The decades-old California law central to a class of Flo menstrual app users’ win over
The first-of-its-kind verdict on Aug. 1 for users of the popular period tracking app Flo by a San Francisco jury used a 1960s era wiretapping law, the California Invasion of Privacy Act, to win a decision that carries a $5,000 penalty per violation. With a certified class of California-based Flo users, Meta has said damages could reach multiples of billions of dollars.
The plaintiffs alleged Meta’s software development kits embedded in the Flo app recorded user answers to questions about their pregnancy goals and details of their last period without their consent. While users have sued Meta and Big Tech firms over privacy and user consent issues for decades now, this case uniquely reached a jury which was ultimately convinced that third-party collectors acted as illegal eavesdroppers on private communications about reproductive health.
Judge James Donato of the US District Court for the Northern District of California will determine total damages in the coming months.
“The verdict shows that there’s significant liability for companies that engage in this type of behavior,” said attorney Adam Polk of Girard Sharp LLP who litigates CIPA cases against tech companies. “It also tells me that everyday Americans are not okay with this.”
Meta has indicated it plans to file a motion to toss out the jury verdict, and trials don’t establish legal precedent that could alter the litigation landscape in the way a court ruling does. Still, the outcome could embolden class action attorneys to attempt to mimic the CIPA strategy.
The verdict could also bolster efforts by the tech industry to push through CIPA reforms to quell the onslaught of lawsuits. Over a month before the start of the trial against Meta, the California Senate passed SB 690, a bill that would exempt data tracking technologies from CIPA liability if they are used for “a commercial business purpose.”
Internet ‘Eavesdropping’
Starting around 2021, class action attorneys began deploying what was then a novel legal theory arguing that modern internet data tracking technology is a form of wiretapping or eavesdropping that is barred by CIPA. That law, passed in 1967, was originally meant to protect Californians from secret and unauthorized recordings of telephone calls.
But the new wave of litigation targeted websites and apps that use data tracking technology including chatbots, cookies, pixels, and software development kits often provided by major tech companies.
“Class action attorneys have filed hundreds of lawsuits and sent out probably many thousands of demand letters to websites,” said data privacy attorney Gary Kibel of Davis+Gilbert LLP. “Many settle to avoid the expense of litigation.”
The plaintiffs sued in 2021, naming Flo Health Inc. as well as
Meta argued that its conduct never fit the decades-old law because the company was never “eavesdropping” on users’ conversations with the Flo app as defined by the statute. Instead, Flo would record the users’ responses and then separately send non-sensitive data through Meta’s software development kit, the attorneys argued.
The jury rejected those arguments. They also determined that Flo users never consented to having their data recorded despite Meta’s broad privacy agreements that allow extensive tracking of users across the internet, another one of Meta’s key defenses.
The finding is additional evidence that consent agreements can’t be used by tech companies to abuse users’ privacy, Polk said.
“It’s one thing to consent, for example, to a fist fight,” he added. “But that’s not the same thing as consenting to a fight where one party is using brass knuckles.”
Unique Ruling
The health data involved in the Meta case, information about womens’ menstrual cycles and fertility goals, is regarded as highly sensitive under other California privacy laws and creates a particularly sympathetic narrative for a jury, said Linda Wang, a privacy and employment attorney at CDF Labor Law LLP.
However, many other lawsuits filed under CIPA focus on less sensitive data collected on shopping websites. Others target smaller website owners that use third-party data trackers that result in quick settlements.
“Most businesses just don’t have the resources or the appetite to take something like this all the way through the litigation,” Wang said. “This is a kind of unique situation.”
The California senate bill introduced in March that would exempt commercial activity under CIPA has been touted by defense attorneys as an update to an analog-era law and an end the wave of abusive lawsuits. The legislation has faced criticism from consumer advocacy groups including the Electronic Frontier Foundation and Consumer Reports, who argue it will leave tech companies unaccountable for their privacy infringements.
The verdict also doesn’t resolve existing legal questions about the law that the California Supreme Court or a federal appeals court will need to clarify.
This spring, as Meta was preparing for trial, a federal judge rejected a CIPA lawsuit against Prudential Financial Inc., which allegedly captured users’ medical and demographic information while they interacted with a webform on Prudential’s site. Although distinct from the Meta case, the judge ruled that Prudential couldn’t have “read” the users’ data as it was being recorded, a requirement under the statute.
“It’s helpful to get additional decisions to help businesses get some clarity,” Wang said. “If a business is willing to fight aspects of these CIPA claims, that’s certainly helpful.”
The case is Frasco v. Flo Health Inc., N.D. Cal., No. 3:21-cv-00757, verdict delivered 8/1/25.
To contact the reporter on this story:
To contact the editors responsible for this story: