A recent FTC settlement with the popular Flo Fertility Tracking app came with a warning from the agency to other health apps that engage in questionable data sharing practices.
Downloaded by over 100 million people, Flo tracks various stages of the reproductive cycle, from menstruation to pregnancy and menopause. Flo Health Inc. ran afoul of the Federal Trade Commission (FTC) by promising not to share this user data with any other parties while making it available to a variety of third-party analytics services (such as those run by Facebook and Google).
Health apps on notice as Flo is ordered to overhaul data sharing practices
Given the range of features it offers, the company’s ideal Flo user would appear to be a teenager who starts using the app when coming of age and continues to use it all the way through to menopause. The app encourages women to log a wide variety of personal health information along with several items of personally identifiable information: full name, email address, date of birth and physical address.
News coverage of the issue in February of 2019 led to a flood of complaints by users, and Flo was ultimately hit with seven charges of misrepresentation of data sharing. The company would not be fined under the proposed settlement, but would be required to cease misrepresenting its use of personal information and to overhaul its data sharing practices to ensure that health information is not shared with any third parties. It would also be required to notify app users about any prior disclosure of health information and to follow up with the analytics partners to ensure that shared information of that nature is destroyed. The proposed settlement is currently in a required 30-day public comment period and will then return to the FTC’s commissioners for a final vote.
Health data sharing under increased scrutiny?
The Flo case is the first time a US regulator has ordered notice of a privacy action. The fact that it was approved 5-0 by the Commission, along with some statements from ranking members of the FTC, would indicate that the health apps market should carefully review its data sharing practices to avoid being the next target.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said of health apps: “Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps … We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.” Commissioners Rohit Chopra and Rebecca Kelly Slaughter also issued the following joint statement: “This proposed settlement is a change for the FTC, which has never before ordered notice of a privacy action … While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo’s conduct violated the Health Breach Notification Rule, yet the Commission’s proposed complaint fails to include this allegation.” The agency also issued a health apps guidance infographic for consumers along with the decision.
The Health Breach Notification Rule, passed in 2009, applies to all entities that handle electronic health records. It requires notification of both the FTC and consumers in the event of any breach that involves these records, and if more than 500 records are involved the entity must notify the media as well. Fitness tracking and health apps exist in something of a legal grey area with regard to this regulation. In general, if the app publisher is not subject to HIPAA (which usually applies only to patient care facilities), regulators have also typically not treated it as subject to this FTC rule. These apps do handle quite a bit of health information that would normally be covered by HIPAA records requirements, but the key distinction seems to be that the end user is seen as responsible for whatever information they choose to enter into the app.