one of the most popular period and fertility tracking apps in the world, has agreed to pay $8 million as part of a combined $59.5 million settlement after sharing deeply personal health data — including pregnancy status, menstrual cycles, and sexual activity — with Google, Facebook, and other third parties without user consent. Google is paying $48 million and Flurry is paying $3.5 million in the same settlement, which arose from the federal case Frasco v. Flo Health, Inc. in the U.S. District Court for the Northern District of California.

The data sharing, which ran from at least November 2016 through February 2019, was exposed not by regulators or the company itself, but by a news article published in February 2019. Flo had repeatedly assured its users that their health information would remain private, confidential, and would never be shared with third parties without explicit consent. Those promises turned out to be hollow. The FTC took action against Flo in 2021, and a class action lawsuit followed, culminating in a jury trial in mid-2025 where Meta was found to have violated California privacy law. This article covers the full scope of the settlement, who qualifies, how to file a claim, and what the case means for the broader landscape of health data privacy.


How Did Flo Share User Data With Google and Facebook Without Consent?

Flo Health embedded software development kits — commonly called SDKs — from Facebook (Meta), Google, AppsFlyer, and Flurry directly into the Flo app. These SDKs transmitted sensitive health data in the form of “app events” to those companies. Every time a user logged a period, tracked ovulation symptoms, or recorded sexual activity, that information was potentially being funneled to advertising and analytics platforms. The data was granular and intimate: pregnancy status, menstrual cycle details, health symptoms, and more. Users had no idea this was happening, and Flo’s own privacy policy explicitly stated the opposite.

What makes this case particularly egregious is the gap between Flo’s public promises and its actual practices. The company marketed itself on trust and privacy — understandable given the sensitivity of reproductive health data. Yet behind the scenes, user data was flowing freely to some of the largest data-harvesting companies on the planet. Compare this to a hypothetical scenario where a therapist recorded your sessions and sold the transcripts to advertisers. The violation of trust is of the same character, even if the legal framework differs. Flo did not stop sharing user data until after the February 2019 news report forced its hand.


What Happened at Trial and Why Did Meta Lose?

A jury trial began in July 2025 before Judge James Donato. During the proceedings, Google and Flurry reached settlements before the trial concluded — Google for $48 million and Flurry for $3.5 million. Flo Health itself settled on July 31, 2025, just one day before the trial wrapped up on August 1. But Meta chose to fight the case in court, and it lost. On August 7, 2025, a California jury found that Meta violated the California Invasion of Privacy Act (CIPA) by collecting sensitive data from Flo app users.

The Meta verdict is significant beyond this single case. It establishes that a company receiving data through SDKs can be held liable for privacy violations — not just the app developer that embedded the SDK in the first place. However, it is worth noting that Meta’s separate liability and any damages from the jury verdict are distinct from the $59.5 million settlement involving Google, Flurry, and Flo Health. If you are tracking your potential payout, do not conflate the two. The settlement funds come from the three settling defendants, not from Meta’s trial loss. A motion for preliminary approval of the $59.5 million settlement was filed on September 23, 2025.

Flo Period Tracker Settlement Breakdown by Defendant: Google, $48 million; Flo Health, $8 million; Flurry, $3.5 million. Source: Court filings, Frasco v. Flo Health Inc., No. 3:21-cv-00757-JD (N.D. Cal.)

The FTC’s 2021 Enforcement Action Against Flo Health

Before the class action settlement, federal regulators had already taken Flo Health to task. The FTC filed a complaint in January 2021 alleging that Flo had disclosed health data from millions of users to third-party companies in the form of app events. The complaint painted a clear picture: Flo knew what it was doing, users did not consent, and the company’s privacy representations were deceptive. The FTC finalized its order against Flo Health in June 2021.

The terms were pointed. Flo was required to notify all affected users about the unauthorized data sharing, instruct the third parties that received the data to destroy it, obtain affirmative user consent before sharing any health data going forward, and submit to an independent privacy review. For example, the destruction requirement meant that Google, Facebook, and others were supposed to purge the reproductive health data they had collected through Flo’s SDKs. Whether that data was actually and fully destroyed is a question that independent privacy auditors, not the companies themselves, were tasked with verifying.


Who Is Eligible for the Flo Settlement and How to File a Claim

The class includes all U.S. users who used the Flo app at any point between November 1, 2016 and February 28, 2019. No proof of purchase is needed to file a claim. If you downloaded and used Flo during that window, you are likely a class member regardless of whether you had a free or paid account. Here is the critical caveat as of early 2026: the claim form is not yet available.

Judge Donato has held up the preliminary approval process over a dispute about how to properly notify class members. Until the court grants preliminary approval, no formal notice or claim form will be issued. Claim periods in settlements like this typically run 60 to 120 days from the date of notice. If you believe you are eligible, the best step right now is to contact the settlement administrator at [email protected] or call (866) 778-9626 and ask to be kept informed. Do not pay anyone who claims they can file a claim on your behalf at this stage — the process has not started yet.

Why Health App Data Privacy Remains a Serious Gap

One of the most troubling aspects of the Flo case is that period and fertility tracking data is not protected by HIPAA. Many consumers assume that any health-related data falls under federal medical privacy law, but HIPAA applies only to covered entities like hospitals, doctors, insurers, and their business associates. Consumer health apps like Flo, Clue, Ovia, and dozens of others operate almost entirely outside that framework. The primary legal protections for users come from state privacy laws, FTC enforcement against deceptive trade practices, and whatever promises the app company makes in its own terms of service.

This gap means that the legal remedies available to Flo users depend heavily on where they live and what specific laws their state has enacted. California’s CIPA, which was central to the Meta verdict, is one of the stronger state privacy statutes. But users in states without comparable laws may have weaker claims in future cases. If you are currently using any health tracking app, read the privacy policy carefully and look for specific language about third-party data sharing, SDK usage, and advertising partners. Vague assurances like “we take your privacy seriously” are not legally binding protections — they are marketing copy.


The Broader Pattern of App Data Sharing Through SDKs

The Flo case is not an isolated incident. SDKs from major tech companies are embedded in hundreds of thousands of apps across every category — fitness, finance, mental health, dating, and more.

The business model is straightforward: app developers integrate SDKs to access analytics, crash reporting, or advertising revenue, and in exchange, user data flows to the SDK provider. In many cases, app developers do not fully understand or disclose what data the SDKs are transmitting. The Flo settlement may push other health app developers to audit their own SDK integrations, but absent stronger federal regulation, the incentive structure that led to this breach of trust remains intact.
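
An added example, not part of the original article and not code from Flo or any SDK vendor: one way a developer could audit captured outbound app events for reproductive-health terms before they reach a third-party SDK. The SDK names, event names, and term list are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed term list for reproductive-health data; adapt it to the app's data model.
SENSITIVE_TERMS = {"pregnancy", "pregnant", "period", "menstrual", "cycle",
                   "ovulation", "symptom", "sexual", "fertility"}

# Constructed sample of app events captured on their way to hypothetical SDKs.
SAMPLE_EVENTS = [
    {"sdk": "ads_sdk", "name": "PregnancyWeekSelected", "params": {"week": 12}},
    {"sdk": "analytics_sdk", "name": "screen_view",
     "params": {"screen": "home", "profile": {"cycle_length": 28}}},
    {"sdk": "crash_sdk", "name": "app_crash",
     "params": {"stack": "NullPointerException at MainActivity"}},
]

def tokens(text):
    """Split identifiers like 'logPeriodStart' or 'cycle_length' into lowercase words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", str(text))
    return {t.lower() for t in re.split(r"[^A-Za-z]+", spaced) if t}

def walk(value, path=""):
    """Yield (path, leaf) for every leaf inside nested dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, value

def audit_events(events, consented_sdks=frozenset()):
    """Return {sdk: [(event, location, terms)]} for events sent without consent."""
    findings = defaultdict(list)
    for event in events:
        if event["sdk"] in consented_sdks:
            continue  # the user affirmatively consented to sharing with this SDK
        hits = sorted(tokens(event["name"]) & SENSITIVE_TERMS)
        if hits:  # the event name alone can disclose health status
            findings[event["sdk"]].append((event["name"], "name", hits))
        for path, leaf in walk(event.get("params", {})):
            hits = sorted((tokens(path) | tokens(leaf)) & SENSITIVE_TERMS)
            if hits:
                findings[event["sdk"]].append((event["name"], path, hits))
    return dict(findings)
```

Checking the event name as well as the parameters matters here because the article describes the data leaving the app "in the form of app events": a descriptive event name can reveal health status even when its parameters look harmless.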

What Comes Next for the Flo Settlement and Data Privacy Enforcement

The immediate next step is Judge Donato’s ruling on preliminary approval and the class notification plan. Once that is resolved, eligible users will have a defined window to submit claims. Given the $59.5 million total fund and the potentially millions of class members, individual payouts will depend on the number of claims filed — a common dynamic in consumer class actions where large classes dilute per-person recovery.

Beyond this case, the Meta jury verdict could embolden future plaintiffs to go after not just app developers but the tech companies on the receiving end of improperly shared data. Federal privacy legislation remains stalled in Congress, but cases like Frasco v. Flo Health are building a body of case law that may eventually force legislative action or at minimum make companies think twice before treating user health data as a commodity.

Conclusion

The $59.5 million Flo Period Tracker settlement stands as one of the largest privacy-related class action recoveries involving a consumer health app. Google, Flo Health, and Flurry are paying for a data-sharing scheme that treated users’ most intimate health information as advertising fodder, while Meta lost at trial on similar claims. The FTC had already forced Flo to change its practices in 2021, but the financial consequences from the class action add real teeth to the accountability effort.

If you used Flo between November 2016 and February 2019, keep an eye on the settlement administrator’s communications and be prepared to file a claim once the form becomes available. Contact [email protected] or (866) 778-9626 for updates. And regardless of whether you are part of this particular class, take a hard look at what health apps you are currently using and what data they are sharing. The Flo case proved that privacy promises from app developers are only as good as the enforcement mechanisms behind them.

Frequently Asked Questions

How much money will I receive from the Flo settlement?

Individual payouts have not been determined yet. The total settlement fund is $59.5 million, but the per-person amount will depend on how many eligible users file claims and the court-approved distribution plan. No proof of purchase is required.

Is the Flo settlement claim form available now?

No. As of early 2026, Judge Donato has not yet granted preliminary approval due to a dispute over the class notification process. Once approved, a formal claim form and notice will be issued, and the claim period will likely run 60 to 120 days.

Do I need to have paid for Flo to be eligible?

No. The class includes all U.S. users who used the Flo app between November 1, 2016 and February 28, 2019, regardless of whether they had a free or paid account. No proof of purchase is required.

What data did Flo share with Facebook and Google?

Flo shared sensitive health data including pregnancy status, menstrual cycle information, sexual activity, and health symptoms. This data was transmitted through SDKs embedded in the app in the form of “app events.”

Is Flo safe to use now?

The FTC’s 2021 order required Flo to obtain affirmative user consent before sharing health data and to undergo independent privacy reviews. However, HIPAA does not cover consumer health apps, so protections remain limited compared to traditional medical records. Review Flo’s current privacy policy before deciding.

What happened with Meta in this case?

Meta chose not to settle and went to trial. On August 7, 2025, a California jury found that Meta violated the California Invasion of Privacy Act by collecting sensitive data from Flo app users. Meta’s liability is separate from the $59.5 million settlement involving Google, Flurry, and Flo Health.

