Meta Was Eavesdropping on 13 Million Women's Period Apps — A Jury Just Said That's Worth $190 Billion

:red_circle: Meta Was Eavesdropping on 13 Million Women’s Period Apps — A Jury Just Said That’s Worth $190 Billion

A hidden tracking tool inside the Flo period app was quietly sending your ovulation dates, pregnancy status, and sexual activity straight to Meta’s ad servers — for three years. A jury just called it illegal.

The numbers: 13 million users compromised. $5,000 per violation under California law. Potential liability: $190 billion. Google and Flurry already settled. Meta is fighting the verdict.

So here’s what happened. Between 2016 and 2019, the Flo period-tracking app — used by 75 million women worldwide — had Meta’s tracking code secretly baked into its code. Every time a user logged their cycle, their pregnancy plans, their sexual activity, even details about contraception and yeast infections — all of that data was shipped directly to Meta for advertising. This wasn’t a hack. It was a feature.

surveillance


🧩 Dumb Mode Dictionary
Term What It Actually Means
SDK A chunk of code a company (like Meta) gives app makers to drop into their app. It sends data back to the company silently. Think of it as a hidden microphone disguised as a feature.
Class Action When a bunch of people (in this case 13 million) sue together instead of one by one. Strength in numbers.
HIPAA A US law that protects your medical records at hospitals and doctors. But period apps? They don’t count as “medical” — so HIPAA doesn’t cover them at all.
FTC The Federal Trade Commission — basically the US government’s consumer protection cops. They already fined Flo once in 2021 for this same thing.
Data Broker A company that buys and sells personal info about you. Your pregnancy data is worth 200x more to advertisers than your age or location.
📱 How the Eavesdropping Actually Worked

The setup was diabolical in its simplicity:

  • Flo embedded Meta’s SDK (tracking code) inside the app
  • Every time you filled out a health survey inside Flo, Meta automatically received every answer
  • The court literally called it an “eavesdropping tool” — not a data breach, not a hack, but a wiretap built into the product
  • This included: menstruation timing, ovulation dates, pregnancy attempts, sexual health details, chronic disease info, reproductive conditions
  • Flo changed its privacy policy 13 times during this period — but none of those changes actually told users what was happening
  • The whole time, Flo’s marketing slogan was “Your Body, Your Data” — which, yeah

The data went to Meta, Google, and a company called Flurry (an analytics firm). All three were caught.

📊 The Receipts
What Number
Flo total users worldwide ~75 million
Users in the class action 13 million
Data collection period Nov 2016 – Feb 2019
Max fine per violation (California law) $5,000
Theoretical max liability for Meta ~$190 billion
Flurry’s settlement $3.5 million
Google’s settlement Undisclosed
Flo’s earlier FTC fine 2021 (amount undisclosed)
Privacy policy revisions during collection 13 times
Value of pregnancy data vs. age data 200x more valuable
⚖️ What the Jury Actually Said

A federal jury in San Francisco found Meta liable for violating California’s privacy laws. Key points:

  • The jury agreed that Meta’s SDK was essentially a recording device that “eavesdropped on consumers as they communicated with the app”
  • They were NOT asked to set a dollar amount yet — that part comes later, and it could be catastrophic for Meta
  • One of the original plaintiffs, Autumn Meigs, was a teenager when her data was being collected
  • Meta is already trying to overturn the verdict
  • Google and Flo settled before it went to trial — Meta was the only one that fought it and lost

But here’s the thing nobody mentions: period apps are classified as “lifestyle” apps, not medical apps. That means HIPAA doesn’t protect your data at all. Your step counter and your ovulation tracker have the exact same legal protection — which is basically none.

🔥 Why This Got Way Scarier After Roe v. Wade

When the US Supreme Court overturned Roe v. Wade in 2022, period tracking data suddenly became potential evidence in criminal cases.

  • If abortion is illegal in your state, your period tracker data could theoretically be subpoenaed (forced out by a court order)
  • Privacy International found that 61% of period tracking apps were automatically sharing data with Facebook — six years ago
  • Law enforcement can buy this data from data brokers without a warrant
  • Insurance companies can use it to adjust your premiums or deny coverage
  • Many users deleted their apps entirely after Roe — but the data that was already collected? Still sitting on Meta’s servers.

