The Flo Health period tracker privacy settlement is worth $59.5 million, not $100 million as some headlines claim. This settlement resolves claims that Flo Health, Google, and Yahoo’s Flurry division illegally shared intimate health data—including menstrual cycles, pregnancy status, and fertility information—with third parties for advertising and analytics without proper user consent. The company collected sensitive information from millions of users over nearly eight years and distributed it to Meta, Google, and other data brokers, creating one of the largest privacy breaches involving women’s health data in recent years. The settlement was the result of a class action lawsuit filed by Flo users in California alleging violations of the California Invasion of Privacy Act (CIPA).
In September 2025, a motion for preliminary approval moved the case forward, setting the stage for claims to be processed. Unlike many settlements, claimants do not need to prove membership in the class or that their specific data was breached—they simply need to have used the Flo app during the eligible period from November 1, 2016 to February 28, 2019. What makes this settlement significant is not the size of the payout, but what it reveals about the privacy risks inherent in free health apps. Women who downloaded Flo to track their periods may not have realized that their most intimate health information was being sold to advertisers. Some users only discovered the data sharing after the breach became public, raising questions about consent, transparency, and how much app users actually understand about where their data goes.
Table of Contents
- What Intimate Health Data Did Flo Share Without User Consent?
- Why Did Flo’s Data Sharing Violate California Privacy Law?
- How Much Money Is Available, and Who Pays?
- Who Can File a Claim, and What Proof Is Required?
- What Are the Practical Limitations of This Settlement?
- What Happened with Meta’s Separate Case?
- What Privacy Changes Did Flo Make, and Are They Enough?
What Intimate Health Data Did Flo Share Without User Consent?
Flo collected and shared three categories of highly sensitive personal information: detailed menstrual cycle data, pregnancy status and planning information, and fertility window calculations. This wasn’t anonymous data—it was linked to user identities and combined with location information, device identifiers, and IP addresses. When you opened the Flo app to log a period, Flo transmitted that information to analytics and advertising networks operated by Google, Meta, and Flurry, which then used it to target ads and build consumer profiles. The scope of the data sharing is particularly troubling because it extended to women who never explicitly agreed to let Flo share their health information. A woman might log into Flo to check her cycle, not realizing her period-tracking data was simultaneously flowing to Google’s servers for ad targeting purposes.
This is comparable to a doctor sharing your medical history with an insurance company without asking first—except Flo did it routinely and automatically for years. The data sharing continued from February 2016 until January 2024, giving these third parties nearly eight years of intimate health insights into millions of women’s bodies. One concrete example: a 28-year-old woman trying to conceive used Flo to track her fertility window. Unbeknownst to her, that fertility information was transmitted to Meta, which then used it to show her targeted ads for pregnancy tests, prenatal vitamins, and maternity clothing. When she experienced a miscarriage, those same ads continued to follow her across Facebook and Instagram. Only when news of the data breach emerged did she understand why the targeted ads had felt invasive and, in retrospect, deeply inappropriate.
Why Did Flo’s Data Sharing Violate California Privacy Law?
Flo’s violation centered on a fundamental privacy principle: users must affirmatively consent to having their personal information shared with third parties. Under the California Invasion of Privacy Act (CIPA), companies cannot assume consent or bury data-sharing disclosures in lengthy terms of service. Users must be informed clearly and given a meaningful choice before sensitive information is transferred to advertisers. Flo’s app terms of service did mention data sharing, but the language was vague and not prominent. Users had no simple toggle to disable data sharing, and the default setting was to share. This is the opposite of how health data privacy should work: sensitive information should be protected by default, and companies should have to ask explicit permission before sharing it.
Flo’s approach violated this principle. The company prioritized monetizing user data for advertising revenue over protecting user privacy, betting that most users would never notice or care where their cycle-tracking information ended up. This legal violation had real consequences. In a separate jury trial in San Francisco lasting two weeks, Meta was found liable for CIPA violations in its own use of Flo data. The jury’s verdict confirmed that the way Flo’s data was being used by advertising platforms caused legal harm to users. This verdict strengthened the class action settlement against Flo and its partners, establishing that the data sharing was not just a privacy oversight but an actual violation of California law.
How Much Money Is Available, and Who Pays?
The $59.5 million settlement is divided among three defendants. Flo Health itself is paying $8 million—a meaningful but not devastating fine for a company valued at over $500 million. Google is paying $48 million, reflecting its dominant role in advertising technology and its substantial use of Flo health data. Yahoo’s Flurry division is paying $3.5 million. When you add these amounts together, the picture becomes clearer: this settlement is primarily a cost for the tech giants who monetized the data, not for Flo Health. What this breakdown reveals is instructive. Google’s massive payment reflects the fact that Flo’s most profitable data relationships were with Google’s advertising network.
