The tech giant was found to have illegally collected user info. Could this be a landmark moment for data privacy?
This article was written by Andjela Milivojevic and originally published by The Bureau Of Investigative Journalism.
Few things feel more private than what you tell your period app. Month after month, you confide your most intimate details: when your period arrived, how often you had sex, whether you masturbated, if you’re trying to have a baby. You treat it like a digital diary, believing these intimate details remain safely tucked away in your phone.
But it turns out they’re not as safe as you think. Last month, a California jury found that Meta had illegally collected reproductive health information from millions of women who use the fertility tracking app Flo Health. The data had been passed on to the tech giant without the users’ knowledge or consent – and despite repeated promises that it was private.
The case began when eight women discovered their most private health information – details about menstruation, ovulation, pregnancy attempts and sexual health – had been “surreptitiously transmitting” to Meta through a hidden tracking tool embedded in the app.
As the plaintiffs put it, “Flo allowed Meta to eavesdrop on users’ private in-app communications”.
Menstruation, contraception or fertility apps have become increasingly popular in the last few years and now form a billion-dollar industry, with some having as many as 500 million users. And the data fed into them is astonishingly valuable: the information that someone is expecting a baby is worth up to 200 times more to advertisers than data about their age or location.
Christian Levis, one of the lawyers on the case against Meta, told us that Big Tech has been working behind the scenes for years to undermine privacy rights in the US. He said the industry has been lobbying to amend the California privacy act violated by Meta in the Flo case, to exempt the collection of data for business purposes.
“This is extremely troubling,” said Levis. “That change could provide immunity for the most invasive and offensive privacy violations, like the collection of health or medical information, or financial data.”
Experts say this system, which monetises women’s most intimate information, needs to be uncovered and held accountable. But they question whether Big Tech will ever change the way it treats women’s reproductive health when companies are punished with fines that they can easily pay off.
The verdict against Meta, however, marks one of the first instances of Big Tech being held liable for misusing consumer health information. It also indicates the beginning of a trend of women pushing back on the exploitative nature of the health data industry.
Betrayed trust
The women who testified in front of the California jury said they felt violated and embarrassed when they realised Flo had shared their health data with Meta, reported MLex.
Autumn Meigs, who was a teenager when the case was filed, told the court it “has caused a lot of anxiety because I was a young girl.” Meigs said she is “a very private person”.
The millions of people who use the Flo app are asked to provide personal information along with intimate details about their sexual health, menstrual cycles and gynaecological health through a series of questions. (Do you get yeast infections? Do you have any chronic diseases? Do you have any reproductive system diseases?)
Until 2021, Meta automatically received information from each survey question and used the data for advertising, according to documents presented in court in July. The jury decided this was against California privacy law.
Each violation of the privacy law carries a penalty of $5,000. And every user of the Flo app in the US over five years could get compensation. Given that Flo had over 38 million monthly active users in 2021, Meta could owe $190bn in damages.
Meta has already taken the first step to try to overturn the verdict. And the company told us the claims against it are “simply false”. It also said “user privacy is important to Meta, which is why we do not want health or other sensitive information”.
Three other companies – Flo, Google and Flurry – were accused in the same case but settled out of court. They have never publicly admitted any wrongdoing. The details of the Google and Flo settlements were not made public but we know that Flurry, a mobile phone app data company also named in the initial complaint, agreed to pay Flo users $3.5m earlier this year.
Flo said it was “committed to protecting the privacy of its users, and any allegation otherwise has no merit”. It was also fined for sharing women’s health data in 2021 by the US Federal Trade Commission (FTC).
In the US, the safeguarding of women’s health data has become an increasingly pressing subject. Six years ago, digital rights charity Privacy International found that 61% of period tracking apps were automatically sharing data with Facebook. But by 2024, many femtech companies had changed their approach to the way they handle women’s health data, particularly after the overturning of Roe v Wade. After the supreme court’s decision in June 2022, many women decided to delete period tracking apps in fear of their data being used as evidence they had been pregnant – and to prosecute them for having an abortion.
Sarah Simms, senior policy officer at Privacy International, said the decision created a “volatile environment” and since then the apps have implemented better privacy protections, including anonymous modes and local data storage.
But the data is still being collected via users’ phones and shared with third-party companies, which can put women who are using period and pregnancy apps in danger. Information could be seized from cloud servers and used against them, particularly in places where reproductive care is criminalised or restricted.
In the UK, before abortion was decriminalised this year, women under investigation for having an illegal abortion were requested to provide “data related to menstruation tracking applications”.
In the US, Missouri’s health department tracked Planned Parenthood patients’ menstrual cycles as part of abortion investigations. During Trump’s first administration, the Office of Refugee Resettlement tracked and monitored the menstrual cycles of unaccompanied minors seeking asylum as part of efforts to prevent them from accessing abortions, even in cases of rape.
Digital goldmine
People using period and pregnancy apps are targeted because they are a “valuable commodity” for advertisers, said Simms.
Digital health data is prized because it is “super precise”, said Marek Tuszynski, executive director of digital rights charity Tactical Tech. “It is capturing your condition in a given specific timeframe and location, and that makes you a very good target for any kind of influence or advertisement.”
According to 2024 data, 70% of American women who track their periods are doing it using an app. In the UK, over 50% of women aged 18-24 were regularly using digital health apps in 2021.
This creates what Dr Stefanie Felsberger, a sociologist specialising in technology and gender, describes as a “goldmine” for advertisers. “Having a baby and becoming pregnant is one of those life events where you change your shopping habits,” she says. “You’ve gained a consumer for the next decade.”
Health data is especially valuable in the UK and Europe, where GDPR protects it more strictly than other types of demographic data.
But period tracking apps also provide a way around data protection laws because users consent to tracking when they subscribe to a premium option, for example – often without understanding the full scope of data sharing.
“There’s an assumption for a lot of users that this data doesn’t go places,” said Felsberger.
She also raises the question of how period and pregnancy apps are regulated.
Flo Health markets itself using endorsements from gynaecologists while arguing it’s not actually a medical device in its terms and conditions.
Felsberger’s research shows period tracking apps are generally classified as wellness devices rather than medical ones, allowing them to avoid privacy protections by medical regulatory bodies. This makes women’s health data vulnerable to exploitation.
Experts say the case against Meta in California sends a message to Big Tech and the femtech industry that they need to change their practices. But also that it shows people do care where their health information is going and who is using it.
George Furber, a legal officer at Privacy International, thinks this may be the beginning of a “pushback” against the way our health data is used.
“Hopefully we’ll see this happening more and more with class actions, as people are being affected more and more,” he said.
But at the same time, he says, companies are also hugely incentivised to get hold of the data – “because it’s so profitable.”
