Fertility Tracking App Flo Settles with FTC for Misrepresentation of Data Sharing Practices; Warning for all health apps

A recent FTC settlement with the popular fertility tracking app Flo came with a warning from the agency to other health apps engaging in questionable data-sharing practices.

Downloaded by more than 100 million people, Flo tracks the stages of the reproductive cycle from menstruation through pregnancy to menopause. Flo Health Inc. ran afoul of the Federal Trade Commission (FTC) by promising users that this data would not be shared with other parties while making it available to a variety of third-party analytics services (including those run by Facebook and Google).

Health apps put on notice as Flo is ordered to review its data-sharing practices

Given the range of features it offers, the company's ideal Flo user would appear to be someone who starts using the app as a teenager and continues to use it until menopause. The app encourages women to record a wide variety of personal health information along with several items of personally identifiable information: full name, email address, date of birth, and physical address.

App users were reassured by the regularly updated privacy policy that their Flo data would not be shared with third parties. Flo has been available since 2016. The FTC complaint notes that the only indication of data sharing came during the period from August 2017 to February 2019, when the privacy policy was updated to say that personal data could be shared only for "operational and maintenance purposes" of the Flo app, while still assuring users that sensitive health information was not among what was being shared.

Between May 2018 and February 2019, the health app's privacy policy was updated to reference several specific data-sharing partners. In addition to the data analytics programs from Facebook and Google, it named the mobile marketing and analytics platforms AppsFlyer, Flurry, and Fabric. It stressed that only "non-personally identifiable information" and non-health-related data were shared with these platforms.

However, the FTC found that the user events the app tracked and shared with these partners contained sensitive health information that users had recorded, such as menstruation and pregnancy dates. The FTC also found that some of this data sharing took place outside the period in which the privacy policy mentioned any such possibility: Facebook, Flurry, and Fabric had been receiving data since the app's launch in mid-2016.
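The failure mode the complaint describes is an analytics integration that forwards the app's own event stream, health observations included, to third-party SDKs. The page does not say how Flo instrumented its events or what it changed afterwards; the following is an added example, not Flo's code or anything from the FTC complaint, showing the two controls a practitioner would want: an allowlist applied to events at egress, and an audit over captured outbound traffic (for instance from an intercepting proxy) that flags health fields or identifiers. The event names, property names and the `CAPTURED_EVENTS` sample are all constructed for illustration.

```python
"""Allowlist-based scrubbing of analytics events, plus an audit of captured traffic.

Added example; not code from Flo or from the FTC complaint. All event and
field names below are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# --- Egress policy (allowlist): only these properties may leave the app. ---
ALLOWED_FIELDS = frozenset({"app_version", "platform", "screen", "session_length_s"})

# Event names whose mere occurrence reveals a health fact. Such events are
# suppressed outright: emptying the payload would still leak the fact.
SENSITIVE_EVENT_PREFIXES = ("period_", "pregnancy_", "ovulation_", "symptom_")

# --- Audit policy (denylist): keys that must never show up on the wire. ---
# The audit is a denylist because it looks for known-bad items in traffic;
# the egress filter is an allowlist because unknown fields must not leak.
SENSITIVE_FIELDS = frozenset(
    {"email", "dob", "full_name", "address", "cycle_day", "flow", "result"}
)


@dataclass(frozen=True)
class ScrubResult:
    forwarded: dict | None            # event handed to the SDK, or None if suppressed
    dropped: frozenset = frozenset()  # property keys that were removed or suppressed


def scrub_event(event: dict) -> ScrubResult:
    """Return the event in the form that may be sent to a third-party analytics SDK."""
    name = event.get("name", "")
    props = dict(event.get("props", {}))
    if name.startswith(SENSITIVE_EVENT_PREFIXES):
        return ScrubResult(None, frozenset(props))
    kept = {k: v for k, v in props.items() if k in ALLOWED_FIELDS}
    return ScrubResult({"name": name, "props": kept}, frozenset(props) - frozenset(kept))


def forward_events(events: list[dict]) -> list[dict]:
    """What the SDK receives after scrubbing; suppressed events are omitted entirely."""
    return [r.forwarded for r in map(scrub_event, events) if r.forwarded is not None]


def audit_captured(sent: list[dict]) -> list[tuple[str, str]]:
    """Scan events captured on the wire for health data or identifiers.

    Returns (event_name, offending item) pairs; an empty list means clean.
    """
    findings: list[tuple[str, str]] = []
    for ev in sent:
        name = ev.get("name", "")
        if name.startswith(SENSITIVE_EVENT_PREFIXES):
            findings.append((name, "event name"))
        for key in ev.get("props", {}):
            if key in SENSITIVE_FIELDS:
                findings.append((name, key))
    return findings


# Constructed sample of outbound events (not real Flo traffic): an unscrubbed
# integration would hand every one of these to the analytics partner.
CAPTURED_EVENTS = [
    {"name": "app_open", "props": {"app_version": "4.1.0", "platform": "ios"}},
    {"name": "period_logged", "props": {"cycle_day": 3, "flow": "heavy", "app_version": "4.1.0"}},
    {"name": "profile_saved", "props": {"email": "a@example.com", "dob": "1990-05-01", "screen": "settings"}},
    {"name": "pregnancy_test", "props": {"result": "positive"}},
]

if __name__ == "__main__":
    print("Leaks in unscrubbed traffic:", audit_captured(CAPTURED_EVENTS))
    clean = forward_events(CAPTURED_EVENTS)
    print("Forwarded after scrubbing:", clean)
    print("Leaks after scrubbing:", audit_captured(clean))
```

Running the audit over traffic captured from a release build, rather than over the app's own call sites, is the check that matters here: it catches events emitted by a bundled SDK that the app's developers never wrote a line of code for.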

News coverage of the subject in February 2019 sparked a barrage of user complaints, and Flo was ultimately hit with seven counts of misrepresenting its data sharing. The company would not be fined under the proposed settlement, but would be required to stop misrepresenting its use of personal information and to review its data-sharing practices to ensure that health information is not shared with third parties. Flo would also have to notify app users of any prior disclosures of their health information and follow up with its analytics partners to ensure that any such shared information is destroyed. The proposed settlement is currently in a required 30-day public comment period and will then go back to the FTC commissioners for a final vote.

Sharing health data under increased scrutiny?

The Flo case is the first time the FTC has ordered a company to notify users as part of a privacy action. The fact that the Commission voted 5-0 to issue the proposed settlement, along with statements from senior FTC officials, indicates that the health app market should carefully review its data-sharing practices to avoid being the next target.

Andrew Smith, director of the FTC's Bureau of Consumer Protection, said of health apps: "Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps. We are closely scrutinizing whether health app developers keep their promises and handle sensitive health information responsibly." Commissioners Rohit Chopra and Rebecca Kelly Slaughter also issued a joint statement: "This proposed settlement is a change for the FTC, which has never before mandated notice of a privacy action ... While we are pleased to see this change, we are disappointed that the Commission is not using all its tools to hold accountable those who abuse and misuse personal data. We believe that Flo's conduct violated the Health Breach Notification Rule, yet the Commission's proposed complaint does not include this allegation." The agency also released a consumer health app guidance infographic along with the decision.


The Health Breach Notification Rule, issued in 2009, applies to vendors of personal health records and related entities that are not covered by HIPAA. It requires notification of both the FTC and affected consumers in the event of a breach involving these records, and if more than 500 people are affected, the entity must also notify the media. Health and fitness tracking apps exist in a kind of legal gray area with respect to this regulation. In general, if the publisher of the app is not subject to HIPAA (which applies to covered entities such as health care providers and insurers and their business associates, not to consumer apps), regulators have so far not treated it as subject to the FTC rule either. These apps handle a great deal of health information that would normally be covered by HIPAA's record-keeping requirements, but the key distinction appears to be that the end user, rather than a provider, chooses what information to enter into the app and is held responsible for it.
