Fertility-Tracking App Flo Settles With FTC Over Misrepresentation of Data Sharing Practices; Warning for All Health Apps

A recent FTC settlement with the popular Flo Fertility Tracking app came with a warning from the agency to other health apps that engage in questionable data sharing practices.

Downloaded by over 100 million people, Flo tracks various stages of the reproductive cycle from menstruation to pregnancy and menopause. Flo Health Inc. ran afoul of the Federal Trade Commission (FTC) by promising to not share this user data with any other parties, but making it available to a variety of third-party analytics services (such as those run by Facebook and Google).

Health apps on notice as Flo is ordered to overhaul data sharing practices

Given the range of features it offers, the company’s ideal Flo user would appear to be a teenager who takes the app up when coming of age and continues to use it all the way through to menopause. The app encourages women to log a wide variety of personal health information along with several items of personally identifiable information: full names, email addresses, date of birth and physical address.

Users of the app were reassured by the regularly-updated privacy policy that Flo data would not be shared with any third parties. Flo has been available since 2016; the FTC complaint notes that the only indication of data sharing was a period from August 2017 to February 2019 in which the privacy policy was updated to say that personal data might be shared only for “purposes of operating and servicing the Flo App,” but also reassured users that sensitive health information was not among what was being shared.

Between May 2018 and February 2019, the health app’s privacy policy was updated to refer to several specific data sharing partners. In addition to the data analytics programs of Facebook and Google, it named the mobile marketing platforms AppsFlyer, Flurry and Fabric. It stressed that only “non-personally identifiable information” and data not related to health were being shared with these various analytics platforms.

However, the FTC found that the user events the app was tracking and sharing with these partners contained sensitive health information that users logged, such as menstruation and pregnancy dates. The FTC also found some of this data sharing was going on outside of the period in which the privacy policy mentioned any possibility of it; Facebook, Flurry and Fabric had been receiving data from the app’s launch in mid-2016.

News coverage of the issue in February of 2019 led to a flood of complaints by users, and Flo was ultimately hit with seven charges of misrepresentation of data sharing. The company would not be fined under the proposed settlement, but would be required to cease misrepresenting its use of personal information and to overhaul its data sharing practices to ensure that health information is not shared with any third parties. It would also be required to notify app users about any prior disclosure of health information and to follow up with the analytics partners to ensure that shared information of that nature is destroyed. The proposed settlement is currently in a required 30-day public comment period and will then return to the FTC’s commissioners for a final vote.

Health data sharing under increased scrutiny?

The Flo case is the first time a US regulator has ordered notice of a privacy action. The fact that it was approved 5-0 by the Commission, along with some statements from ranking members of the FTC, would indicate that the health apps market should carefully review its data sharing practices to avoid being the next target.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said of health apps: “Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps … We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.” Commissioners Rohit Chopra and Rebecca Kelly Slaughter also issued the following joint statement: “This proposed settlement is a change for the FTC, which has never before ordered notice of a privacy action … While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo’s conduct violated the Health Breach Notification Rule, yet the Commission’s proposed complaint fails to include this allegation.” The agency also issued a health apps guidance infographic for consumers along with the decision.

The Health Breach Notification Rule, passed in 2009, applies to all entities that handle electronic health records. It requires notification of both the FTC and consumers in the event of any breach that involves these records, and if more than 500 records are involved the entity must notify the media as well. Fitness tracking and health apps exist in something of a legal grey area as regards this regulation. In general, if the app publisher is not subject to HIPAA (which usually only applies to patient care facilities) then regulators have also typically not seen it as subject to this FTC rule. These apps do deal in quite a bit of health information that would normally be covered by HIPAA records requirements, but the key distinction seems to be that the end user is seen as being responsible for whatever information they choose to input into the app.