In this analysis piece for National Law Review, Darrow's Etia Rottman Frand examines a landmark California jury verdict that found Meta Platforms liable for wiretapping under the California Invasion of Privacy Act — and explains why the ruling has significant implications for data privacy litigation well beyond this single case.
On August 1, 2025, a federal jury in San Francisco found that Meta had illegally intercepted sensitive reproductive health data from users of Flo, a popular period-tracking app. The mechanism was a software development kit (SDK) embedded in Flo's app that captured intimate details users entered — including menstrual cycle data, pregnancy goals, and sexual activity — and transmitted them to Meta for targeted advertising purposes. Plaintiffs argued this was the digital equivalent of planting a recording device in a private conversation: as users confided personal health information to the Flo app, Meta was secretly listening in real time. The jury agreed, finding Meta liable on three counts.
The case had a long runway. Flo's data-sharing practices were first exposed in 2019 by The Wall Street Journal, which revealed that the app was sending user health data to Facebook through hidden analytics tools. A Federal Trade Commission investigation followed, leading to a 2021 settlement in which Flo agreed to obtain affirmative consent before sharing health data going forward. But civil litigation continued, eventually naming Flo, Google, Meta, and analytics firm Flurry as defendants. By the time the case reached the jury, most had settled: Flurry in March 2025, Google weeks before trial, and Flo on July 31, the day before the verdict. Meta alone went to trial and lost.
Meta's defense centered on positioning the company as a passive recipient of data rather than an active participant in its collection — arguing that Flo, not Meta, made the decision to share the information. The jury rejected this framing. Plaintiffs successfully argued that Meta had designed the SDK to capture data, encouraged developers to embed it, and then exploited the resulting data for commercial gain. Intent, in the jury's view, was clear.
The verdict carries substantial financial stakes. CIPA permits statutory damages of $5,000 per violation, and with a certified class of California-based Flo users, Meta has acknowledged that total exposure could reach multiples of billions of dollars. Judge James Donato of the Northern District of California is set to determine final damages.
Rottman Frand frames this verdict as more than a win in a single case — it is a proof of concept for a wave of data privacy litigation that has been building for years. CIPA, a 1967 wiretapping statute originally designed to protect Californians from unauthorized telephone recordings, has become one of the most powerful tools available to plaintiff attorneys challenging modern data collection practices. The Meta verdict is the first time a CIPA wiretap claim has resulted in a jury finding against a major technology company, setting precedent for how courts will handle similar cases involving pixels, SDKs, and third-party tracking tools going forward.