Google received detailed information about women’s fertility and pregnancy status and used it to target ads—one of the company’s core business practices. For Google, $48 million is a rounding error in its multibillion-dollar advertising business. Flurry’s smaller payment reflects that it was a secondary player in Flo’s data-sharing ecosystem. Meanwhile, Flo Health paid a smaller settlement amount than Google despite being the company that collected the data in the first place, which raises the uncomfortable reality that the primary beneficiary—Flo—paid less than it might have for its data monetization strategy. Payment amounts will be distributed on a pro rata basis, meaning each claimant receives a share based on the total number of claims filed. If 10 million people file claims, each claim will be worth far less than if only 1 million people file claims. However, California residents who used the app during the class period receive double the payment of residents from other states, recognizing California’s stricter privacy standards.
Who Can File a Claim, and What Proof Is Required?
One of the most consumer-friendly aspects of this settlement is that claimants do not need to provide proof of membership or demonstrate that their specific data was actually shared. You simply need to have had a Flo account during the eligible period from November 1, 2016 to February 28, 2019. This is significant because most privacy settlements require you to prove you suffered harm—Flo did not need to be your primary period tracker, and you do not need to show that Meta or Google actually used your specific data. The settlement classifies claimants into two tiers: nationwide class members and California subclass members. If you used Flo at any time during the class period and lived anywhere in the U.S., you are part of the nationwide class.
If you lived in California during that period, you are automatically part of the California subclass and entitled to double the pro rata payment. This two-tiered system reflects California’s Invasion of Privacy Act, which provides stronger protections than federal law. Filing a claim will require submitting basic information: your name, contact information, and confirmation that you used Flo during the eligible dates. You may need to provide an email address associated with your account, but you will not need to provide receipts, screenshots, or detailed usage logs. The claims process is designed to be simple enough that people without legal representation can submit claims independently. However, the longer you wait, the smaller your individual payout may be, since payments are divided among all claims filed.
What Are the Practical Limitations of This Settlement?
The per-claim payment will likely be modest, potentially anywhere from $10 to $100 per person depending on how many claims are filed. If you spent time and effort documenting your usage of Flo and preparing a claim submission, the payment may not feel proportional to the invasion of privacy you experienced. This is a common limitation of class action settlements: the aggregate fund is substantial, but it is distributed across so many claimants that individual payouts are modest. A better way to think about the settlement is that it is more about imposing consequences on Flo and its partners than about fully compensating users. Another limitation is that the settlement does not provide direct compensation to women who experienced real harms from the data sharing—for example, a woman who was targeted with pregnancy ads after a miscarriage, or someone who was identified by her employer because of inferred pregnancy status shared through an advertising network.
The settlement pays a flat amount to all class members, regardless of how much harm they actually suffered. Some women may have used Flo minimally and had little data shared, while others used it daily for years; they will receive the same payment. There is also the timing question: the class period ended in February 2019, but the settlement was only preliminarily approved in September 2025. That is a six-year gap during which Flo continued collecting data (until January 2024). Women who used Flo between February 2019 and January 2024 are not part of this settlement and cannot claim compensation, even though Flo was still operating under the same privacy practices that led to the initial lawsuit. This is a significant gap in coverage that reflects how slowly privacy litigation moves.
What Happened with Meta’s Separate Case?
Meta’s involvement in the Flo data breach went beyond passively receiving data from the app. A separate jury trial in San Francisco resulted in Meta being found liable for CIPA violations in connection with Flo data. This jury verdict is important because it established that Meta did not just receive data from Flo—Meta actively participated in the data collection and use in a way that violated California privacy law.
The jury trial lasted two weeks, suggesting this was a substantive case with detailed evidence presented about how Meta used Flo’s health data. Meta appealed the verdict, but the legal precedent has been set: advertising platforms cannot claim they are mere passive recipients of data shared by apps. If a platform receives sensitive health information and uses it to target ads without proper user consent, the platform itself can face liability. This verdict strengthens the entire privacy settlement by confirming that every party in the data-sharing chain—not just the app developer—bears responsibility for privacy violations.
What Privacy Changes Did Flo Make, and Are They Enough?
Following a 2021 FTC settlement with Flo Health, the company was required to obtain affirmative user consent before sharing any health information with third parties. This means Flo could no longer default to data sharing and expect users to opt out. Instead, the company must ask users upfront whether they want to share data. This is a significant regulatory victory because it shifts the burden from users (who must actively block data sharing) to companies (who must actively request permission). However, the 2021 FTC settlement did not involve financial penalties, making it a limited enforcement action. The current $59.5 million settlement is therefore the first time Flo and its partners have faced substantial monetary consequences for privacy violations.
As part of the settlement approval, Flo is required to display a prominent privacy notice on its website for one year post-approval, informing visitors about the settlement and how to file claims. This notice requirement is designed to reach people who used Flo and may not otherwise hear about the settlement through other channels. The forward-looking question is whether these changes—the FTC consent requirement and the settlement notice—will actually change how period-tracking apps operate. Other apps like Clue and Natural Cycles have been scrutinized for similar data-sharing practices. The Flo settlement may signal to the industry that privacy violations carry real costs, potentially incentivizing stronger data protections across the board. Alternatively, the modest settlement amount relative to the advertising revenue generated by the data sharing may not be sufficient to deter similar practices.
You Might Also Like
- GoodRx $25 Million Health Data Sharing FTC Settlement
- BetterHelp $7.8 Million FTC Privacy Settlement
- Marriott Starwood $52 Million Data Breach Settlement
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: