In August 2025, a San Francisco jury reached a rare privacy verdict in Frasco v. Flo Health, holding Meta liable under the California Invasion of Privacy Act (“CIPA”) for intercepting reproductive health information from women using the Flo menstrual tracking app. Flo and other co-defendants had settled before or during trial, leaving Meta as the only defendant to face the jury. The unanimous finding that Meta’s software development kit (“SDK”) captured highly personal ovulation and menstrual information without consent set the stage for a round of post-trial motions aimed at undoing the result.
Meta, in the Court’s words “filed several post-trial motions that ask to overturn just about everything related to the verdict.” These included requests to decertify the California class under the CIPA claim, for judgment as a matter of law on the CIPA claim, and for a new trial. Meta attempted to rehash its argument that individual differences in user onboarding experiences and expectations of privacy should have precluded class-wide resolution. Meta also argued that there had been no “eavesdropping” at all, because the SDK only relayed information Flo had already received, rather than directly intercepting user communications. Meta further insisted that plaintiffs had not proved confidentiality or lack of consent. Finally, Meta claimed that the court had erred in its jury instructions and in allowing a juror with alleged bias to serve.
Judge James Donato rejected these efforts. On the question of decertification, Meta was chided for its “improper attempt to seek reconsideration” on the basis of “arguments [that] have virtually nothing to do with the evidence admitted at trial and are not based on materially new facts or law that might warrant reconsideration.” Nevertheless, Judge Donato explained that the opposition to certification was misdirected because the trial evidence confirmed that the named plaintiffs saw the same privacy disclosures by Flo and Meta, completed the onboarding survey, and were subject to the same SDK practices each time they answered an onboarding survey question. The plaintiffs also testified that they considered the information they provided during the onboarding survey to be highly sensitive, private, and not something they would otherwise freely share.
Next was a Rule 50(b) motion for judgment as a matter of law, in which Meta insisted that plaintiffs had failed to prove eavesdropping, intent, or confidentiality. Judge Donato was not persuaded. He pointed to the plaintiffs’ expert evidence showing that Meta’s SDK intercepted the contents of user inputs as they were entered into the Flo app, and noted that intent under CIPA was satisfied because there was sufficient evidence to reasonable conclude that Meta recorded users’ communications with Flo “with the purpose or desire of recording a confidential conversation,” or “with the knowledge to a substantial certainty that [its] use of the [SDK] will result in the recordation of a confidential conversation.” On confidentiality, the court emphasized that Flo’s privacy policies had promised to keep cycle and pregnancy information private, giving users a reasonable expectation of privacy.
Finally, Meta sought a new trial under Rule 59. It claimed that the court had erred in instructing the jury on intent, because the jury was instructed that a “recording of a confidential conversation is intentional if the person using the recording equipment does so with the purpose or desire of recording a confidential conversation, or with the knowledge to a substantial certainty that his use of the equipment will result in the recordation of a confidential conversation.” This language was drawn directly from Rojas, a California Court of Appeal decision construing CIPA and quoting the Supreme Court of California. Rojas v. HSBC Card Servs. Inc, 20 Cal. App. 5th 427, 435 (2018) (quoting People v. Superior Court, 70 Cal. 2d 123, 134 (1969)). The Court rejected Meta’s argument that there is a distinction “between a first-party use case [and] a third-party misuse case,” and that Rojas was inapplicable because as a first-party case because the defendant “in that case was recording themselves.” Critically, the Court noted that CIPA prohibits “a particular result, rather than a particular act.”
Finally, Meta’s challenges to evidentiary rulings and the seating of a particular juror were also rejected, in large part due to Meta’s failure to raise timely objections. With no defect undermining the integrity of the trial, the verdict remained intact, illustrating that CIPA liability can attach not only to app developers but also to technology providers whose SDKs are embedded in apps and facilitate undisclosed transmissions.
With its post-trial motions denied, Meta now faces the prospect of statutory damages under CIPA Section 632. The statute authorizes $5,000 per violation, and in a certified California class, that number adds up quickly. The court has not yet ruled on damages, but the order makes clear that the liability finding is not going away.
The case is Frasco v. Flo Health, Inc., 21-cv-00757-JD, 2025 WL 2680068 (N.D. Cal. Sept. 17, 2025).
CIPAWorld 