On Wednesday, the Federal Trade Commission (FTC) announced that it has reached a proposed settlement with Flo Health, Inc., the “developer of a period and fertility-tracking app used by more than 100 million consumers,” over claims that the company shared user health information with third-party data analytics providers despite promising that this information would remain private.
In the complaint, the FTC alleged that Flo promised users that it would keep their health data, which includes menstrual cycle tracking and a PMS symptom log, as well as ovulation, fertility, and pregnancy information, private because it would only use this information to provide the app’s services to users. However, the FTC averred that Flo disclosed millions of users’ health data from its Flo Period & Ovulation Tracker app to third parties “that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry.” Specifically, the FTC proffered that Flo disclosed users’ sensitive health information and data, such as the fact that a user was pregnant, to third parties “in the form of ‘app events,’ which is app data transferred to third parties for various reasons,” which revealed information about users’ menstruation, fertility, or pregnancies. Furthermore, Flo purportedly did not limit third parties’ use of this health data. The FTC noted that Flo did not stop this practice until its conduct was revealed in a Wall Street Journal article from February 2019. The alleged conduct occurred between June 1, 2016 and Feb. 23, 2019. Additionally, the FTC claimed that Flo violated the EU – U.S. Privacy Shield and the Swiss – U.S. Privacy Shield frameworks, which, for example, “require notice, choice, and protection of personal data transferred to third parties.” The Commission accused Flo of making various misrepresentations.
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
In the proposed settlement, Flo is required to have an independent review of its data privacy practices and to obtain user consent before sharing their health data. Additionally, Flo is barred from misrepresenting the purpose of data collection, maintenance, usage, or disclosure, both for itself and for the entities to which it discloses data; the level of consumers’ control over their data; and how it “collects, maintains, uses, discloses, deletes, or protects users’ personal information.” Flo is required to notify affected users about the disclosure of their personal information and to instruct any third parties that received this data to destroy it. Among other things, Flo is also obligated to certify its compliance with the settlement and to provide covered incident reports and other reports to the FTC.
Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint statement concurring and dissenting in part. The Commissioners stated, “This proposed settlement is a change for the FTC, which has never before ordered notice of a privacy action. We commend the agency’s staff for securing this relief and for addressing Flo’s concerning practices. While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo’s conduct violated the Health Breach Notification Rule, yet the Commission’s proposed complaint fails to include this allegation. The rule helps ensure that consumers are informed when their data is misused, and firms like Flo should not be ignoring it.”
Subsequently, the agency issued consumer guidance for health apps, including tips on how to select and use these types of apps to minimize privacy concerns.
The FTC voted 5-0 to accept the complaint and proposed settlement. The agreement will be published in the Federal Register and it will be subject to public comment for 30 days after it is published.