‘Another Notch in the Plaintiffs’ Side’: Experts Weigh Impact of Meta Privacy Verdict Ahead of Damages Phase
On August 1, 2025, a federal jury in San Francisco delivered a landmark verdict against Meta Platforms Inc. in the Frasco v. Flo Health case, finding the company liable for violating the California Invasion of Privacy Act (CIPA) by intentionally collecting sensitive menstrual and fertility data from millions of Flo app users without consent. The ruling, hailed as a significant win for digital privacy rights, now moves to the damages phase, where Meta could face billions in penalties. Experts are weighing the verdict’s broader implications for Big Tech and the evolving landscape of privacy litigation.
The Verdict and Its Basis
The jury determined that Meta’s software development kit (SDK), embedded in the Flo period-tracking app between November 2016 and February 2019, acted as a “recording device” to capture users’ private health data, such as menstruation cycles and pregnancy details, through 12 “custom app events” like “R_SELECT_LAST_PERIOD_DATE.” The jury answered three key questions:
- Intentional Eavesdropping: Yes, Meta intentionally intercepted confidential communications.
- Reasonable Expectation of Privacy: Yes, users reasonably expected their data was private.
- Lack of Consent: No, Meta did not have user consent for its actions.
Lead plaintiff attorney Michael Canty of Labaton Keller Sucharow called it “a landmark moment in the effort to safeguard digital privacy rights,” arguing that Meta “collected it, recorded it, used it, exploited it, profited from it.” Meta’s defense, led by Michele Johnson of Latham & Watkins, claimed the data collection stemmed from Flo’s programming, not Meta’s intent, and that users agreed to Meta’s terms of service. The jury rejected these arguments, finding that Meta’s broad privacy agreements did not shield it from liability.
Impact on Big Tech and Privacy Law
Experts view the verdict as a pivotal moment:
- Precedent for CIPA: The use of a 1960s-era wiretapping law to address modern data collection via SDKs and tracking pixels sets a “viable blueprint” for future privacy cases. CIPA’s $5,000 penalty per violation could lead to damages in the billions for Meta, given the certified class of California Flo users.
- Industry-Wide Warning: Suzanne Bernstein of the Electronic Privacy Information Center noted that the verdict “sends a message to the industry” about courts taking unregulated ad-tracking systems seriously. It underscores that identifiable data, even if not tied to a specific person, can violate privacy laws.
- Challenging Consent Models: The ruling challenges Big Tech’s reliance on broad terms of service, as the jury found Meta’s agreements insufficient to justify collecting sensitive health data. This could push companies to adopt clearer, more explicit consent mechanisms.
- Increased Litigation Risk: The verdict follows a surge in privacy lawsuits, with nearly 50 Video Privacy Protection Act (VPPA) suits filed in 2024 over pixel tracking. The Frasco case’s success may embolden plaintiffs in similar CIPA and VPPA claims, increasing financial and reputational risks for tech firms.
Damages Phase Outlook
The damages phase, overseen by U.S. District Judge James Donato, will determine the financial penalty, potentially reaching billions due to CIPA’s statutory damages. Unlike other defendants (Google, Flo Health, AppsFlyer, and Flurry), who settled before or during the trial, Meta’s decision to contest the case has heightened its exposure. Experts suggest Meta’s appeal will likely argue that Flo Health’s failure to comply with Meta’s terms, which prohibit sharing sensitive data, absolves the company of liability. However, the jury’s rejection of Meta’s consent defense may weaken this argument.
Broader Context
This verdict builds on Meta’s history of privacy controversies, including a $5.1 billion FTC fine in 2019 for violating a 2012 consent decree and an $8 billion shareholder lawsuit settlement in July 2025 over the Cambridge Analytica scandal. Posts on X reflect public frustration with Meta’s data practices, with users like @arnitly questioning how Meta faced no repercussions for privacy violations until now, though these sentiments are inconclusive. The ruling aligns with growing regulatory scrutiny of tracking pixels, as seen in FTC actions against Flo Health in 2021.
Conclusion
The Frasco v. Flo Health verdict marks “another notch in the plaintiffs’ side” by reinforcing that Big Tech cannot exploit sensitive data without explicit consent, even through third-party apps. As the damages phase looms, Meta faces significant financial and reputational risks, potentially reshaping how tech companies handle user data. For updates, monitor Courthouse News Service, Bloomberg Law, or the U.S. District Court for the Northern District of California’s docket (Case No. 3:21-cv-00757).