This isn’t hypothetical paranoia. The legal infrastructure for this is already built.

🗣️ What People Are Saying

George Furber, Privacy International legal officer:

“Hopefully we’ll see this happening more and more with class actions, as people are being affected more and more.”

The Bureau of Investigative Journalism:

“Meta automatically received information from each survey question” — calling it a hidden tracking tool, not a bug.

Flo’s original marketing:

“Your Body, Your Data” — which aged like milk in the sun.

Researcher Stefanie Felsberger:

The solution isn’t to ditch these apps — it’s to switch to non-commercial alternatives run by nonprofits. Don’t use any app that treats your data as its revenue source.

🛡️ Apps That Don't Sell You Out

Consumer Reports tested eight period trackers. Only three passed both tests (local data storage + no third-party tracking):

App Stores Data Locally No Third-Party Tracking
Drip :white_check_mark: :white_check_mark:
Euki :white_check_mark: :white_check_mark:
Periodical :white_check_mark: :white_check_mark:

These are open-source or nonprofit-run. Your data stays on your phone, period. No pun intended.


Cool. So Your Most Intimate Health Data Has Been Feeding Ad Algorithms for Years. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

privacy phone

🕳️ The SDK Bounty Hunter

Every app on your phone has 3-15 hidden SDKs (tracking codes) baked in. Most app developers don’t even know what data those SDKs are sending. Here’s the play: use free tools like Exodus Privacy to scan any Android app and list every tracker embedded inside it. Then contact the app developer directly, show them what their app is leaking, and offer to write a “privacy audit report” they can use for marketing. Small app studios (under 500K downloads) will pay $200-800 for this because they genuinely didn’t know — and “privacy-first” is now a selling point that moves downloads.

:brain: Example: A 24-year-old infosec student in Berlin scans 50 health apps on Exodus Privacy, finds 12 that have Meta’s SDK silently installed. Emails each developer a one-page report. Three respond. Two pay €350 each for a full write-up. One hires her for ongoing privacy consulting at €800/month.

:chart_increasing: Timeline: First paid report in 5-7 days. Steady side income in 3-4 weeks. Saturates when bigger firms start offering the same service — but first movers own the niche testimonials.

🎣 The Lawsuit Signal Scraper

Class action lawsuits against tech companies are public record. When a verdict like Meta/Flo drops, there’s a 2-4 week window where millions of affected users have NO idea they might be owed money. The play: monitor ClassAction.org and court filing databases, then build simple one-page explainer sites targeting the specific app’s user base. “Were you a Flo user between 2016-2019? Here’s what just happened.” Monetize through legal referral partnerships (law firms pay $50-150 per qualified lead) or affiliate links to the safe alternative apps listed in the verdict coverage.

:brain: Example: A 21-year-old in Manila builds a one-page site called “FloSettlement.info” within 48 hours of the verdict using a free Carrd template. Posts it on Reddit r/TwoXChromosomes and TikTok. Gets 40K visits in the first week. Earns $2,800 from legal referral clicks before bigger players catch up.

:chart_increasing: Timeline: First referral payment in 7-10 days. Each major tech verdict creates a new window. Burns out per-case in 3-4 weeks as law firms run their own ads, but the skill transfers to every new verdict.

📡 The Privacy Swap Shop

Here’s the arbitrage: 61% of period apps leak data to Facebook. Only 3 apps passed Consumer Reports’ tests. Most women don’t know either fact. The play: create short-form video content (TikTok, Reels, Shorts) that does “app swap” reviews — “I scanned [popular app] and found 7 trackers. Here’s the free alternative with zero.” You’re not selling anything. You’re building an audience of privacy-conscious women — a demographic that health brands, VPN companies, and secure messaging apps will pay premium CPM rates to reach. NordVPN’s blog already covers this topic, meaning VPN sponsors are already interested in this audience.

