"Flo, through the Flo App, unlawfully shared users’ sensitive health data – including menstrual cycle, ovulation, and pregnancy-related information – with third parties such as Meta, Google, and Flurry for their own commercial us"

If the app sold the data to Meta through extremely automated Meta platforms. Doesn't the bulk of legal liability and social backlash lie on the app instead of on Meta?

Like sure if a company is caught buying stolen goods, maybe they could tighten up due diligence, but the actual thief is the main culprit.