The FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and only use it to provide the app’s services to users, in fact, health information of over 100 million users was being shared with popular third-party companies, namely those that provided marketing and analytics services to the app.

Like many app developers, Flo tracked both standard app events, such as launching or closing the app, and “custom” app events. Custom app events record user interactions unique to those using the Flo app. For example, if a user enters a menstruation date, that interaction is logged as a custom app event. Flo used those custom app events to improve app functionality and identify features that might be of interest to the user. Flo also gave each custom app event a descriptive title, such as “R_PREGNANCY_WEEK_CHOSEN.” These custom app events, with that descriptive title, thus conveyed information about users’ menstruation, fertility, or pregnancies.

In its app, Flo integrated various third-party tools (software development kits, or SDKs) that gathered advertising or other unique device identifiers. When doing this, the SDKs also gathered the custom app events revealing certain health information about users. The FTC alleged that this was sharing health information with third parties and directly contradicted statements in Flo’s privacy policy claiming to never share health data (e.g., “We may share certain non-identifiable information about you and some Personal Data (but never any data related to health).”). In addition, Flo did not limit what these companies could do with the users’ information, agreeing to each company’s standard terms of service. Besides allegedly violating its privacy policy, the FTC also pointed out that this kind of sharing violated several of the third parties’ own terms of service/use, which prohibited the sharing of health or sensitive information.

Interestingly, given the current status of the EU-U.S. Privacy Shield program, the FTC also alleged that Flo violated both that program and the Swiss-U.S. Privacy Shield framework, in particular the provisions of the programs that require notice, choice, and protection of personal data transferred to third parties. These allegations are somewhat unique given that, to date, most FTC complaints enforcing the EU-U.S. Privacy Shield have dealt with instances where companies were representing that they were participants in the framework when in fact they were not. Two commissioners also issued a joint statement concurring in part and dissenting in part, arguing that Flo also violated the Health Breach Notification Rule and that the FTC should have enforced it. The Health Breach Notification Rule has not been enforced by the FTC to date. This rule, on which the Agency sought public comment last year, imposes breach notification requirements on vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA.

While no financial penalty was imposed, as part of the settlement Flo agreed to a number of terms that will invariably have some financial impact. Among other requirements, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data. In addition, separate from disclosures in any privacy policy or terms of use, before sharing any health information with a third party in the future, Flo must disclose the categories of health information that will be shared, the identities of the third parties, the purpose of such disclosure and how the information will be used, and obtain the users’ affirmative express consent.

Putting it into Practice. Apps collecting sensitive or health information should be aware that descriptive custom app event titles could inadvertently convey information not intended to be shared with third parties. This information could be viewed as sharing of personal information, and thus the FTC (and others) will expect it to be correctly described in the company’s privacy policy and elsewhere that representations about data use and sharing are made. Companies that have not done so already will want to think through app event titles and the information that gets shared as part of SDK integrations, and align that with their privacy disclosures. This case is also a reminder that companies in the health and wellness space have privacy and security obligations even if they fall outside the scope of HIPAA.
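To make the mechanism concrete, the following is an added example, not code from the original post or from Flo: a small analytics gateway that sits between an app’s event-logging calls and the third-party SDKs it integrates. It illustrates both the problem described above (a descriptive custom event title such as “R_PREGNANCY_WEEK_CHOSEN” travels, together with the device identifier, to every vendor the event is forwarded to) and the kind of review the practice note recommends: a hardened gateway classifies event titles, keeps health-related events in a first-party store unless an explicit consent flag is set, and forwards vendors an opaque code plus an allowlisted property set instead of the title. The second event title, the vendor names, the device identifier, the health-term list, and all property values are constructed for this example; only the naming pattern comes from the post.

```python
"""Added example, not code from the original post or from Flo: an event
gateway that models forwarding custom app events to third-party SDKs.
All event titles other than R_PREGNANCY_WEEK_CHOSEN, vendor names, device
identifiers and property values are constructed for the example."""
import re

# Constructed sample of custom events, modelled on the descriptive titles
# the post describes. Every event carries the advertising/device id.
SAMPLE_EVENTS = [
    ("APP_LAUNCHED", {"device_id": "adid-1234"}),
    ("R_PREGNANCY_WEEK_CHOSEN", {"device_id": "adid-1234", "week": 12}),
    ("R_PERIOD_DATE_ENTERED", {"device_id": "adid-1234", "date": "2021-01-05"}),
    ("SETTINGS_OPENED", {"device_id": "adid-1234"}),
]

# Constructed term list: a title matching it is treated as health information.
HEALTH_TERMS = re.compile(r"PREGNAN|PERIOD|MENSTRU|FERTIL|OVULAT", re.I)

# Property keys a vendor SDK may receive; everything else is dropped.
VENDOR_PROPERTY_ALLOWLIST = {"device_id"}


def classify(event_name: str) -> str:
    """Coarse sensitivity label for an event title."""
    return "health" if HEALTH_TERMS.search(event_name) else "standard"


def leaked_health_events(vendor_log):
    """Detection check: scan what a vendor actually received for health
    titles. The same scan can be run over an exported analytics log."""
    return sorted({name for name, _ in vendor_log if classify(name) == "health"})


class NaiveGateway:
    """Forwards every event, descriptive title included, to every vendor."""

    def __init__(self, vendors):
        self.sinks = {v: [] for v in vendors}

    def log(self, name, props):
        for sink in self.sinks.values():
            sink.append((name, dict(props)))
        return "forwarded"


class HardenedGateway:
    """Keeps health events first-party and sends vendors opaque codes."""

    def __init__(self, vendors):
        self.sinks = {v: [] for v in vendors}   # what each vendor receives
        self.first_party = []                   # full events, kept in-house
        self.audit = []                         # events withheld from vendors
        self._codes = {}                        # title -> opaque code (in-house)

    def opaque_code(self, name):
        """Stable, non-descriptive code; the mapping never leaves first party."""
        return self._codes.setdefault(name, f"evt_{len(self._codes) + 1:04d}")

    def log(self, name, props, health_sharing_consent=False):
        self.first_party.append((name, dict(props)))
        if classify(name) == "health" and not health_sharing_consent:
            self.audit.append(("withheld", name))
            return "withheld"
        forwarded = {k: v for k, v in props.items() if k in VENDOR_PROPERTY_ALLOWLIST}
        for sink in self.sinks.values():
            sink.append((self.opaque_code(name), forwarded))
        return "forwarded"


def run(gateway, events=SAMPLE_EVENTS):
    """Replay the sample events through a gateway and return it."""
    for name, props in events:
        gateway.log(name, props)
    return gateway


if __name__ == "__main__":
    naive = run(NaiveGateway(["analytics-vendor", "ads-vendor"]))
    print("naive gateway leaked:", leaked_health_events(naive.sinks["ads-vendor"]))
    hard = run(HardenedGateway(["analytics-vendor", "ads-vendor"]))
    print("hardened gateway leaked:", leaked_health_events(hard.sinks["ads-vendor"]))
    print("hardened vendor view:", hard.sinks["ads-vendor"])
    print("withheld events:", hard.audit)
```

Two design points are worth noting. Even when the consent flag is set, the hardened gateway still sends the opaque code and only allowlisted properties, so a vendor never sees the descriptive title or the health-specific values; the consent flag controls whether the event is forwarded at all, matching the settlement’s requirement for affirmative express consent before any health information is shared. And `leaked_health_events` is the audit step the practice note calls for: run it over what each SDK integration actually receives, not over the privacy policy, to confirm the two agree.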