The developer of a period and fertility-tracking app used by more than 100 million consumers has settled Federal Trade Commission allegations that the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.
The proposed settlement requires Flo Health, Inc. to, among other things, obtain an independent review of its privacy practices and get app users’ consent before sharing their health information.
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
In its complaint, the FTC alleges that Flo promised to keep users’ health data private and only use it to provide the app’s services to users. In fact, according to the complaint, Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry.
According to the complaint, Flo disclosed sensitive health information, such as the fact of a user’s pregnancy, to third parties in the form of “app events,” which is app data transferred to third parties for various reasons. In addition, Flo did not limit how third parties could use this health data.
Flo did not stop disclosing this sensitive data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users.
The FTC also alleges that Flo violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which, among other things, require notice, choice, and protection of personal data transferred to third parties.
As part of the proposed settlement, Flo is prohibited from misrepresenting the purposes for which it or entities to whom it discloses data collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information. In addition, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.
The FTC also issued guidance to consumers about health apps, with tips for consumers on how to select and use these types of apps while reducing privacy risks.
The Commission voted 5-0 to accept the proposed administrative complaint and the consent agreement with the company. Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint statement concurring in part and dissenting in part, while Commissioner Noah Joshua Phillips issued a separate statement.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,792.