Flo Health, the world’s most popular female health app, has agreed to pay $8 million after allegations it shared reproductive health data with digital advertising companies without user consent.

Court filings show Flo Health will pay into a proposed $59.5 million settlement fund - with Google agreeing to contribute $48 million and Yahoo-owned Flurry will add $3.5million.

The fund will compensate women nationwide and in California whose data was allegedly mishandled between 2017 and 2019.

As part of the proposed deal, Flo, Google and Flurry deny wrongdoing, insisting that they neither shared nor misused data. U.S. District Judge James Donato must still approve the settlement before payouts can proceed.

In a statement Flo Health said:

“We are pleased this matter has been resolved and that the facts came out at the trial. The agreement to settle was announced just a day after the lack of evidence to support the allegations against Flo became increasingly clear in court. We have always maintained that the claims lacked merit, and importantly, this settlement includes no admission of wrongdoing. We can now put the matter behind us so we can continue to focus on serving our customers and delivering our mission to advance the future of women’s health.

“As part of the settlement terms, Flo has created an $8,000,000 settlement escrow fund that eligible class members (those who used the Flo app between Nov. 1, 2016 and Feb. 28, 2019) will be able to file claims to receive a portion of this fund. (California residents may receive a larger share if they provide proof of residency.) The fund will also cover administrative costs, notice, attorneys’ fees & expenses, and service awards.”

Broader concerns on data privacy in FemTech

A number of high-profile cases and reports in the last decade have highlighted concerns about reproductive health apps collecting more data than is necessary, sharing with third parties (and even potentially selling data to third parties), poor data security measures and a lack of transparency about data privacy (i.e not being open about how data is collected, used and shared).

Back in 2019, Privacy International conducted an analysis of 36 menstruation apps and they found that 61% were automatically transferring data to Facebook when a user opened the app. They also found that some of those apps were routinely sending Facebook incredibly detailed and sometimes sensitive personal data. This was happening even if people were logged out of Facebook or didn’t have an account.

A study by JMIR from 2022 found that “many of the most popular women’s [mobile health] apps on the market have poor data privacy, sharing, and security standards. Although regulations exist, such as the European Union General Data Protection Regulation (GDPR), current practices do not follow them.”

And the issue of data privacy in FemTech apps came to a head in 2022 after protection for abortion was overturned in the US.

There were calls for women to delete their period tracking apps because of the fear that information logged in these apps could be used to prove women had obtained an abortion, which is considered a criminal offence in certain jurisdictions. For example, data from an app may show dates that a woman was pregnant followed by a date that she wasn’t.

In response many leading apps such as Clue have worked hard to demonstrate their commitment to data privacy. And new apps such as Embody and Comma’s app Sara offer privacy-first designs.

Flo Health data concerns

Flo Health has itself previously been in the spotlight for data privacy concerns. In January 2021 it settled with the Federal Trade Commission for sharing user data with marketing and analytics services at Facebook and Google. While Flo Health did not admit wrongdoing it agreed to overhaul its privacy efforts to renew a focus on user consent and transparent communications. Since then, Flo Health has introduced a range of improved practices including open sourcing its anonymous mode in June 2023 and stepping up privacy commitments with a new ISO certification in January 2024. The latter is an internationally recognised standard in privacy and data protection and serves as a formal independent seal of approval for Flo’s privacy program.

Separate class actions are also ongoing in Canada against Flo Health, including a national lawsuit certified in British Columbia and another in Quebec. In that case, Flo Health is accused of sharing users’ intimate health information to third parties like Facebook without their knowledge between June 2016 and February 2019.

The current class action builds upon the same core allegations from the 2021 FTC settlement, while this time seeking damages on behalf of users affected.

*This article was amended after publishing to include a statement from Flo Health.