FTC's Focus on Health Apps: Popular Women's Fertility-Tracking App Settles FTC Privacy Complaint
On January 13, 2021, the Federal Trade Commission (FTC) announced it had reached a consent agreement with Flo Health, Inc. (Flo), the developer of the Flo Period & Ovulation Tracker mobile application, settling allegations that Flo illegally shared consumer data with third parties. Users of the Flo app—relying on the company's assurances that their health data would be kept private—uploaded "intimate details of their reproductive health" to the app. Yet, according to the seven-count complaint, instead of keeping the health information of many of its more than 100 million users private, Flo shared the data with third parties, including Google and Facebook, for purposes unrelated to the app's function, such as advertising. Flo allegedly stopped this data transfer only after the Wall Street Journal exposed the practice in 2019.
This settlement is notable for two reasons: the FTC has signaled its interest in reviewing the practices of apps that collect, use, and share health information, and it is requiring Flo, one of the most popular health and fitness apps available to consumers, to conduct an outside review of its privacy compliance.
The Flo App tracks a user's menstruation cycle and predicts ovulation based on data that users input related to their menstruations and gynecological health. Since launching in 2015, it has been downloaded by more than 100 million users, including more than 35 million users in the United States, the European Union, and Switzerland. In 2019, it was the most downloaded health and fitness app in the Apple App store.
The FTC brought its complaint against Flo under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices." In this case—as in many privacy cases brought by the FTC—Flo's allegedly deceptive act or practice arose from its failure to abide by its stated privacy policies and privacy representations. Between 2017 and 2019, Flo represented to its users that it would keep their health data private and only use such data to provide the Flo app's services. Flo's privacy policies represented that information shared with third parties "exclud[ed] information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share." Flo also stated that third parties could not use the Flo app users' personal information "for any other purpose except to provide services in connection with the App."
According to the complaint, however, Flo's data practices made it possible for third parties to both view and use the app users' health data. The app's programming included software development kits (SDKs) from third-party marketing and analytics firms that tracked the actions and inputs of users for analytical and marketing purposes. SDKs allow developers like Flo to create "Custom App Events" that track and report on user actions that are unique to a particular app. Here, Flo created Custom App Events that conveyed to third parties both the unique advertising or device identifiers for Flo app users and those users' behavioral data, which contained health information. Specifically, Flo created Custom App Events with descriptive titles that reflected users' health information, such as the number of weeks users reported being pregnant and users' requests to receive menstruation reminders. That information was then made available to third parties. Furthermore, Flo did not limit what these third-party companies could do with the users' information. Instead, Flo agreed to each company's standard terms of service, which permitted the third parties' broad use of the Flo App users' personal health information.
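The mechanism described above, a descriptive custom-event name carrying health information to a third-party analytics SDK, is one a developer can catch before release. The following is an added example (not Flo's code or any analytics vendor's API) of two defensive checks: a lint that flags event names or property keys containing health terms, and an allowlist gate that only forwards approved events and approved property keys to the SDK. The event names, the health-term list, and the allowlist are constructed for illustration.

```python
import re

# Constructed sample events in the style the complaint describes: event names
# whose titles themselves reveal health information. Illustrative only.
SAMPLE_EVENTS = [
    {"name": "R_PREGNANCY_WEEK_CHOSEN", "props": {"week": 12, "device_id": "ad-1234"}},
    {"name": "P_MENSTRUATION_REMINDER_ON", "props": {"device_id": "ad-1234"}},
    {"name": "APP_OPENED", "props": {"device_id": "ad-1234", "locale": "en_US"}},
    {"name": "SCREEN_VIEWED", "props": {"screen": "calendar", "symptom": "cramps"}},
]

# Hypothetical health vocabulary; a real product would maintain its own list.
HEALTH_TERMS = re.compile(r"pregnan|menstruat|ovulat|cycle|symptom|period|fertil", re.I)

# Allowlist of event names and, per event, the property keys that may leave the
# app. Anything not listed (including device identifiers) is dropped.
ALLOWED_EVENTS = {"APP_OPENED": {"locale"}, "SCREEN_VIEWED": {"screen"}}


def flag_health_events(events):
    """Lint: return names of events whose name or property keys carry health terms."""
    flagged = []
    for ev in events:
        fields = [ev["name"], *ev["props"].keys()]
        if any(HEALTH_TERMS.search(f) for f in fields):
            flagged.append(ev["name"])
    return flagged


def gate_event(event):
    """Return a sanitized copy of an allowlisted event, or None if it is blocked."""
    allowed_keys = ALLOWED_EVENTS.get(event["name"])
    if allowed_keys is None:
        return None  # not approved for third-party transmission
    props = {k: v for k, v in event["props"].items() if k in allowed_keys}
    return {"name": event["name"], "props": props}


def forward_all(events):
    """Apply the gate to a batch; only the surviving events would go to the SDK."""
    return [g for g in (gate_event(ev) for ev in events) if g is not None]


if __name__ == "__main__":
    print("flagged by lint:", flag_health_events(SAMPLE_EVENTS))
    print("forwarded after gate:", forward_all(SAMPLE_EVENTS))
```

The lint belongs in code review or CI so that a newly added event name is caught before it ships; the gate is the runtime backstop that enforces the allowlist regardless of what the SDK's own terms permit.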
The FTC also alleged that Flo's actions violated the EU-US Privacy Shield and the Swiss-US Privacy Shield frameworks. In its privacy policies effective from August 6, 2018 through the present, Flo represented that it participates in both frameworks. By the FTC's estimation, however, Flo's practices did not comply with at least four of the frameworks' privacy principles. Specifically, Flo did not (1) provide notice in clear and conspicuous language about the purposes for which it disclosed health information to third parties; (2) provide users an opportunity to opt out of third-party data use; (3) obligate third parties to provide the same level of privacy protection as Flo's policies; and (4) possess user data for purposes limited to the reason for which it has been collected. Notably, while the Court of Justice of the European Union invalidated the EU-US Privacy Shield last July, the Flo complaint demonstrates that the FTC still "expect[s] companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework."
Finally, as part of the proposed settlement, Flo must notify affected users about the disclosure of their personal data; instruct third parties to delete previously received health data; obtain an independent review of its privacy practices; and obtain users' express consent prior to disclosing any health data to a third party. While some of these changes may not be difficult for Flo to implement, the third-party review of its privacy program could lead to costly, and conservative, privacy program changes and implementation costs.
The FTC made clear that it will be "looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly." Companies that provide consumer-facing health apps should heed this warning to ensure their privacy (and data security) house is in order and flexible enough to account for the ever-evolving legal landscape. While it seems basic, the most critical aspect of a privacy program is knowing your data: what it is, who gives it to you and why, who gets it and why, where it is stored, and how you protect it. As Flo's case shows, companies cannot make statements to consumers that they are able to honor if they do not have all of the data and facts.
Once you know your data, understand what your privacy and data security obligations are and assess requirements. Craft your data strategy, use, disclosure, and practices around those laws. Then, be transparent, and do what you say you are going to do. And, finally, give someone the responsibility to make sure that this is an ongoing process—knowing your data, revising your program, and being transparent is a constant process. The FTC has issued its warning, and so while all companies should be undertaking these (and other) steps, health apps should move with alacrity.
For questions about these steps or others that your company can take to protect consumer personal data and comply with applicable privacy and data security laws, please reach out to the authors or any of their colleagues in Arnold & Porter's Privacy, Cybersecurity, and Data Strategy practice group.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.