Tracking Periods and Consumer Data: A Look at the Costs of Privacy Non-Compliance for Health Apps

12:17 PM, 10/16/2025

Women’s health app developer Flo Health, Inc. (“Flo”) and Google LLC (“Google”) have reached a proposed settlement to resolve a class action lawsuit alleging that Flo unlawfully shared private health data with Google, Meta Platforms, Inc. (“Meta”), and Flurry, Inc. (“Flurry”) through online tracking technologies. Flo collected highly sensitive data from users, including but not limited to menstrual cycle details, sexual activity, and location information. Flo, Google, and Flurry opted to settle with the plaintiffs before the jury verdict, while Meta proceeded to trial and lost.

Since smartphones have become indispensable devices, health-adjacent apps like Flo, which track personal information, have become increasingly popular. From sleep to food intake to fertility, almost every aspect of one’s health can be monitored through a specially designed app.

To protect consumers’ data in this sensitive marketplace, a number of sector-specific privacy laws have emerged in various states across the United States. There is a common misconception that the Health Insurance Portability and Accountability Act (“HIPAA”) protects health app data, but the majority of these apps do not fall within its purview. Rather, the Act applies only to specifically covered healthcare entities. As such, the suit against Flo and Google was brought under the California Invasion of Privacy Act (“CIPA”), alleging that the unauthorized collection of users’ health data was unlawful.

As part of the settlement, Google has agreed to pay $48 million while Flo has agreed to pay $8 million, totaling $56 million in relief for the plaintiffs. Neither entity admitted liability as part of the settlement. Meta, after losing a jury verdict, plans to appeal the decision. This verdict could cost Meta up to $5,000 per violation, a number that could total in the billions. A spokesperson for Meta stated they “disagree with the verdict and believe the plaintiffs’ claims are false.” 

The plaintiffs in this case were able to present evidence that device identifiers could link the data back to individual users. Accordingly, experts claim that the verdict serves as a warning for technology companies who deal in consumer health data, even if such data is considered “de-identified.”

As settlements like this emerge, the question arises: will health apps fight or fold against litigation? 

Privacy statutes are often accompanied by large statutory penalties imposed on a per-violation basis. Regulators can impose whopping multi-million dollar fines to deter companies from violating regulations. While this may seem unreasonable, the deterrent effect of regulators’ penalties must outweigh the economic benefit of ignoring the law, given that compliance creates increased costs as companies must heighten transparency, confidentiality, and security. Without such severe penalties, privacy laws would be useless.

One concern with fines is that larger companies may choose to avoid true accountability by paying their way out of any violations. In fact, an enforcement tracker for the General Data Protection Regulation, the primary privacy law for Europe, indicates that Meta has been issued five of the ten highest fines ever issued to a single individual or entity. Other critics claim that the reputational damage a brand suffers is the true penalty. Companies may face loss of customer trust, operational disruptions, and increased scrutiny from regulators in future audits.

In the present case, despite not admitting liability, Flo has agreed to display a “prominent notice about Flo’s commitment to privacy” on their website for one year after the finalization of the settlement. 

The debate between incurring costs of compliance versus paying regulator fees has made its rounds within Big Tech. With this settlement, health technology companies will be forced to join the conversation. Many apps collecting sensitive data similar to Flo have successfully evaded regulators such as the Federal Trade Commission by working outside the scope of HIPAA. This settlement indicates that, despite HIPAA not governing the data at issue, collecting any health-related information requires explicit and informed consent. 

As this issue progresses, health technology companies must navigate new costs. These companies do not always have the financial resources of a technology giant (*cough* Meta *cough*) and may choose to settle more often than pursuing expensive litigation. Such a legal strategy may leave the door open for frivolous lawsuits from opportunistic plaintiffs seeking deeper pockets. 

Ultimately, the options come down to choosing between the costs of compliance or non-compliance. Given the reputational harms of litigation, the wisest option for budding companies is pursuing compliance or, following in the footsteps of Flo, a settlement. 

Shreya Patel

Shreya is a 2L at the University of North Carolina School of Law. Before law school, Shreya attended the University of North Carolina at Chapel Hill, majoring in Psychology with minors in Neuroscience and Philosophy. In her free time, Shreya enjoys spending time with her friends and family.