The Federal Trade Commission (“FTC”) announced this month a proposed settlement against Flo Health, Inc. (“Flo”), the developer of a popular menstrual cycle and fertility-tracking application (the “Flo App”), resolving allegations that “the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.”  The proposed settlement requires Flo, among other things, to obtain review by an “independent third-party professional” of its privacy practices, obtain users’ consent before sharing their health information, alert users whose data was disclosed, and require third parties that previously received that data to destroy it.

This settlement marks the first instance in which the FTC has required a company to provide users with a notice of the privacy action brought by the FTC.  Specifically, in its proposed settlement, the FTC requires Flo to “clearly and conspicuously” share with users a pre-written notice that explains what information Flo disclosed to third parties and describes the settlement with the FTC.  According to the FTC’s announcement, the agency is “looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”  Below is a discussion of the complaint and settlement, as well as takeaways from the case.

The Complaint

As described in the complaint, the Flo App “functions as an ovulation calendar, period tracker, and pregnancy guide.”  The Flo App collects personal information from its users, including “name, email address, date of birth, place of residence, dates of menstrual cycles, when pregnancies started and ended, menstrual and pregnancy-related symptoms, weight, and temperature.”  According to the complaint, Flo “repeatedly promised to protect [users’] information and keep it secret” in its privacy policies.  The complaint further alleged that Flo disclosed health information to various third parties in a manner not in accordance with its policies.  This health information included, without limitation, unique advertising identifiers, users’ intentions to become pregnant, and when users were menstruating.  These allegations follow a 2019 report that analyzed the data sharing activity of a number of apps.  Upon publication of the report, Flo App users complained to Flo about its privacy practices.

The FTC complaint alleged that Flo violated Section 5 of the FTC Act because its privacy practices amounted to “unfair or deceptive acts or practice, in or affecting commerce.”  The complaint also alleged that Flo violated the EU-U.S. Privacy Shield and the U.S.-Swiss Privacy Shield, which require notice, choice, and protection of personal data transferred to third parties.

The specific activities amounting to “unfair or deceptive acts or practices” alleged in the complaint include the following:

  • Flo represented to users that the Flo App would not disclose, without consumers’ consent, their health information to third parties, but did in fact disclose such information to third parties without consent.
  • Flo represented to users that it would disclose only non-personally identifiable information “like device identifiers” to third parties, but in fact also shared users’ identifiable health information.
  • Flo represented to users that third parties could not use users’ personal information “for any other purpose except to provide services in connection with” the Flo App, but in fact set no limitations on how third parties could use such information. At least one third party used the Flo App users’ information for its own research and development purposes.
  • Flo certified to users that it adheres to the principles of the Privacy Shield frameworks, but in fact did not. Specifically, Flo did not adhere to the principles of notice (i.e., Flo did not properly inform users to whom their information was disclosed and why), choice (i.e., Flo did not offer individuals the opportunity to choose whether their personal information could be used for purposes other than the ones originally stated), accountability for onward transfers (i.e., Flo did not ensure that third parties only process user data for limited and specified purposes), and data integrity (i.e., Flo did not process personal information in a way that was compatible with the purposes for which it had been collected).

The Proposed Settlement

The FTC’s settlement with Flo requires, among other things, that the company obtain an independent review of its privacy practices and get Flo App users’ consent before sharing their health information.  The specifics of key provisions of the settlement are discussed in turn.

First, Flo must not misrepresent the purposes for which it or relevant third parties collect, maintain, use, or disclose users’ data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.

Second, Flo must instruct any third party with which it has shared health information to destroy such information.

Third, Flo must “clearly and conspicuously” share with its Flo App users the “Notice” attached to the settlement, which informs consumers that Flo shared users’ health information with third parties and reached a settlement with the FTC.  The Notice must be posted on Flo’s website and emailed to Flo App users.

Fourth, Flo must “clearly and conspicuously” disclose to the consumer the categories of health information that will be disclosed to third parties, the identities of such third parties, and all purposes for Flo’s disclosure of such information.  This disclosure must be separate from any privacy policy or terms of use page.  Flo must obtain the consumer’s express consent in response to this disclosure.

Fifth, Flo must obtain an independent review of its privacy practices within 180 days of the settlement’s finalization.  This review must (1) determine whether Flo adhered to the terms of the settlement, (2) determine whether Flo’s privacy practices are consistent with its privacy policy, (3) determine whether Flo adequately informs Flo App users about how they may pursue complaints, (4) identify any gaps or weaknesses in Flo’s privacy practices, and (5) identify the specific evidence the review relied upon for its conclusion.  The report must be submitted to the FTC upon completion.  Flo must also submit a separate compliance report to the FTC 60 days after the settlement’s finalization describing how it is complying with the terms of the settlement, and annually thereafter for five years.

The FTC published a description of the proposed settlement agreement in the Federal Register; the proposed settlement will be subject to public comment through March 1.  After the comment period closes, the FTC will decide whether to finalize the proposed consent order.

Key Takeaways

Consumer health apps, in particular menstrual and ovulation trackers, are under growing scrutiny by federal and state regulators.  In September 2020, California Attorney General Xavier Becerra, who is now President-elect Joe Biden’s pick for Secretary of the Department of Health and Human Services, announced a $250,000 settlement with Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information” and violated multiple laws, including California’s Confidentiality of Medical Information Act (“CMIA”).  The FTC’s settlement with Flo further highlights the sensitivity of health data, even if that data is not protected under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While traditional health privacy frameworks, such as HIPAA, do not typically apply to digital health apps, the FTC’s Section 5 authority offers a path to regulation.  Other states may pursue enforcement against digital health apps using their own consumer protection laws.

The FTC voted 5-0 in favor of the Flo settlement, but the two Democratic commissioners—Rohit Chopra (recently tapped by President Joe Biden to direct the Consumer Financial Protection Bureau) and Rebecca Kelly Slaughter (now Acting FTC Chair)—partially dissented.  The two signaled their disappointment that the Commission did not go further in protecting consumers’ privacy, and argued that Flo’s conduct violated the federal Health Breach Notification Rule.  This rule requires vendors of personal health records, which may include certain mobile health apps, to notify users and the FTC if there has been an unauthorized disclosure.  “Although the FTC has advised mobile health apps to examine their obligations under the rule,” the dissenters wrote, “the FTC has never brought an action to enforce it.”  The dissenters also called on Congress to provide more authority in the privacy space.  Commissioner Noah Joshua Phillips issued a separate statement, disagreeing with the dissenters’ view on the Health Breach Notification Rule.  He argued that requiring companies to issue notice every time an unauthorized disclosure occurs, particularly when there is no remedial action for consumers to take, “runs the risk of undermining consumer trust and needlessly overwhelming consumers.”

This settlement marks the first time the FTC has ordered a company to issue a specific notice to consumers about a privacy action brought against it.  The FTC typically requires consumer notice in cases where consumers’ health or safety is at risk, where consumers would not be able to discover or determine the illegal behavior on their own, or where consumers have a financial or legal interest that needs to be protected.  Here, the Flo action, including the requirement to issue the Notice specifically referencing the FTC’s privacy action against it, is another signal that regulators are increasingly focused on safeguarding the sensitive information that digital health apps collect and use.