The US Federal Trade Commission (FTC) reached a settlement with Flo Health, the owner of the fertility-tracking app Flo. The FTC alleges Flo shared users’ personal information with third parties despite promises to keep such information private. The proposed settlement would require Flo Health to obtain an independent review of its privacy practices. The company would also need to get users’ explicit consent before disclosing their health information to others.
Personal Information Sold Without Permission
The Flo app tracks ovulation and menstrual cycles. According to its website, Flo has approximately 153 million customers worldwide. Users can log their symptoms to get the most precise AI-based period and ovulation predictions. They can also answer surveys in their personal feed, chat with Flo’s Health Assistant and track their child’s development.
In their complaint, the FTC says that Flo promised to keep users’ health data private and only use it to provide services to their users. “Millions of women […] trust Respondent with intimate details of their reproductive health because Respondent repeatedly promised to protect the information and keep it secret. Indeed, Respondent’s privacy policies stated, time and again, that Respondent would not share users’ health details with anyone.”
However, despite this promise, Flo Health did sell sensitive health information to third parties without users’ permission. Information about pregnancy, for example, was sent to various marketing and analytics companies. These companies included Google’s and Facebook’s analytics divisions, Google’s Fabric service, AppsFlyer and Flurry. This is in direct violation of the EU-US Privacy Shield and other privacy frameworks.
The case was raised in February 2019 by the Wall Street Journal following an analysis of the data-sharing practices of a number of apps. The FTC, which oversees US companies, began investigating Flo Health shortly after. At the time, Facebook was also under scrutiny for the way it treated personal information from users and non-users alike.
No Possibility to Turn Data Sharing Off
In addition, the FTC alleges Flo did not limit how third parties could use users’ health data. “They merely agreed to each company’s standard terms of service. By doing so, Respondent gave these third parties the ability to use Flo App users’ personal health information expansively, including for advertising.”
Moreover, there was no way for users to turn data sharing off. Privacy Shield Principle 2 requires organizations to offer individuals the opportunity to opt out. This means they can choose whether their personal information can be used for a purpose that is different from the purpose for which it was originally collected. “Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice”, the Choice Principle says.
Flo Health did not give users a choice. On the contrary, the app told them that the health information they provided would only be used within the app. Worst of all, Flo Health only stopped sharing data in response to negative press coverage following the article in the Wall Street Journal and to more than 300 complaints from Flo app users.
A Slap on the Wrist
As part of the settlement, Flo Health must obtain an independent review of its privacy practices. It must also get users’ explicit consent before disclosing personal information to any third party. In addition, the FTC has demanded that Flo Health notify users whose data was shared in the past and instruct the third parties to destroy the data they received.
Flo Health neither admits nor denies any of the allegations. The company simply wishes to reach a settlement to avoid the time and expense of litigation. “Flo did not at any time share users’ names, addresses, or birthdays with anyone”, a spokesperson said in a statement that completely ignores the issue. “We do not currently, and will not, share any information about our users’ health with any company unless we get their permission.”
The settlement received unanimous backing from the FTC’s commissioners. Nonetheless, some of them see it as just a slap on the wrist. “The FTC should have charged Flo with violating the Health Breach Notification Rule”, two of the five commissioners said in a joint dissenting statement. Flo is by no means the only health app that leaks or has leaked user data. Unfortunately, so far, very few app developers have faced serious consequences for making misleading claims and not taking users’ privacy seriously.