Fertility app Flo reached a settlement with the Federal Trade Commission over allegations that it misled users about how their health data was disclosed. The company allegedly shared sensitive health information, such as whether a user had gotten pregnant, with third parties without limiting how they could use this health data.
The data-sharing allegations surfaced two years ago, after the Wall Street Journal reported that the health app shared with Facebook when users indicated they were on their period or trying to get pregnant. Flo has since dropped Facebook for its ad tracking and data analytics.
According to the FTC’s complaint, the startup coded app events to track how users interacted with the app, with words like “Pregnancy.” This information was reportedly shared with third-party apps including Google, Facebook, advertising firm AppsFlyer and analytics firm Flurry between 2016 and 2019. In its privacy policies, the company told users that it would not share their health data.
The FTC also alleged that Flo violated the EU-U.S. Privacy Shield, which requires notice, choice and protection of personal data transferred to third parties.
As part of the settlement, Flo must get an independent review of its privacy practices, seek deletion of the data it improperly shared with third parties, and get users’ consent before sharing their health information. The startup must also notify its users of the settlement.
The FTC voted 5-0 to approve the settlement, though Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented in part, saying the FTC should have also charged Flo with violating the Health Breach Notification Rule under HIPAA.
“The Health Breach Notification Rule was first issued more than a decade ago, but the explosion in connected health apps make its requirements more important than ever. While we would like to see substantive limits on corporations’ ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches,” they wrote in a joint statement.
For its part, Flo said it did not share users’ names, addresses or birthdays at any time, and would not share any information about users’ health without their permission.
“Our settlement with the FTC isn’t an admission of any wrongdoing. Rather, it’s a settlement to avoid the time and expense of litigation and allows us to decisively put this matter behind us,” the company stated. “We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We’re committed to ensuring that the privacy of our users’ personal health data is completely paramount.”
The FTC’s announcement of the settlement also hinted at broader scrutiny of health apps. In a notice to consumers, the agency shared information on how to reduce privacy risks in using these apps, and instructions for notifying the FTC if they thought their personal information was shared without their permission.
“Apps that collect, use, and share sensitive health information can provide useful services, but consumers need to be able to trust these apps,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a news release. “We’re looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”