Fertility app Flo reached a settlement with the Federal Commerce Fee over allegations that it misled customers about how their well being knowledge was disclosed. The corporate allegedly shared delicate well being info, resembling whether or not a person had gotten pregnant, to 3rd events with out limiting how they may use this well being knowledge.
The info-sharing allegations surfaced two years in the past, after the Wall Street Journal reported that the well being app shared with Fb when customers indicated they have been on their interval or attempting to get pregnant. Flo has since dropped Fb for its advert monitoring and knowledge analytics.
According to the FTC’s complaint, the startup coded app occasions to trace how customers interacted with the app, with phrases like “Being pregnant.” This info was reportedly shared with third-party apps together with Google, Fb, advertising agency AppsFlyer and analytics agency Flurry between 2016 and 2019. In its privateness insurance policies, the corporate instructed customers that it could not share their well being knowledge.
The FTC additionally alleged that Flo violated the EU-U.S. Privateness Defend, which requires discover, selection and safety of private knowledge transferred to 3rd events.
As part of the settlement, Flo should get an unbiased evaluation of its privateness practices, search deletion of the info it improperly shared with third events, and get customers’ consent earlier than sharing their well being info. The startup should additionally notify its customers of the settlement.
The FTC voted 5-Zero to authorized the settlement, although Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented partly, saying the FTC ought to have additionally charged Flo with violating the Well being Breach Notification rule underneath HIPAA.
“The Well being Breach Notification Rule was first issued greater than a decade in the past, however the explosion in related well being apps make its necessities extra essential than ever. Whereas we would favor to see substantive limits on companies’ means to gather and monetize our private info, the rule at the least ensures that companies like Flo want to return clear once they expertise privateness or safety breaches,” they wrote in a joint statement.
For its half, Flo stated it didn’t share customers’ names, addresses or birthdays at any time, and wouldn’t share any details about customers’ well being with out their permission.
“Our settlement with the FTC shouldn’t be an admission of any wrongdoing. Reasonably, it’s a settlement to keep away from the time and expense of litigation and allows us to decisively put this matter behind us,” the corporate said. “We will likely be conducting a compliance evaluation into our insurance policies and procedures as requested as a part of the Consent Settlement and offering the FTC with common updates. We’re dedicated to making sure that the privateness of our customers’ private well being knowledge is totally paramount.”
The FTC’s announcement of the settlement additionally hinted at broader scrutiny of well being apps. In a discover to shoppers, the company shared info cut back privateness dangers in utilizing these apps, and directions for notifying the FTC in the event that they thought their private info was shared with out their permission.
“Apps that gather, use, and share delicate well being info can present useful companies, however shoppers want to have the ability to belief these apps,” Andrew Smith, director of the FTC’s Bureau of Shopper Safety, stated in a information launch. “We’re trying intently at whether or not builders of well being apps are retaining their guarantees and dealing with delicate well being info responsibly.”