NJ Legislators Urge FTC to Enforce Health Information Breach Regulations for Period-Tracking Apps

New Jersey lawmakers are calling on the Federal Trade Commission (FTC) to take action to enforce regulations that prevent menstruation-tracking mobile apps from misusing users’ personal health information.

In last week’s letter to acting FTC Chair Rebecca Slaughter, Sen. Bob Menendez (D-N.J.) and Reps. Bonnie Watson Coleman (D-N.J.) and Mikie Sherrill (D-N.J.) said the FTC should use its power to protect user data by enforcing the Health Breach Notification Rule. The rule requires personal health record vendors to notify users if a third party has obtained their data without their consent. It also requires vendors to report large breaches to the FTC and local media if the information of a certain number of users in the same geographical area is compromised.

“The Health Breach Notification Rule has been in force for more than ten years, and during that time, the tech industry has spawned dozens of popular menstruation-trackers and other mobile health apps,” according to the letter. “However, despite several high-profile cases of period-tracking apps disclosing personal health information to third parties without their users’ authorization, the FTC has never taken any enforcement actions related to the Health Breach Notification Rule.”

One of the “high-profile cases” the legislators noted was a finding that menstruation-tracking app Flo was sharing app users’ personal information with third parties despite Flo’s promise that it would keep that personal data private and safe. According to an FTC complaint against Flo, the app shared millions of users’ data with companies such as Google and Facebook without telling the app’s users. Despite the FTC’s complaint and January 2021 settlement with Flo, the lawmakers’ letter argued that the FTC can do more to enforce the Health Breach Notification Rule.

“While the FTC recently filed a complaint against Flo that cites various privacy violations and other deceptive practices, the complaint does not address the possibility that Flo violated the Health Breach Notification Rule,” the letter stated.

The letter noted that Flo has not been the only purported case of improper data sharing among menstruation-tracking apps and urged the FTC to use its authority to “send a clear message” to companies that the FTC will enforce regulations in the case of data misappropriation.

“Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect women and all menstruating people from mobile apps that exploit their personal data,” the lawmakers wrote.