Your Period App Told Facebook When You Had Sex — And Meta Got Caught Wiretapping

That “safe” health app on your phone? It was literally sending Mark Zuckerberg your ovulation schedule. A jury just called it wiretapping.

13 million women. 3 years of secret data siphoning. 12 hidden tracking codes. One $59.5 million settlement — and Meta could owe up to $190 BILLION.

Flo Health, the world’s most popular period tracking app with 75 million users, was caught red-handed shipping your most intimate health details straight to Facebook’s ad machine. And I mean INTIMATE. We’re talking cycle dates, pregnancy plans, sexual activity, even masturbation habits. A jury just called it illegal wiretapping. You’re not ready for how bad this is.


🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
| --- | --- |
| SDK | A chunk of code (made by Facebook/Google) that app makers drop into their app. It secretly phones home with your data |
| Wiretapping | Listening in on someone’s private stuff without permission — like tapping a phone line, but digital |
| Custom App Events | Secret labels Flo gave your data, like “R_SELECT_LAST_PERIOD_DATE” — so Facebook knew exactly what info you entered |
| Class Action | When a bunch of people (here, 13 million women) sue together as one group |
| CIPA | California Invasion of Privacy Act — the law Meta got found guilty of breaking |

🔍 What Exactly Happened?

Okay so between November 2016 and February 2019, Flo embedded Facebook’s SDK deep inside their app. Every time you answered a health survey, tapped a date, or logged anything — that data got beamed straight to Meta.

We’re not talking vague analytics here. Meta set up 12 custom tracking codes inside Flo with names like:

  • R_SELECT_LAST_PERIOD_DATE
  • R_SELECT_CYCLE_LENGTH

Every single survey question you filled out? Meta got a copy. Automatically. For three years straight. And they used it to figure out who’d be a good target for baby product ads, fertility ads, and pregnancy-related marketing.

The kicker? Flo’s privacy policy said they were protecting your data the whole time. They revised that policy 13 times during the violation period. I mean. Thirteen rewrites to keep the lie going.

💰 The Money Trail
| Who | What They’re Paying | Why |
| --- | --- | --- |
| Google | $48 million | Also received the data via their own SDK |
| Flo Health | $8 million | Built the pipeline that leaked everything |
| Flurry (Yahoo) | $3.5 million | Third data partner that got a copy too |
| Meta | REFUSED to settle | Went to trial. Lost. Now facing appeal |

Total settled so far: $59.5 million. Claim forms are expected in spring 2026.

But here’s where it gets truly wild: each CIPA violation carries a $5,000 penalty. With 38 million monthly active Flo users? Meta’s potential bill is somewhere around $190 billion. With a B. That’s more than Meta’s entire yearly revenue.

📊 Why Your Period Data Is Worth So Much

This isn’t random. Pregnancy data is worth up to 200 times more to advertisers than your age or location.

Think about it. If Facebook knows you’re trying to get pregnant, they can sell that signal to:

  • Baby product companies
  • Fertility clinics
  • Insurance companies
  • Maternity brands
  • Prenatal vitamin makers

One woman in the lawsuit, Autumn Meigs, was a teenager when this started. She testified she felt “a lot of anxiety” learning her most personal health data had been sold.

🗣️ How People Reacted
  • Jury foreman: Described the verdict as wanting to “send a message” about app privacy
  • Consumer Reports: Published a call to delete your Flo data immediately
  • Privacy advocates: Called this the first real case where Big Tech got held accountable for health data abuse
  • Meta: Still appealing. Still denying wrongdoing. Still Meta-ing.
  • Flo users online: Basically a collective “I KNEW something was off when I started getting baby ads before I told anyone I was trying”

⚠️ The Bigger Picture — It's Not Just Flo

Over one-third of American women use period tracking apps. And Flo isn’t the only one with sketchy data practices. After the Dobbs decision (which overturned abortion rights), privacy experts warned that period app data could be used against users in states where reproductive choices are criminalized.

This lawsuit proves that the threat isn’t theoretical. These apps ARE sharing your data. The only question is who’s buying it and what they’re doing with it.

Fun fact: Google and Flurry didn’t even fight the lawsuit. They just wrote the checks. Only Meta said “nah, we’ll take our chances” — and got hit with the wiretapping verdict.


Cool. Your Health App Was a Snitch This Whole Time. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🔐 Build a 'Privacy Audit as a Service' for Health Apps

Most people have NO idea what their health apps are sending out. Build a simple tool or service that scans popular health/fitness apps and generates a “privacy report card” — showing what data goes where. Charge $5-15 per audit, or offer a subscription for ongoing monitoring.

🧠 Example: A freelance developer in Lisbon built a browser extension that flags apps with known data-sharing SDKs. Listed it on Product Hunt, got 800 upvotes in a day, then licensed it to a European health data compliance startup for €4K/month.

📈 Timeline: MVP in a weekend using public SDK databases. First paying users within 2 weeks if you market it on privacy-focused subreddits like r/privacy and r/degoogle.
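
As an added example (not code from the original post or from any tool it names), here is a minimal version of the “privacy report card” idea in Python: it walks a constructed proxy capture of an app’s outbound requests and lists which third-party hosts received health-related event names. The hosts, field names and keyword list are assumptions; the two `R_SELECT_*` event names are the ones quoted earlier in the post.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = ("periodapp.example",)                  # assumption: the app's own domains
SENSITIVE = ("PERIOD", "CYCLE", "PREGNAN", "OVULAT")  # assumption: keyword list

# Constructed proxy capture: (URL, request body). Hosts and field names are made up.
CAPTURE = [
    ("https://api.periodapp.example/v1/sync", '{"cycle_length": 28}'),
    ("https://sdk.adnetwork.example/events",
     '{"app": "periodapp", "events": [{"event_name": "R_SELECT_LAST_PERIOD_DATE"},'
     ' {"event_name": "APP_OPEN"}]}'),
    ("https://t.metrics.example/collect?event_name=R_SELECT_CYCLE_LENGTH&v=2", ""),
    ("https://cdn.fonts.example/roboto.woff2", ""),
]

def event_names(node):
    """Yield every string stored under a key containing 'event', at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if "event" in key.lower() and isinstance(value, str):
                yield value
            else:
                yield from event_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from event_names(item)

def is_first_party(host):
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def report_card(capture):
    """Map each third-party host to the sensitive event names it received."""
    findings = defaultdict(set)
    for url, body in capture:
        parts = urlsplit(url)
        if is_first_party(parts.hostname or ""):
            continue  # traffic to the app's own backend is out of scope here
        names = list(event_names(dict(parse_qsl(parts.query))))
        try:
            names += event_names(json.loads(body)) if body else []
        except json.JSONDecodeError:
            names += event_names(dict(parse_qsl(body)))  # form-encoded body
        for name in names:
            if any(word in name.upper() for word in SENSITIVE):
                findings[parts.hostname].add(name)
    return {host: sorted(names) for host, names in findings.items()}

if __name__ == "__main__":
    for host, names in report_card(CAPTURE).items():
        print(f"{host}: {', '.join(names)}")
```
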

💰 Become a Flo Lawsuit Claim Filer — For Other People

The $59.5M settlement means millions of women qualify for payouts — no proof required. But most people won’t bother filling out the forms. Set up a simple landing page that walks people through the claim process, collects an email list, and monetize through affiliate links to privacy-first period tracking alternatives like Drip or Euki.

🧠 Example: A TikTok creator in Atlanta made a 45-second video explaining the Equifax settlement claim process, got 2.3M views, and drove 40K signups to her email list. She then sold a $12 “digital privacy toolkit” to 3,100 of them. That’s $37K from one lawsuit explainer.

📈 Timeline: Set up a Carrd or Notion page today. Post the explainer video this week. Claim forms open spring 2026 — so you’re early.

📱 Sell Pre-Configured 'Clean Phones' to Privacy-Conscious Women

Take budget Android phones, strip out all the tracking garbage, pre-install privacy-first alternatives for period tracking, messaging, and browsing. Sell them on Etsy or through Instagram reels targeting the “detox your phone” audience. The Flo lawsuit just created a massive wave of women who now actively distrust their apps.

🧠 Example: A guy in Warsaw buys Xiaomi phones for €80, installs GrapheneOS or CalyxOS, pre-loads Signal + Drip + Brave, and sells them as “Privacy Phones” on a Shopify store for €249. Moves 15-20 units/month through Telegram privacy groups. That’s €2,500+/month profit from phones nobody else thought to de-Google.

📈 Timeline: First unit ready in a day. Shopify store up in a weekend. First sales within a week if you post in privacy forums and women’s health communities.

📝 Write 'Terms of Service Translations' for Health Apps

Nobody reads privacy policies. But after lawsuits like this, people WANT to know — they just can’t understand legalese. Create bite-sized, plain-English breakdowns of popular health app privacy policies. Monetize through a Substack newsletter, a micro-SaaS tool, or by selling “translated” reports to companies who want to prove they’re transparent.

🧠 Example: A law student in Nairobi started a Substack called “TOS;DR for Health Apps” — plain-language breakdowns of what health apps actually do with your data. Hit 6,000 subscribers in 3 months. Now charges health startups $500 to write their “plain English privacy page” as a trust signal.

📈 Timeline: First post takes an afternoon. Consistency over 4-6 weeks builds the audience. Revenue starts when you have 1,000+ subscribers or your first B2B client.

🛡️ Start a 'Data Deletion Concierge' Service

Most people don’t know they can request their data be deleted from apps and ad networks. Offer a done-for-you service: for $25-50, you send GDPR/CCPA deletion requests to every company that has someone’s health data. Target the post-Flo-lawsuit crowd who just found out Facebook has their cycle data.

🧠 Example: Two college students in Berlin built a simple form that auto-generates deletion request emails for 200+ companies. They charge €29/year for the “auto-send” premium tier. Got featured on a German tech podcast, hit 4,000 paying users in 6 months. That’s €116K/year from helping people press “delete.”

📈 Timeline: Build a basic form with templates in a weekend. Charge immediately. The demand is RIGHT NOW while the lawsuit is in the news.

🛠️ Follow-Up Actions
| Want to… | Do this |
| --- | --- |
| 🔍 Check if you qualify for the $59.5M payout | Visit OpenClassActions — used Flo between Nov 2016-Feb 2019? You’re probably in |
| 📱 Switch to a privacy-first period tracker | Try Drip (open source) or Euki (designed for data safety) |
| 🧹 Delete your Flo data right now | Open Flo → Settings → Account → Delete Account (and send a CCPA deletion request separately) |
| 🔐 Check what SDKs your apps are hiding | Use Exodus Privacy — free tool that scans Android apps for hidden trackers |
| 📖 Read the full investigation | The Bureau of Investigative Journalism deep-dive |

⚡ Quick Hits

| Want to… | Do this |
| --- | --- |
| 🔍 See if Flo snitched on you | Check if you used the app between 2016-2019 → file a claim |
| 📱 Scan your apps for hidden trackers | Install Exodus Privacy on Android — it’s free and instant |
| 🛡️ Switch to an app that doesn’t spy | Drip is open-source and stores everything locally |
| 💰 Check if you’re owed money from other lawsuits | Browse TopClassActions.com for active settlements you might qualify for |

Your phone knows more about your body than your doctor does. The difference is your doctor has to keep it secret.
