Period and fertility-tracking app developer Flo Health has reached an agreement with the United States’ Federal Trade Commission over allegations the company shared users’ health information with outside data analytics providers despite promising it would be kept private.
Requirements of the proposed settlement include Flo Health obtaining an independent review of its privacy practices and getting app users’ consent before sharing their health information.
“Apps that collect, use and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
“We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
In response, Flo said: “Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.”
The California-based company added: “Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission.
“We have a comprehensive privacy framework with a robust set of policies and procedures to safeguard our users’ data which are regularly reviewed both internally and using independent expert auditors.”
The FTC alleged Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry, which provided marketing and analytics services to the app.
Flo also disclosed sensitive health information, such as a user’s pregnancy, to third parties as “app events” and did not limit how third parties could use the health data, according to the FTC.
“Flo did not stop disclosing this sensitive data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users,” the commission said.
The commission will publish a description of the consent agreement in the Federal Register. The settlement will then be subject to public comment for 30 days, after which the commission will decide whether to make the proposed consent order final.
Flo stated: “We will be conducting a compliance review into our policies and procedures as requested as part of the consent agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount.”
The company also said: “We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use.
“That’s why it is our policy to provide security measures designed to protect individual user data and privacy rights. We are transparent about our data practices and adhere strictly to all applicable regulations.”