
At ECAC, one of our goals is to keep members abreast of key legal, regulatory, and technological shifts that could impact privacy, trust, and the customer experience ecosystem. A recent development in the privacy space, the class action lawsuit involving Google and the menstrual tracking app Flo, is an important case to watch. It raises questions about data handling, transparency, user expectations, and liability.

Below is a breakdown of what’s going on, why it matters to our industry, and how ECACUSA members should think about it.

What Is the Google & Flo Case?

  • In September 2025, Google and Flo Health agreed to a combined settlement of $56 million to resolve a class action lawsuit. Google will pay $48 million, and Flo will pay $8 million. 
  • The lawsuit alleges that during the period from November 2016 through February 2019, the Flo app collected sensitive health data (menstrual, pregnancy, reproductive) and shared it with third parties, including Google, via embedded analytics or software development kits (SDKs). 
  • Users claimed they were led to believe their data would remain private and not be shared with outside parties without consent. The plaintiffs argued that the sharing violated privacy laws such as the California Invasion of Privacy Act and related state laws.
  • Google and Flo both denied wrongdoing in public statements, but chose settlement to avoid the uncertainties, costs, and risks of trial. 
  • A notable twist: Meta (formerly Facebook) was also a defendant and declined to settle. During trial, a jury found Meta liable for illegally collecting users’ reproductive health data. 

 

Why This Case Matters to the CX / Digital Experience Industry

  1. Sensitive data and user trust

In many apps and CX services, the data collected can be deeply personal: health, preferences, behavior, and location. This case reminds us how critical it is to handle sensitive data with extreme care. If users perceive that their trust has been violated, reputational damage can be severe.

  2. SDKs, analytics, and embedded tools carry risk

Many digital platforms use third-party SDKs, analytics, ad networks, or measurement tools. The Google & Flo case underscores that even tools installed “behind the scenes” can implicate you in data sharing, especially if they carry personal or sensitive data.

  3. Regulatory and legal liability is rising

Courts and privacy advocates are increasingly willing to hold companies accountable for opaque data practices. Settlement or liability risk is no longer theoretical. The case shows the legal risk attached to what might have been considered “back end” or “infrastructure” code.

  4. Evolving privacy expectations

Users are more aware now of what data is collected and how it’s used. Even where strict laws don’t yet apply, expectations and norms are shifting. The legal outcome may influence regulation, industry standards, and best practices going forward.

  5. Precedent for “non-medical” health data

Although health data has special protections under regulations like HIPAA (for covered entities), many consumer health apps are outside those rules. This case could influence how courts and regulators view the boundary between protected health data and consumer information.

 

What ECACUSA Members Should Watch & Do

  • Review embedded tools and SDKs: Audit all third-party libraries, analytics, measurement tools, and SDKs in your product stack. Question what data they transmit and whether user consent is explicit.
  • Revisit privacy policies and disclosures: Ensure your privacy terms are clear, transparent, and understandable. Avoid vague or overly broad language that could be misinterpreted.
  • Implement opt-in and granular consent: Wherever possible, allow users to control optional data sharing, especially related to sensitive or personal categories.
  • Document decisions and data flows: Keep internal records explaining why you collect, share, or process certain types of data. Having an audit trail strengthens your defense if challenged.
  • Monitor legal developments and class actions: This case is new and may lead to additional legislation or further litigation. Stay alert for related cases in your niche or region.
  • Engage in industry discussion: Participate in policy forums, standards groups, and trade associations to help define norms for sensitive data practices in CX.

 

The Bottom Line

The Google & Flo privacy case is more than a headline; it is a signal to the digital experience industry that data practices are under increasing legal and social scrutiny. Sensitive personal and health data, analytics tools, and third-party integrations all carry risk.

At ECACUSA, we will continue to monitor developments, provide updates, and help our members navigate this evolving landscape. We don’t just want you to avoid risks; we want you to build experiences that users trust, that abide by the highest standards, and that help shape a more accountable digital future.
