Flo was found liable in Frasco v. Flo (Aug 2025) for secretly sending menstrual, ovulation, and pregnancy data to Meta, Google, and Flurry via an embedded tracking tool.
Key Takeaways
Flo embedded a third-party tracking tool that passed reproductive health data to Meta and others from 2016 to 2019, violating its own privacy policy.
The class action covered 13 million plaintiffs; Meta was found liable by a jury, while Google and Flurry settled out of court.
HIPAA does not cover non-clinical wellness apps, leaving consent frameworks entirely at the discretion of product teams.
Flo updated its privacy policy 13 times in three years, but courts found none of those edits constituted meaningful consent.
The article argues UX bloat around symptom logging was a deliberate design choice to surface more monetizable health signals for advertisers.
Hacker News Comment Review
The one comment captures the core tension cleanly: free apps need a revenue model, and health data is the product when there is no subscription fee.
There is no broader technical debate yet on HIPAA gaps, SDK-level tracking instrumentation, or post-Dobbs data-retention risk, though the source raises all three.