Flo gets FTC slap for sharing user data when it promised privacy
The FTC has reached a settlement with Flo, a period- and fertility tracking app with 100M+ users, over allegations it shared users’ health data with third party app analytics and marketing services like Facebook despite promising to keep users’ sensitive health data private.
Flo must obtain an independent review of its privacy practices and obtain app users’ consent before sharing their health information, under the terms of the proposed settlement.
The action follows a 2019 reports in the Wall Street Journal which conducted an analysis of a number of apps’ data sharing activity.
It found the fertility tracking app had informed Facebook of in-app activity — such as when a user was having their period or had informed it of an intention to get pregnant despite. It did not find any way for Flo users to prevent their health information from being sent to Facebook.
In the announcement of a proposed settlement today, the FTC said press coverage of Flo sharing users data with third party app analytics and marketing firms including Facebook and Google had led to hundreds of complaints.
The app only stopped leaking users’ health data following the negative press coverage, it added.
Under the FTC settlement terms, Flo is prohibited from misrepresenting the purposes for which it (or entities to whom it discloses data) collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.
Flo must also notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.
The app maker has been contacted for comment.
No financial penalty is being levied but the FTC’s proposed settlement is noteworthy as it’s the first time the US regulator has ordered notice of a privacy action.
“Apps that collect, use, and share sensitive health information can provide valuable services but consumers need to be able to trust these apps. We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, in a statement.
While the settlement received unanimous backing from five commissioners, two — Rohit Chopra and Rebecca Kelly Slaughter — have issued a joint dissent statement in which they highlight the lack of a finding of a breach of a US’ health breach notification rule which they argue should have applied in this case.
.@RKSlaughterFTC and I also believe that Flo violated the @FTC Health Breach Notification Rule. Congress directed the FTC to protect our sensitive health data through this rule, to complement HIPAA, but the agency has never brought an action under this rule. This should change. — Rohit Chopra (@chopraftc) January 13, 2021
“In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule. Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google, and others without their authorization. Flo did not do so, making the company liable under the rule,” they write.
“The Health Breach Notification Rule was first issued more than a decade ago, but the explosion in connected health apps make its requirements more important than ever. While we would prefer to see substantive limits on firms’ ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches. Over time, this may induce firms to take greater care in collecting and monetizing our most sensitive information,” they add.
Flo is by no means the only period tracking app to have attracted attention for leaking user data in recent years.
A report last year by the Norwegian Consumer Council found fertility/period tracker apps Clue and MyDays unexpectedly sharing data with adtech giants Facebook and Google, for example.
That report also found similarly non-transparent data leaking going on across a range of apps, including dating, religious, make-up and kids apps — suggesting widespread breaches of regional data processing laws which require that for consent to be valid users must be properly informed and given a genuine free choice. Although app makers have so far faced little enforcement for analytics/marketing-related data leaking in the region.
In the US regulatory action around apps hinges on misleading claims — whether about privacy (in Flo’s case) or in relation to the purposes of data processing, as in a separate settlement the FTC put out earlier this week related to cloud storage app Ever.