You’re probably aware of the recent major CIPA verdict in Frasco v. Flo Health, Case No. 21-cv-757 (N.D. Cal. Aug. 4, 2025). In this consolidated class action, plaintiffs alleged that Flo Health shared sensitive data with third parties via software development kits (“SDKs”) incorporated into its Flo Period & Ovulation Tracker app (the “Flo App”).
Flo Health settled mid-trial. However, the case proceeded against a social media company whose SDK was embedded into the Flo App.
In a first, the jury found that the social media company was liable for violations of the California Invasion of Privacy Act (“CIPA”). As this is a class action, and CIPA provides for penalties of $5,000 per violation, damages here could reach staggering levels.
Three takeaways related to SDKs stand out.
(1) This is a significant win for the plaintiff bar that is likely to fuel similar litigation.
CIPA is a Cold War era law written for analog times. The plaintiff bar has relied heavily on such laws to bring claims based on modern website tracking technologies. While courts have had mixed responses to these novel theories, Frasco was an important litmus test for juries.
The very questions that the jury had to answer reflect CIPA’s pre-internet origins. The verdict form given to the jury asked it to determine whether the defendant “eavesdropped” or “recorded” the plaintiffs’ “conversation,” and whether the plaintiffs had a reasonable expectation that this “conversation” was not being “overheard” or “recorded.”
This language evokes the image of a spy with their ear to a door, or placing a bug in someone’s telephone. It does not sound like the technical data collection of SDKs at issue in Frasco. And yet the jury found that the SDK’s collection of discrete data points from app users—fields with descriptors like “R_SELECT_CYCLE_LENGTH”—was “eavesdropping” or “recording.”
This result may signal a willingness to import old laws into the present. Or, it could just be a jury wanting to hold “Big Tech” accountable—a major theme of the plaintiffs’ case. Either way, this verdict is sure to fuel further litigation of the CIPA variety.
(2) Recipients of data from SDKs—not just senders—are at risk of CIPA liability.
An essential element of a CIPA claim is “intentionally” eavesdropping or recording.
While the social media company in Frasco developed the SDK, Flo Health configured the data fields and integrated the SDK into its app. The social media company received data, but it did not embed the SDK in the Flo App or decide what data to collect.
So, a key defense at trial was that any eavesdropping was done by the Flo App, not the social media company. All the company did, it argued, was give Flo Health an empty “envelope” to fill with whatever it wanted and mail the envelope back.
The jury did not accept this defense. The jury’s decision here—that there was intent—shows that SDK developers can face significant CIPA liability. It is not only the apps and websites that configure and integrate them into their products that need to be concerned. This could have profound implications, as developers do not always control how a third party configures an SDK or what data it will send when it embeds the SDK in its app.
Looking ahead, the definition of “intentional” that the jury received here might be the key to understanding this issue. The plaintiffs and defendants proposed different definitions, and the court opted to instruct the jury using plaintiffs’ broader definition of intent. An SDK developer’s more passive involvement might not have fallen under a narrower definition.
(3) “Consent” to data collection via terms of use is not a winning defense.
Another defense that the social media company presented was that the plaintiffs had consented to the collection of their data when they agreed to the social media company’s terms of use.
The jury was given a general question: Did the company “have the consent of all parties to the conversation to eavesdrop on and/or record it?” Jury’s answer: No. The jury likely agreed that the terms of use were too long, too esoteric, and too hard to read to count as “consent.”
A recent motion to dismiss victory in Lakes v. Ubisoft, Inc. shows that disclosure and consent can still defeat a CIPA claim as a matter of law. Lakes v. Ubisoft, Inc., – F. Supp. 3d –, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025). If consent goes to a jury as an issue of fact, however, that defense might not fare as well absent detailed and express consent.