Flo Health pitched its Flo Period & Ovulation Tracker as a way for millions of women to “take full control of [their] health.” But according to the FTC, despite express privacy claims, the company took control of users’ sensitive fertility data and shared it with third parties – a broken promise that left consumers feeling “outraged,” “victimized,” and “violated.” Read on for details, including a notable feature in the proposed settlement.
Available from popular app stores, Flo Health’s app allowed users to “Log your menstruation days in a handy period calendar, ovulation and fertility tracker, schedule menstrual cycle reminders, record moods and PMS symptoms, use a due date calculator, follow a pregnancy calendar. . . . ” The FTC says users were willing to trust Flo Health with such intimate details because the company claimed to protect their information and keep it secret – a representation repeated in multiple places and in multiple ways in the company’s Privacy Policy. For example, Flo Health said third parties couldn’t use consumers’ personal information “for any other purpose except to provide services in connection with the App” and represented it wouldn’t share with third parties “information regarding your marked cycles, pregnancy, [or] symptoms . . .” Elsewhere in its Privacy Policy, Flo Health mentioned Facebook, Google, and other marketing and analytics firms, but claimed those third parties would receive only non-personally identifiable information.
That’s what Flo Health said, but according to the complaint, the company’s practices were at odds with its promises. As far back as June 2016, the app included tools – software development kits (SDKs) – from numerous third-party marketing and analytics firms, including Facebook, Flurry, Fabric, AppsFlyer, and Google, that gathered app users’ sensitive health information. Specifically, those SDKs gathered what are called App Events – records of users’ interactions with different features of the app. Typically, these App Events contain only innocuous data, like when an app was opened or closed. Flo, however, used them to convey users’ health information to third parties. For example, if an app user entered pregnancy-related information, Flo Health disclosed App Events with the word “pregnancy” in the title to the analytics divisions of those third parties. According to the complaint, Flo Health’s disclosures of sensitive information about users’ pregnancies or periods broke its privacy assurances to consumers and violated several of the third parties’ own terms of service – terms Flo Health had agreed to.
A February 2019 story in the Wall Street Journal highlighted how Flo Health’s practices injured consumers. According to the news report, the Journal was able to intercept unencrypted identifying health information transmitted by the Flo App to Facebook. That information included a unique advertising identifier, the fact that the consumer in question was trying to get pregnant, and when she was having her period.
The first three counts of the complaint challenge the ways in which Flo Health falsely claimed it wouldn’t disclose consumers’ health information; falsely claimed to disclose only non-personally identifiable information to Facebook, Google, and Fabric; and falsely claimed that third parties couldn’t use consumers’ personal health information “for any other purpose except to provide services in connection with the App.” Counts IV through VII allege that Flo Health misrepresented its adherence to the EU-U.S. and U.S.-Swiss Privacy Shield Framework Principles, which (among other things) require notice, consent, and protection of personal data transferred to third parties.
The proposed settlement prohibits Flo Health from making false or deceptive statements about the purposes for which it collects, uses, or discloses covered information; the extent to which consumers can control how the company collects, uses, or discloses that information; and how Flo Health complies with any privacy, security, or compliance program. The order also includes prohibitions against any misrepresentation about how the company collects, uses, or discloses covered information, and the extent to which it protects the confidentiality of that data. In addition, Flo Health must ask third parties to delete health information obtained from users of the app.
Under the settlement, before disclosing any consumer’s health information to a third party, Flo Health must get that person’s express affirmative consent, including clearly telling the person the categories of information to be disclosed, to whom it will be disclosed, and how it will be used. The proposed order also includes a new provision requiring Flo Health to undergo a Compliance Review conducted by a qualified outside entity to verify the company is honoring its privacy promises to consumers. This provision sends a clear message that the FTC takes misrepresentations about a company’s compliance with any privacy principles or program very seriously.
The order also requires Flo Health to contact people who used the app, notifying them that it shared information about their periods and pregnancies with third parties, in violation of its privacy promises. The company must clearly post the same notice on its website.
Once the proposed settlement appears in the Federal Register, the FTC will accept public comments for 30 days.
What compliance tips can other companies glean from this case?
When it comes to health information, wear kid gloves. Health-related apps can offer benefits to consumers, but only if companies clearly disclose how consumers’ personal information will be used and scrupulously substantiate the privacy claims they convey to consumers.
Your privacy representations must line up with how your app operates behind the scenes – and must stay in line over time. In many instances, companies create apps designed from the get-go to share information with third parties and then add features that build on that baseline sharing. The use of SDKs and analysis of App Events are some of the ways that can happen. The problem arises when your privacy claims are at odds with information sharing technologies already built into your products – or when your privacy claims don’t keep pace with changes to your data practices.
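One way to keep App Events in line with a privacy policy is to gate every event before it reaches a third-party SDK and forward it only when the user has expressly consented to that category of data going to that recipient. The sketch below is an added example, not code from the FTC, Flo Health or any SDK vendor; the category patterns, event names and destination label are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed category patterns (assumption); a real app would derive
# these from its own data inventory and privacy policy.
SENSITIVE = {
    "reproductive_health": re.compile(
        r"pregnan|ovulat|period|menstru|fertil|cycle|pms", re.I),
}

@dataclass
class Consent:
    # (category, destination) pairs the user has expressly agreed to
    grants: set = field(default_factory=set)

    def allows(self, category, destination):
        return (category, destination) in self.grants

def classify(event_name, params):
    """Sensitive categories revealed by an event's name, parameter keys or values."""
    text = " ".join([event_name, *map(str, params), *map(str, params.values())])
    return {cat for cat, rx in SENSITIVE.items() if rx.search(text)}

def gate(event_name, params, destination, consent):
    """Decide whether an App Event may be handed to a third-party SDK.
    Returns (forward, blocked_categories)."""
    blocked = {c for c in classify(event_name, params)
               if not consent.allows(c, destination)}
    return (not blocked, blocked)

def audit(events, destination, consent):
    """Run the gate over a batch (e.g. a debug event log) and list violations."""
    return [(name, sorted(b)) for name, p in events
            for ok, b in [gate(name, p, destination, consent)] if not ok]

# Constructed sample events, not taken from any real app.
SAMPLE = [
    ("app_open", {"session": 1}),
    ("pregnancy_week_selected", {"week": 12}),
    ("settings_changed", {"goal": "track_period"}),
]

if __name__ == "__main__":
    # "analytics_sdk_a" is a hypothetical destination label.
    for name, cats in audit(SAMPLE, "analytics_sdk_a", Consent()):
        print(f"BLOCK {name}: {cats}")
```

Running the same audit in CI over the app's full event catalogue catches the case where a newly added feature starts emitting a health-revealing event name after the privacy policy was written.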
Consider third parties’ terms of service. Privacy claims aren’t made in a vacuum. Companies also must consider provisions in contracts with third parties that touch on how data is shared. For example, Facebook’s Business Tools terms stated, “You will not share Customer Data with us that you know or reasonably should know . . . includes health, financial information, or other categories of sensitive information (including any information defined as sensitive under applicable law).” Despite that provision, Flo Health shared health data that consumers input into the app. Furthermore, Flo Health told consumers it restricted how third parties could use personal data and yet agreed to third parties’ standard terms of service, including provisions that allowed the third party to use the information “for its own business purposes. . . .” It might be tempting to gloss over what seem like “click through” agreements. But the wiser course of business is to harmonize your privacy promises with any and all agreements about consumer data you’ve made with other companies.
Live up to the standards you agree to when you choose to participate in a privacy program. The complaint in this case specifically alleges that Flo misrepresented its participation in the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks. But the message is clear to companies that misrepresent compliance with any privacy program: Misleading claims about participation or adherence may violate the FTC Act’s prohibition on deception.
The primary point for app developers: Honor your privacy promises and exercise particular care when it comes to highly sensitive personal health information. Period.