The FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and to use it only to provide the app’s services to users, in fact the health information of over 100 million users was being shared with popular third-party companies, namely third parties that provided marketing and analytics services to the app.
Like many app developers, Flo tracked both standard app events, such as launching or closing the app, and “custom” app events. Custom app events record user interactions unique to those using the Flo app. For example, if a user enters a menstruation date, that interaction is logged as a custom app event. Flo used those custom app events to improve app functionality and identify features that might be of interest to the user. Flo also gave each custom app event a descriptive title, such as “R_PREGNANCY_WEEK_CHOSEN.” These custom app events, with their descriptive titles, thus conveyed information about users’ menstruation, fertility, or pregnancies.
Interestingly, given the current status of the EU-U.S. Privacy Shield program, the FTC also alleged that Flo violated both that program and the Swiss-U.S. Privacy Shield framework, in particular the provisions of the programs that require notice, choice, and protection of personal data transferred to third parties. These allegations are somewhat unique given that, to date, most FTC complaints enforcing the EU-U.S. Privacy Shield have dealt with instances where companies represented that they were participants in the framework when in fact they were not. Two commissioners also issued a joint statement concurring in part and dissenting in part, arguing that Flo also violated the Health Breach Notification Rule and that the FTC should have enforced it. The Health Breach Notification Rule has not been enforced by the FTC to date. This rule, on which the Agency sought public comment last year, imposes breach notification requirements on vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA.