Flo & Google to Pay $56M Over Period-Tracking Privacy Case

Health data and shadow tracking don’t mix. Flo Health and Google have agreed to pay a combined $56 million to resolve claims tied to the Flo period-tracking app’s data-sharing practices. The deal still requires court approval, but the signal to the market is loud: sensitive health signals routed through analytics/ads stacks can trigger eight-figure outcomes, and that’s before you factor in copycat suits and regulator follow-ons. We have already covered Flo’s privacy and legal issues in the class action case, as well as Google’s ongoing privacy cases, and warned business owners about them. It is imperative that you install and set up Captain Compliance consent management software to protect your business from legal liabilities.

The Latest Privacy Settlement

  • Who pays: Google (~$48M) and Flo Health (~$8M), pending approval.
  • Core allegation: Sensitive reproductive health information was shared with third parties via embedded SDKs/trackers without sufficiently explicit, informed consent (historic period: roughly 2016–2019).
  • Co-defendant status: Meta did not settle; a jury later found Meta liable under California privacy law—damages phase to follow.
  • Why this stings: Statutory privacy laws can multiply damages per user or per transmission; plaintiffs don’t need to prove individualized harm for every class member.

Why It Matters (Beyond Flo)

Reproductive and health-adjacent data is among the most sensitive personal information a product can touch. Even “derived” or “inferred” signals (cycle predictions, pregnancy status, symptom notes) carry heightened expectations of confidentiality. When telemetry flows to ad/analytics partners without granular consent and tight purpose limits, plaintiffs can frame it as unlawful disclosure—especially under state wiretap, medical-privacy, or invasion-of-privacy statutes. For platforms, that exposure compounds with every user and every transmission.

Related 2025 Actions You Should Have on Your Radar

Aspen Dental — Pixel/Telemetry Lawsuit

Result: $18.7 million to resolve claims that marketing pixels on dental sites disclosed patient interactions and visit details to third parties. The broader lesson: web pixels can be litigated like app SDKs. Health-adjacent sites are squarely in scope, even when no formal HIPAA relationship exists.

Headway (Mental-Health Platform) — Litigation Still Active

Status: No class settlement announced at the time of writing. Courts allowed key medical-privacy claims to proceed, keeping focus on whether trackers/analytics exposed sensitive therapy-related interactions. Mental-health contexts are drawing stricter judicial scrutiny; expect more discovery fights over telemetry.

Other Signals

  • State AG mega-matters: Large state actions (e.g., Texas v. Google over data collection practices) show attorneys general are willing to pursue blockbuster penalties outside the class-action channel.
  • FTC enforcement/refunds: Cases like BetterHelp reinforce the federal view that sharing mental-health data for advertising is a bright-line problem when disclosures and consents are ambiguous.

Three Product Lessons for Founders and GCs

  1. Treat SDKs and pixels like data processors, not “just tools.” Maintain a processor registry, data-flow map, and purpose limits for each library. If you can’t justify the signal, don’t send it.
  2. Consent must be explicit, granular, and enforced in code. Tie consent to specific features (e.g., cycle predictions, community, ads personalization), record it, honor revocation, and minimize by default.
  3. Design for statutory-damages regimes. Assume per-user, per-transmission exposure. Log, segregate, and block sensitive events by default; quarantine anything that could reveal health status without an opt-in.
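An added illustration of the three lessons in code (not Captain Compliance’s product, Flo’s code, or any vendor SDK): a consent-gated telemetry filter with a processor registry, feature-level consent that honors revocation, and quarantine of health signals by default. The field names, SDK names and sample events are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Event keys that could reveal reproductive/health status (constructed list).
SENSITIVE_FIELDS = {"cycle_prediction", "pregnancy_status", "symptom_notes"}

# Lesson 1: processor registry listing each SDK/pixel and its approved purposes
# (hypothetical destination names).
PROCESSOR_REGISTRY = {
    "analytics_sdk": {"product_analytics"},
    "ads_pixel": {"ads_personalization"},
}


@dataclass
class Consent:
    """Lesson 2: feature-level opt-ins for one user; revoking removes the feature."""
    granted: set = field(default_factory=set)

    def grant(self, feature: str) -> None:
        self.granted.add(feature)

    def revoke(self, feature: str) -> None:
        self.granted.discard(feature)


def is_sensitive(event: dict) -> bool:
    """An event is sensitive if any of its keys is a health signal."""
    return not SENSITIVE_FIELDS.isdisjoint(event)


def route_event(event: dict, destination: str, purpose: str,
                consent: Consent, quarantine: list, audit: list) -> str:
    """Lesson 3: gate one event before it leaves the app.

    Returns "sent", "blocked" or "quarantined" and appends an audit record so
    the consent state behind every transmission can be proven later.
    """
    allowed_purposes = PROCESSOR_REGISTRY.get(destination)
    if allowed_purposes is None or purpose not in allowed_purposes:
        decision = "blocked"        # unapproved library or off-purpose use
    elif is_sensitive(event) and purpose not in consent.granted:
        decision = "quarantined"    # health signal without an opt-in: hold locally
        quarantine.append(event)
    else:
        decision = "sent"           # non-sensitive, or sensitive with explicit opt-in
    audit.append({"destination": destination, "purpose": purpose,
                  "sensitive": is_sensitive(event),
                  "consent": sorted(consent.granted), "decision": decision})
    return decision
```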

How Captain Compliance Keeps You Out of the Headlines

  • Data Classification: Auto-tag reproductive/health, communications, and biometric signals as “sensitive” to trigger encryption, retention limits, and access controls.
  • Vendor & SDK Oversight: Centralize all trackers/processors with risk scores, DPAs, and purpose constraints; block unapproved libraries in CI/CD.
  • API & Pixel Risk Assessment: Continuous scans for cross-account leakage, overbroad payloads, and covert signal sharing to ad/analytics endpoints.
  • Consent & Purpose Logging: Feature-level opt-ins tied to lawful basis, purpose, and expiry—provable in audits and court.
  • DSAR Automation: Respond at scale to access/deletion requests after incidents; show regulators a working rights pipeline, not a promise.

Get Compliant Now and Avoid Multi-Million Dollar Fines

The $56M Flo/Google deal isn’t an outlier—it’s a milestone. Health and wellness products that treat telemetry as a free-for-all are inviting eight-figure settlements and open-ended litigation. Build privacy in before plaintiffs and regulators build your roadmap for you.

Ready to pressure-test your website or app? Get a free privacy audit or book a time with a privacy and compliance superhero below.
