Your Period Tracker Told Meta When You Were Ovulating — Now They Owe $8 Billion

:red_circle: Your Period Tracker Told Meta When You Were Ovulating — Now They Owe $8 Billion

A “private” health app was secretly sending your most intimate data — your cycle, your pregnancy plans, whether you had unprotected sex — straight to Facebook’s ad machine. A jury just said: that’s wiretapping.

180 million downloads. 38 million active users. Every single cycle logged, every symptom tapped — piped directly to Meta, Google, and a data company called Flurry. The judge says Meta alone might owe $8 billion.

The app is called Flo. One in three American women uses a period tracker. Flo is the biggest. And it was snitching on all of them.

Eavesdropping


🧩 Dumb Mode Dictionary
Term Translation
SDK (Software Development Kit) A tiny hidden tool another company sneaks into an app to spy on what you do
Wiretapping (under California law) Secretly recording someone’s private info without permission — yes, even digital stuff counts
App Events Every time you tap something in an app, it can be recorded and sent somewhere
Class Action When millions of people sue one company together
CIPA (California Invasion of Privacy Act) California law that says you can’t secretly listen in on people’s private stuff
Statutory Damages A fixed penalty per person — multiply that by millions of users and… yeah
📖 The Backstory — How Did We Get Here?
  • Flo launched as a simple period tracker. Log your cycle, get predictions. Easy.
  • Between 2016–2019, Flo embedded Meta’s SDK, Google’s SDK, and Flurry’s tracking code inside the app
  • Every time you told Flo “my period started” or “I’m trying to get pregnant” — that info was sent to these companies in real time
  • Meta’s SDK logged events with names like R_SELECT_LAST_PERIOD_DATE and R_SELECT_CYCLE_LENGTH
  • Flo’s privacy policy said your data would NEVER be shared without consent
  • They changed that privacy policy 13 times between 2016–2019
  • In 2019, the Wall Street Journal exposed the scheme. The lawsuits started.
🔍 What Exactly Was Shared?

Brace yourself. This is what Meta was receiving:

  • When your period started and ended
  • Whether you were ovulating
  • Pregnancy status and week-by-week updates
  • Whether you had unprotected sex
  • Masturbation frequency
  • Mood, symptoms, cramps, flow intensity
  • Sexual activity logs

All of this — labeled, timestamped, and tied to your identity — sent to Meta’s advertising system. So they could sell you ads. That’s it. That’s the whole reason.

💰 The Money — Who's Paying What
Company Amount Status
Google $48 million Settled
Flo Health $8 million Settled
Flurry $3.5 million Settled
Meta Up to $8 BILLION Jury found them guilty — damages being calculated

The total settlement pool (minus Meta) is $59.5 million. You don’t even need proof you were affected to file a claim — if you used Flo between 2016–2019, you’re eligible.

Meta’s bill? $5,000 per person × ~1.6 million California class members = potentially $8 billion. Meta refused to settle. They went to trial. They lost.

⚖️ What the Jury Actually Said

On August 1, 2025, the jury ruled on every single question against Meta:

  • :white_check_mark: Meta intentionally eavesdropped on users
  • :white_check_mark: Users had a reasonable expectation of privacy
  • :white_check_mark: Meta did NOT have consent
  • :white_check_mark: This violates California’s Invasion of Privacy Act (basically: it’s wiretapping)

Judge James Donato denied all three of Meta’s post-trial motions in September 2025 — no decertification, no new trial, no judgment override. Meta is appealing, but the verdict stands for now.

🗣️ Why This Is Different From Every Other Privacy Scandal
  • This isn’t “oops we had a data breach.” This was by design. The SDK was placed there on purpose.
  • Health apps aren’t covered by HIPAA (the medical privacy law). They operate in a legal gray zone where basically anything goes — until now.
  • The “wiretapping” framing is massive. It means any app secretly sending your data could face the same per-person penalties.
  • Over one-third of US women use period trackers. This isn’t niche. This is mainstream.
  • Post-Roe v. Wade, period tracking data can reveal pregnancy status — which in some states could have legal consequences for users.
📊 The Design Trap — How Flo Made You Overshare

The Femtech Design Desk analysis revealed something darker:

  • Flo increasingly pushed users to log MORE symptoms, not fewer
  • The app framed normal cycles as “problems” to drive engagement
  • More data logged = more ad-relevant signals sent to Meta
  • The interface was designed to make oversharing feel like self-care
  • Flo profited from both ends: subscription revenue AND selling data access

This wasn’t a bug. It was a business model.


Cool. My health app was literally a corporate spy. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

Data Leak

🛡️ Build the 'App Privacy Audit' Micro-Service

Most people have NO idea what their health apps are doing behind the scenes. Build a dead-simple web tool that takes an app name and shows: what SDKs it uses, what permissions it requests, and what data it sends out. Use publicly available APK decompilation data (tools like Exodus Privacy already track embedded trackers). Package it as a “privacy score” people can check before downloading. Monetize with a premium version for companies wanting to prove their apps are clean.

