FTC Finalizes Settlement with Flo Health Regarding Exchanged Data

The Federal Trade Commission (FTC) finalized a settlement proposed earlier this year in response to allegations that Flo Health, Inc. had conspired with companies such as Google and Facebook to exchange its users’ personal health information for their own benefit. The FTC claimed that Flo Health shared the private health information of its users with outside data analytics providers after guaranteeing to its users that the information would be kept confidential. 

Part of Flo Health’s privacy and security agreement was that any and all health data provided to them would only be used for the explicit purposes of the app. FTC Bureau of Consumer Protection Director Andrew Smith explained the importance of confidentiality by stating, “apps that collect, use and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps.” This statement is especially significant where personal health privacy is concerned, because it underscores the greater need for privacy promises to be kept.

After the parties reached a settlement, the Federal Trade Commission ruled that Flo Health must receive explicit consent and permission from its users to share any personal health information. In addition, Flo Health is required to have an independent review conducted of its privacy and security protocols and to immediately notify users after any apparent disclosure of information, and any company that mistakenly obtained the information is ordered to destroy the data.

Further, Flo Health is now barred from misrepresenting why it discloses user data to certain companies, how much consumers can control data uses, the ways in which it complies with security programs, and the manner in which it handles user data.

The settlement was finalized by a vote of 4-0-1, with Federal Trade Commission Chair Lina Khan not participating. The commission addressed public response by explaining that it is currently reviewing the Health Breach Notification Rule and the ways in which it applies to mobile apps and other “direct-to-consumer” technologies, especially in light of sensitive and intimate health information.