:brain: Example: A 26-year-old nurse in Lagos records 15-second screen recordings of Exodus Privacy scans on popular apps, posts them as TikTok “exposés” with dramatic music. Hits 500K views in 2 weeks. Gets a $1,200 NordVPN sponsorship by week 4 with only 8K followers, because the niche is hyper-targeted.

:chart_increasing: Timeline: First viral video in 3-5 days if timing aligns with a news cycle. Sponsorship offers at 5K-10K followers in this niche. Plateaus when the news cycle moves on — but the audience stays for the next privacy scandal (and there’s always a next one).

🪟 The HIPAA Gap Exploit

Period apps aren’t covered by HIPAA because they’re classified as “lifestyle” apps, not medical apps. But here’s the crack in the wall: if a doctor RECOMMENDS a specific period app for treatment purposes (endometriosis tracking, fertility treatment monitoring), the data arguably BECOMES medical data under some state laws. Nobody has built a bridge between gynecologists and privacy-safe period apps. The play: create a simple directory (Google Sheet or Notion page) of HIPAA-adjacent period tracking options, marketed specifically to OB/GYN offices. Doctors WANT to recommend apps but are terrified of liability. Give them a vetted list and charge clinics $15-30/month for the maintained directory with update alerts when an app’s privacy status changes.

:brain: Example: A 28-year-old pre-med student in Bogotá creates a Notion database of 20 period apps ranked by privacy, tracker count, and data storage location. Emails 100 OB/GYN clinics in Florida (post-Roe anxiety is highest there). 8 clinics subscribe at $20/month. Revenue: $160/month from a Google Sheet that takes 2 hours/week to maintain.

:chart_increasing: Timeline: First subscriber in 10-14 days. Scales slowly — this is a $500-2,000/month ceiling, not a get-rich play. But it’s recurring, defensible, and gets better as more verdicts drop.

🎰 The Data Deletion Middleman

Under GDPR (Europe) and CCPA (California), users have the legal right to demand companies delete their data. But nobody actually does it because the process is confusing — you have to email specific addresses, use specific legal language, and follow up when they ignore you (which they will). The play: offer a “data deletion service” for women who used Flo, Clue, or other leaky period apps. Charge $5-15 per app per deletion request. You’re not doing anything illegal — you’re filing official data deletion requests on behalf of the user using templates from Privacy International’s guides. Automate with form letters and email templates. Volume is the game.

:brain: Example: A 22-year-old law student in Warsaw sets up a Typeform + Zapier flow. User fills out name + which apps they used. She sends templated GDPR deletion requests to each company. Charges €8 per request. Runs a Reddit ad in r/privacy for €30. Gets 60 orders in the first week = €480 minus ad spend. Net: €450 from copy-pasting legal templates.

:chart_increasing: Timeline: First orders within 3 days of posting. Peaks around major news cycles (like this verdict). Burns out in 6-8 weeks as copycat services appear and companies streamline self-service deletion — but that gap is wide open RIGHT NOW.

🛠️ Follow-Up Actions
Step Action
1 Scan your own apps with Exodus Privacy right now — takes 30 seconds per app
2 Switch to Drip, Euki, or Periodical if you use a period tracker
3 File a CCPA data deletion request with any health app you’ve ever used
4 Check ClassAction.org to see if you qualify for the Flo settlement
5 Revoke app permissions: Settings → Apps → [any health app] → Permissions → turn off everything except what it absolutely needs

:high_voltage: Quick Hits

Want Do
:magnifying_glass_tilted_left: Check which trackers are in your apps Run them through Exodus Privacy (free, instant)
:mobile_phone: Switch to a safe period tracker Drip — open source, data stays on your phone
:money_bag: See if you’re owed money from Flo Check ClassAction.org Flo case for eligibility
:shield: Delete your data from Meta Facebook Off-Activity tool — disconnect + delete
:open_book: Read the full investigation Bureau of Investigative Journalism report

Your period tracker’s marketing said “Your Body, Your Data.” Turns out they meant Meta’s body of evidence, built from your data. The slogan was accurate — just not in the way you thought.

2 Likes