California Attorney General Xavier Becerra (“AG”) announced in September a settlement against Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information.” In the complaint, the AG alleged violations of certain state consumer protection and privacy laws, stemming from privacy and security “failures” in Glow’s mobile application (the “Glow App”). The settlement, which remains subject to court approval, requires Glow to comply with relevant consumer protection and privacy laws (including California’s medical privacy law), mandates “a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women,” and imposes a $250,000 civil penalty.
According to the AG’s announcement, the “settlement is a wake up call not just for Glow, Inc., but for every app maker that handles sensitive private data.” Below is a discussion of the complaint and settlement, as well as takeaways from the case.
As described in the complaint, the Glow App is “marketed as an ovulation and fertility tracker” and “collects and stores deeply sensitive personal and medical information related to a user’s menstruation, sexual activity, and fertility.” The types of information collected include medications, fertility test results, medical appointments, medical records, and ovulation-cycle calculations, as well as “intimate details of  sexual experiences and efforts to become pregnant.” One feature of the Glow App is its “Partner Connection” offering, which “allows a Glow App user to link to a partner to share information.”
As alleged, Glow violated multiple laws, including California’s Confidentiality of Medical Information Act (“CMIA”). The CMIA regulates, in relevant part, “providers of health care,” that collect and use “medical information,” defined as “individually identifiable information . . . in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” According to the complaint, Glow is a “provider of health care” under CMIA because it “offer[s] software to consumers that is designed to maintain medical information for the purposes of allowing users to manage their information or for the diagnosis, treatment, or management of a medical condition” (citing Cal. Civ. Code 56.06(b)). The complaint also alleges that Glow’s privacy and security practices violated California’s Unfair Competition Law (“UCL”) and False Advertising Law (“FAL”).
The specific activities alleged to have triggered these violations of law from 2013 to 2016 include the following:
- The Partner Connect feature “automatically granted” linking requests and “immediately shared” certain “sensitive information” without obtaining authorization from the Glow user.
- The Partner Connect feature failed to verify the legitimacy of the person with whom the information was being shared.
- The Glow App’s password change functionality asked for “old passwords” without authenticating such passwords on the back-end.
The AG’s settlement with Glow (1) requires Glow to comply with relevant consumer protection and privacy laws, (2) obligates Glow to consider how “privacy or security lapses may uniquely impact women,” and (3) imposes a $250,000 civil penalty. The settlement remains subject to court approval. The requirements of the settlement are discussed in turn.
First, the settlement requires Glow to comply with consumer protection and privacy laws, including the CMIA. To do so, Glow must implement an information security program “to protect the security, integrity, availability, and confidentiality” of “personal information,” “medical information,” and “sensitive personal information” that Glow “collects, stores, processes, uses, transmits, and maintains.” “Personal information” has the meaning it is given under California’s Data Security Law (Cal. Civ. Code. 1798.81.5), and “medical information” has the meaning it is given under CMIA with the clarification that such information may be “enter[ed] or upload[ed] . . . into a mobile application or online service” by a consumer. “Sensitive information” refers to information that is not “medical information” or “personal information” but is individually identifiable information that describes a consumer’s “sexual activity, sexual health, and reproductive health.”
Under the settlement, Glow’s information security program is required to protect the specified categories of information by taking measures such as: (i) preventing unauthorized access, (ii) preventing unauthorized disclosure, (iii) imposing a two-step authentication process for password changes, (iv) providing annual employee training on the information security practices, (v) implementing procedures for vulnerability patching, (vi) incorporating privacy-by-design principles and security-by-design principles when creating new Glow App features, and (vii) establishing a point of contact at Glow to address security issues.
Second, the settlement requires Glow, for two years after implementing its information security program, to complete annual privacy and security risk assessments addressing Glow’s efforts to comply with applicable privacy and security laws. The reports must be submitted to the AG’s office.
Notably, the settlement requires the privacy assessment to “(i) consider online risks that women face, or could face, including gender-based risks, as a result of privacy or security lapses while using GLOW mobile applications or online services; (ii) consider the impact of any such risks, and (iii) document GLOW’s efforts to mitigate any such risks.” As noted, the AG’s announcement of the settlement refers to this requirement as a “first-event injunctive term” that requires a company to consider the unique impact of privacy and security lapses on women.
Third, the settlement imposes a civil penalty of $250,000.
The settlement highlights the sensitivity of health data, even if that data is not protected under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Notably, the AG’s announcement asserts, “[w]hen you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet.”
The Glow complaint alleges that Glow is a “provider of health care” for the purposes of CMIA because it “offer[s] software to consumers that is designed to maintain medical information for the purposes of allowing its users to manage their information or for the diagnosis, treatment, or management of a medical condition. Specifically, the Glow app is designed for the user to store, email, and print information relating to their reproductive health such as ovulation and menstrual cycles, and/or for the diagnosis, treatment, or management of users seeking to become pregnant or treat infertility.”
The settlement also states that health information may be “medical information” for the purposes of the CMIA “irrespective of how the information is transmitted,” and thus may include information that is “manually enter[ed] or upload[ed] . . . into a mobile application or online service.”
This settlement follows other recent health and medical privacy developments in California. In early September, the California legislatures passed AB 173 creating a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (discussed here). Although the legislature also passed SB 980, the Genetic Information Privacy Act (“GIPA”) (discussed here), Governor Gavin Newsom recently vetoed the bill. GIPA would have imposed certain privacy and security obligations on direct-to-consumer genetic testing companies, and the Governor veto of the bill cited potential implications on research related to COVID-19. Another recent development is the AG’s announcement of a $8.69 million settlement against Anthem Inc., resolving allegations that the health insurer violated state law and HIPAA.