The FTC has reached a settlement with Flo, a period and fertility tracking app with 100 million+ users, over allegations it shared users' health data with third-party app analytics and marketing services like Facebook despite promising to keep users' sensitive health data private.
Flo must obtain an independent review of its privacy practices and obtain app users’ consent before sharing their health information under the terms of the proposed settlement.
The action follows a 2019 reports in the Wall Street Journal that conducted an analysis of a number of apps' data sharing activity.
It found the fertility tracking app had informed Facebook of in-app activity -- such as when a user was having their period or had informed it of an intention to get pregnant. It did not find any way for Flo users to prevent their health information from being sent to Facebook.
In the announcement of a proposed settlement today, the FTC said press coverage of Flo sharing users data with third-party app analytics and marketing firms including Facebook and Google had led to hundreds of complaints.
The app only stopped leaking users' health data following the negative press coverage, it added.
Under the FTC settlement terms, Flo is prohibited from misrepresenting the purposes for which it (or entities to whom it discloses data) collect, maintain, use or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security or compliance program; and how it collects, maintains, uses, discloses, deletes or protects users’ personal information.
Flo must also notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.
The app maker has been contacted for comment. Update: A Flo spokesperson said:
“We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use. That’s why it is our policy to provide security measures designed to protect individual user data and privacy rights. We are transparent about our data practices and adhere strictly to all applicable regulations.
“Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.
“Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission.
“We have a comprehensive privacy framework with a robust set of policies and procedures to safeguard our users’ data which are regularly reviewed both internally and using independent expert auditors.
“We are glad to have reached an agreement with the FTC and resolved the matter. We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount”.
No financial penalty is being levied but the FTC's proposed settlement is noteworthy as it's the first time the U.S. regulator has ordered notice of a privacy action.
“Apps that collect, use and share sensitive health information can provide valuable services but consumers need to be able to trust these apps. We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly," said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, in a statement.
While the settlement received unanimous backing from five commissioners, two -- Rohit Chopra and Rebecca Kelly Slaughter -- have issued a joint dissent statement in which they highlight the lack of a finding of a breach of a health breach notification rule that they argue should have applied in this case.
Congress directed the FTC to protect our sensitive health data through this rule, to complement HIPAA, but the agency has never brought an action under this rule. This should change.
— Rohit Chopra (@chopraftc) January 13, 2021
"In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule. Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google and others without their authorization. Flo did not do so, making the company liable under the rule," they write.
"The Health Breach Notification Rule was first issued more than a decade ago, but the explosion in connected health apps make its requirements more important than ever. While we would prefer to see substantive limits on firms’ ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches. Over time, this may induce firms to take greater care in collecting and monetizing our most sensitive information," they add.
Flo is by no means the only period tracking app to have attracted attention for leaking user data in recent years.
A report last year by the Norwegian Consumer Council found fertility/period tracker apps Clue and MyDays unexpectedly sharing data with adtech giants Facebook and Google, for example.
That report also found similarly nontransparent data leaking going on across a range of apps, including dating, religious, make-up and kids apps -- suggesting widespread breaches of regional data processing laws, which require that for consent to be valid users must be properly informed and given a genuine free choice. Although app makers have so far faced little enforcement for analytics/marketing-related data leaking in the region.
In the U.S. regulatory action around apps hinges on misleading claims -- whether about privacy (in Flo's case) or in relation to the purposes of data processing, as in a separate settlement the FTC put out earlier this week related to cloud storage app Ever.