Period and fertility-tracking-app maker Flo Health has settled with the Federal Trade Commission regarding a complaint alleging improper disclosure of sensitive user data to third-party marketing and analytics services from Facebook, Google and others, the agency announced today.
The FTC’s complaint listed several ways in which Flo deceived its users. These included messaging from the company that it would not share «information regarding … marked cycles, pregnancy, symptoms [and] notes» to any third parties or other health data to certain types of third parties.
The app-maker also allegedly violated the E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, each of which includes consumer protections for personal data transfer to third parties.
Flo – which is said to be used by over 100 million consumers in the U.S. and abroad – continued these practices until they were detailed in a 2019 Wall Street Journal report, according to the FTC. That reporting «prompted hundreds of complaints from the app’s users,» the agency wrote.
The company went on to say that the settlement “is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.
“Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission,» the company wrote.
The FTC’s commissioners unanimously voted in favor of the action and consent agreement. Still, two commissioners – Rohit Chopra and Rebecca Kelly Slaughter – issued a joint statement arguing in favor of additional enforcement.
WHAT’S THE IMPACT?
As part of a proposed settlement (soon to be published in the Federal Register for public comment), Flo must notify the «millions» of users who were affected by its improper disclosures while instructing third parties to destroy any of the data they received.
Further, the app must not misrepresent how it’s handling and collecting personal information, or how much control users have over the process. To accomplish this, the company is required to arrange for an independent review of its privacy practices and appropriately obtain users’ consent before sharing any health information. The proposed settlement does not outline monetary fines.
Chopra and Slaughter wrote in their joint statement that informing consumers about a company’s false privacy practices helps them decide whether they should switch to another service or recommend it to others. It also «accords consumers the dignity of knowing what happened,» they wrote.
The agency also seems to be aware of the impact damaged consumer trust can have on personal health apps, and said in the notice that its eye is on the rest of the industry as well.
“Apps that collect, use and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in a statement. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
THE LARGER TREND
Within the burgeoning femtech industry, women’s health apps focused on period and fertility-tracking are among the products with the greatest consumer adoption. However, a 2020 independent report reviewing free fertility apps and other low-barrier smartphone software suggests that the majority will share data with third parties without adequately informing the user.
What’s more, the intersection of women’s health and advertising has had its fair share of dustups, ranging from European regulatory investigations into Natural Cycles’ misleading advertising claims to Facebook’s rejection of women’s sexual health ads.
The FTC has previously taken steps to temper the Wild West of consumer health apps. Standouts over the years include the agency’s action against exercise-incentive app Pact, eyesight-improvement app Carrot Neurotechnology and melanoma risk-detection apps MelApp and Mole Detective.
ON THE RECORD
“We are glad to have reached an agreement with the FTC and resolved the matter,» Flo wrote in its statement. «We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount.”