Popular period-tracking app Flo reached a settlement with the FTC over allegations that it shared users’ data without their consent. Photo credit: Flo
Fertility app Flo reached a settlement with the Federal Trade Commission over allegations that it misled users about how their health data was disclosed. The company allegedly shared sensitive health information, such as whether a user had gotten pregnant, to third parties without limiting how they could use this health data.
The data-sharing allegations surfaced two years ago, after the Wall Street Journal reported that the health app shared with Facebook when users indicated they were on their period or trying to get pregnant. Flo has since dropped Facebook for its ad tracking and data analytics.
According to the FTC’s complaint, the startup coded app events to track how users interacted with the app, with words like “Pregnancy.” This information was reportedly shared with third-party apps including Google, Facebook, marketing firm AppsFlyer and analytics firm Flurry between 2016 and 2019. In its privacy policies, the company told users that it would not share their health data.
The FTC also alleged that Flo violated the EU-U.S. Privacy Shield, which requires notice, choice and protection of personal data transferred to third parties.
As part of the settlement, Flo must get an independent review of its privacy practices, seek deletion of the data it improperly shared with third parties, and get users’ consent before sharing their health information. The startup must also notify its users of the settlement.
The FTC voted 5-0 to approved the settlement, though Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented in part, saying the FTC should have also charged Flo with violating the Health Breach Notification rule under HIPAA.
“The Health Breach Notification Rule was first issued more than a decade ago, but the explosion in connected health apps make its requirements more important than ever. While we would prefer to see substantive limits on firms’ ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches,” they wrote in a joint statement.
For its part, Flo said it did not share users’ names, addresses or birthdays at any time, and would not share any information about users’ health without their permission.
“Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us,” the company stated. “We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount.”
The FTC’s announcement of the settlement also hinted at broader scrutiny of health apps. In a notice to consumers, the agency shared information how to reduce privacy risks in using these apps, and instructions for notifying the FTC if they thought their personal information was shared without their permission.
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a news release. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
