FTC Settles With Premom App Developer for Privacy and Security Violations
In its second use of the Health Breach Notification Rule (HBNR), the FTC recently settled an action with Easy Healthcare Corporation (Easy Healthcare), the developer of the Premom Ovulation Tracker mobile application, alleging the app engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act and failed to comply with the HBNR. Coming just months after the FTC’s settlements with the prescription drug platform GoodRx and the online mental health counseling service BetterHelp, the settlement with Easy Healthcare underscores the agency’s vigorous enforcement posture with respect to perceived abuses of privacy involving personal health data.
The Premom app assists individuals in tracking their fertility cycle, using a combination of data such as dates of menstrual cycles, pregnancy and fertility status, whether and when pregnancies started and ended, hormone levels, pregnancy-related symptoms, as well as app users’ location, mobile device data, and wi-fi network data. According to the FTC, between 2017 and 2020, Premom’s privacy policies/notices assured users that, to the extent the app shared the information it collected, that information was non-identifiable, and that Easy Healthcare used the data only for its own analytics and/or advertising. However, Easy Healthcare allegedly disclosed hundreds of thousands of Premom users’ identifiable health data to third parties in direct violation of these representations. Specifically, as claimed by the FTC, beginning in 2018, Easy Healthcare shared Premom users’ identifiable health (and non-health) information with U.S.-based analytics providers, a marketing/adtech company, and two foreign analytics companies via software development kits (SDKs) embedded in the Premom app’s code.
Not only did Easy Healthcare allegedly deceive Premom users regarding its data sharing practices, thereby violating Section 5 of the FTC Act, the company also allegedly violated the HBNR by failing to notify users about the unauthorized disclosures of personal health data. Under the HBNR, a vendor of personal health records must notify its users and the FTC of any unauthorized acquisition of unsecured health information, which, as the FTC made clear in its action against GoodRx, includes mobile applications’ sharing of such information without notice and consent.
The FTC has proposed a settlement with Easy Healthcare under which the company would pay a $100,000 civil monetary penalty, permanently refrain from sharing Premom users’ personal health data with third parties for advertising, and obtain consent before sharing health data for any other purpose. The settlement also would prohibit Easy Healthcare from making misrepresentations about its privacy practices and require the company to ask the third parties with whom it previously shared Premom users’ personal information to delete that data. As is typical of FTC settlements in privacy and security cases, Easy Healthcare would be required to implement comprehensive security and privacy safeguards to protect consumer data and to circulate a consumer notice explaining the FTC’s allegations and the settlement.
Easy Healthcare also agreed to separately pay a $100,000 fine to the attorneys general of D.C., Connecticut, and Oregon, who coordinated with the FTC in investigating the matter. Under the terms of that settlement, which parallel the FTC settlement, Easy Healthcare is obligated to implement and maintain a comprehensive privacy program, as well as a process for selecting service providers and third parties capable of safeguarding personal data. That settlement also prohibits Easy Healthcare from sharing Premom users’ personal health data and location information with third parties without consent.
The Easy Healthcare case confirms that the FTC’s use of the HBNR in GoodRx was not an anomaly. Mobile app developers are on notice that the FTC will intensely scrutinize their privacy policies or notices and other representations, as well as their security and data-sharing practices, for potential violations of both the HBNR and FTC Act Section 5.
The authors of this blog post and their colleagues in the Arnold & Porter Privacy, Cybersecurity & Data Strategy practice group are available to provide counsel on the FTC’s actions in this area, enforcement brought by the FTC and other regulators, and more broadly on privacy and security compliance.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.