Personal Information Flo-wing out of Control

October 20, 2025

By: Lauren Scribner

In September, a nearly $60 million settlement was reached in Frasco, et al. v. Flo Health, Inc., Meta Platforms, Inc., Google, LLC, and Flurry, Inc.  The case,[1] a class action filed in 2021, alleged inter alia that Flo Health Inc. (“Flo”), a popular women’s health tracking application estimated to have over 38 million monthly users, invaded the privacy of its users by sharing personal and sensitive fertility data with third parties without their consent.

The class action was filed on the heels of a settlement with the Federal Trade Commission (FTC) after allegations that despite millions of users trusting Flo “with intimate details of their reproductive health” under repeated assurances that it would “protect the information and keep it secret,” Flo “shared women’s personal health information with these third parties for years,” including marketing and analytics firms.[2]  That settlement ultimately required Flo to obtain users’ affirmative consent prior to sharing their health data and undergo an independent review of its privacy practices.[3]

How exactly did this happen?

When users create an account with Flo, they typically answer a series of personal questions about women’s health matters.  As users engage with the app over time, they continue to answer these questions in exchange for “tailored health and wellness advice” and the ability to track and predict certain health-related outcomes such as fertility windows and stages of their menstrual cycles.[4]  Users input this information in confidence, and Flo assures it will be kept private and confidential unless they consent for it to be shared.[5]

Flo was initially created using software development kits (SDKs), which are “a set of software-building tools for a specific platform, including the building blocks, debuggers and, often, a framework or group of code libraries such as a set of routines specific to an operating system.”[6]  SDKs allow developers to build applications more quickly and efficiently, but a known challenge associated with their use is the potential for security breaches.  According to IBM, this type of “[p]atchwork software development can result in unintended loopholes that can potentially expose personal information of users.”[7]

That is likely what happened here.

In the class action, the plaintiffs argued that the SDKs embedded in the Flo application recorded users’ sensitive health information and ultimately channeled it to third parties like Meta Platforms, Inc. (“Meta”) for marketing uses.  But because Flo settled in the middle of the jury trial, we do not have a verdict on whether it unlawfully shared users’ personal health data, nor whether that alleged sharing was an “unintended loophole” or an intentional plan.

The case also went to trial against Meta, which the jury ultimately found liable for violating the California Invasion of Privacy Act.

Flo is estimated to be responsible for $8 million of the total settlement amount and must “display a prominent notice on its website” expressing its commitment to maintaining the privacy of its users for one year following the settlement’s approval.[8]  Flo continues to deny any liability for the allegations.

Takeaways

The case against Flo is a cautionary tale for other companies collecting users’ health data.  This case shows that there is, and will continue to be, increased scrutiny on companies collecting personal health data because it is widely considered to be uniquely sensitive.  In other words, companies collecting this type of information may be subject to greater risk than those who send targeted ads after a consumer shops online for a household item or browses a list of the best restaurants in a nearby city.[9]  Personal health data is uniquely sensitive, and the plaintiffs’ bar will likely continue to treat it as such.

Additionally–and it should go without saying–companies, especially those collecting sensitive personal health information, should know how their applications work.  If SDKs were used to develop the application (and statistically, they probably were), are they recording user information and improperly sharing it without users’ consent?  Familiarity with how the application is operating on the backend is paramount to reducing the risk of future privacy breaches.

But the settlement against Flo should not just be a warning sign to companies collecting health data—consumers should be wary as well.  Of particular concern is the rapidly growing prevalence and popularity of consumers tracking personal health and health-related data.  A recent survey forecasts there will be 92.4 million smartphone health and fitness app users in the U.S. in 2025,[10] and last year alone, total revenue from health apps reached $3.74 billion.[11]

Whether by inputting information directly into a health application, like Flo, or allowing a wearable device to collect continuous data in real time that syncs to an application, consumers are tracking everything from steps to sleep to food intake.  Some products track even more advanced metrics like heart rate rhythm and blood oxygen levels.  Consumers must weigh the benefits of tracking this information and the insights it can provide against the risk that their most personal health data may be accessible by third parties.

Ultimately, the “closer” we get to our smartphones, and the more intimate and personal information we allow the applications on our phones to have access to, the greater the risk that our most sensitive data will not be private—even if the privacy settings reassuringly “say” it is.

[1]  Northern District of California, Case No. 21-00757.

[2] Complaint ¶¶ 3, 5, Flo Health Inc., FTC Docket No. C-4747 (Jan. 13, 2021), https://www.ftc.gov/system/files/documents/cases/flo_health_complaint.pdf.

[3]  FTC Finalizes Order with Flo Health, a Fertility-Tracking App that Shared Sensitive Health Data with Facebook, Google, and Others, THE FEDERAL TRADE COMMISSION (June 22, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared-sensitive-health-data-facebook-google#:~:text=The%20Federal%20Trade%20Commission%20(FTC)%20finalized%20a,collected%2C%20maintained%2C%20used%2C%20disclosed%2C%20deleted%2C%20or%20protected (last accessed Oct. 16, 2025).

[4] Steve Alder, Flo Health; Google; Flurry to Pay $59.5M to Settle Privacy Lawsuit, THE HIPAA JOURNAL (Sept. 26, 2025), https://www.hipaajournal.com/flo-health-google-flurry-59-5m-settlement-privacy-lawsuit/ (last accessed Oct. 16, 2025).

[5] Alder, supra note 4.

[6] SDK vs. API: What’s the difference?, IBM, https://www.ibm.com/think/topics/api-vs-sdk (last accessed Oct. 17, 2025).

[7] IBM, supra note 6.

[8] Alder, supra note 4.

[9]  But regardless of the type of data collected, customer data should always only be used with consent and in compliance with the company’s privacy policy.

[10] Arielle Feger, Consumers use mobile apps to track fitness, health, EMARKETER (Jan. 2, 2025), https://www.emarketer.com/content/consumers-use-mobile-apps-track-fitness-health (last accessed Oct. 17, 2025).

[11] Nayden Tafradzhiyski, Health App Revenue and Usage Statistics (2025), BUSINESS OF APPS (Apr. 7, 2025), https://www.businessofapps.com/data/health-app-market/ (last accessed Oct. 17, 2025).

Lauren Scribner

Lauren is a Contract Attorney at Ifrah Law, specializing in advocacy and analysis.
