Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations that It Misled Consumers About the Disclosure of their Health Data
The developer of a period and fertility-tracking app used by more than 100 million consumers has settled Federal Trade Commission allegations that the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.
The proposed settlement requires Flo Health, Inc. to, among other things, obtain an independent review of its privacy practices and get app users’ consent before sharing their health information.
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
In its complaint, the FTC alleges that Flo promised to keep users’ health data private and only use it to provide the app’s services to users. In fact, according to the complaint, Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry.
According to the complaint, Flo disclosed sensitive health information, such as the fact of a user’s pregnancy, to third parties in the form of “app events,” which are app data transferred to third parties for various reasons. In addition, Flo did not limit how third parties could use this health data.
Flo did not stop disclosing this sensitive data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users.
The FTC also alleges that Flo violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which, among other things, require notice, choice, and protection of personal data transferred to third parties.
As part of the proposed settlement, Flo is prohibited from misrepresenting the purposes for which it or entities to whom it discloses data collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information. In addition, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.