:brain: Example: A developer in Portugal built a tracker-checker browser extension after the Flo news. Posted it on Product Hunt, hit #3 for the day, got 12K installs in a week, and landed a $4K/month contract with a European health startup wanting a “privacy certified” badge.

:chart_increasing: Timeline: MVP in a weekend using Exodus Privacy’s open API. Revenue within 2 weeks if you target health app communities on Reddit.

💰 Become the 'Flo Claim' Filing Helper

The $59.5M settlement is open for claims — and most eligible people don’t even know about it. No proof needed. Build a simple landing page that explains who qualifies (anyone who used Flo between 2016–2019), walks them through the claim form, and collects emails for a newsletter about upcoming tech settlements. You’re not a lawyer — you’re an information guide. Monetize with affiliate links to privacy tools, VPNs, or a Patreon for “settlement alerts.”

:brain: Example: A 20-year-old in the Philippines built a TikTok account called “FreeMoneyClaims” explaining US class action settlements to Americans. 340K followers in 4 months. Makes $3K/month from link-in-bio affiliate deals with privacy services.

:chart_increasing: Timeline: Landing page live in one evening. First viral TikTok/Reel within days if you lead with “$59.5 million and you might be owed money.”

🔧 Launch a Privacy-First Period Tracker

The market gap is SCREAMING right now. Every headline about Flo is a woman Googling “private period tracker alternative.” Build one that stores data ONLY on the user’s device (no server, no cloud, no SDK). Open-source the code so people can verify. Use Drip as a reference — it’s an open-source cycle tracker that stores everything locally. Fork it, make the UI beautiful, market it as “the anti-Flo.”

:brain: Example: A solo developer in Germany forked an open-source health tracker after a similar privacy scandal in 2023, added a clean UI and dark mode, charged $2.99 one-time. Made €18K in the first month purely from Twitter/X threads explaining why her app was different.

:chart_increasing: Timeline: Fork + UI redesign in 1-2 weeks. Launch on r/privacy, r/TwoXChromosomes, and women’s health forums immediately after.

📱 Sell 'SDK Audits' to Health App Startups

Every health app founder just read this headline and thought “oh no, is MY app doing this?” Many small startups use Meta’s SDK or Google Analytics without fully understanding what data gets sent. Position yourself as the person who checks their app, identifies hidden trackers, and writes a report confirming they’re clean (or tells them what to remove). Charge $500–$2,000 per audit. You don’t need a security degree — tools like MobSF automate most of the analysis.

:brain: Example: A cybersecurity student in Brazil started offering “privacy audits” to indie app developers after GDPR fines started hitting. Charges $800 per app, does 3–4 per week using automated scanning tools. Pulls in $10K+/month and gets referrals from app lawyers.

:chart_increasing: Timeline: Learn MobSF in a weekend. First client within a week if you cold-DM health app founders on Twitter/X with “hey, I checked your APK and found 3 trackers — want a full report?”

📝 Create 'Post-Roe Privacy Guides' for Specific States

Here’s the angle nobody’s talking about: in states with abortion restrictions, period tracking data can be subpoenaed. Women need state-specific guides on which apps are safe, what data to delete, and how to track their cycle WITHOUT creating a digital paper trail. Create downloadable PDFs or a simple website organized by state. Partner with reproductive rights orgs for distribution. Monetize with donations or a paid “complete privacy toolkit” bundle.

:brain: Example: A paralegal in Texas built a Notion template called “Digital Safety for Texas Women” after Dobbs. Shared it in 3 Facebook groups. It went viral — 89K views in a week. She now sells a $15 expanded version and makes $4K/month passively.

:chart_increasing: Timeline: Research 5 states’ laws (2-3 days). Build the guide (1 day). Share in women’s health communities immediately.

🛠️ Follow-Up Actions
Want Do
Check if YOUR apps have hidden trackers Use Exodus Privacy — paste any Android app name and see every embedded tracker
File a claim if you used Flo Visit the settlement site — no proof required for 2016–2019 users
Switch to a private period tracker Try Drip (open-source, local-only) or Euki (built by a reproductive health nonprofit)
Audit an app’s permissions yourself Download MobSF and drag any APK into it
Understand the legal precedent Read the full jury verdict breakdown

:high_voltage: Quick Hits

Want Do
:red_circle: Check if you’re owed money Visit the claim site — used Flo 2016–2019? File now. No proof needed.
:shield: Kill hidden trackers in your apps Run your apps through Exodus Privacy right now
:mobile_phone: Switch to a private tracker Drip — open source, stores nothing online
:balance_scale: Understand what Meta did They logged events called R_SELECT_LAST_PERIOD_DATE and sold ads with it
:brain: Protect yourself post-Roe Delete old period data, switch to local-only apps, read your state’s subpoena laws

Your “self-care” app was Meta’s informant. The jury noticed. Maybe check what else on your phone is snitching.

2 Likes