Photo credit: sharafmaksumov – stock.adobe.com.
The Federal Trade Commission (“FTC”) has settled charges with Flo Health, Inc. that the company misrepresented how it shared data from its popular fertility app. The app, Flo Period & Ovulation Tracker, allowed women from around the world to track their menstrual cycles, follow a pregnancy calendar, and note their menstrual- and pregnancy-related symptoms. Flo Health claimed in its privacy policy that it would not share information about period cycles, pregnancy, or symptoms with third parties, and that third parties would only use other personal information to provide the app’s services. The privacy policy also stated that marketing and analytics firms, including Google and Facebook, would only receive non-personally identifiable information. The FTC’s complaint alleged that Flo Health broke all of these promises over a four-year span, deceiving consumers and violating some third-party terms of service.
The complaint and settlement warn app developers to be careful about the information they disclose to third parties and the representations they make about their privacy practices. According to the FTC, Flo Health incorporated third-party software development kits (“SDKs”) into its fertility app that let marketing and analytics firms gather app data, including Custom App Events. Flo Health allegedly labeled Custom App Events with titles that revealed a user’s health information – for example, when a user entered the week of her pregnancy, the app recorded a Custom App Event titled “R_PREGNANCY_WEEK_CHOSEN.” When the app shared Custom App Events with third-party SDKs, it allegedly also shared users’ sensitive and identifiable health information. Third parties used this information for purposes not stated in Flo Health’s privacy policy, such as targeting advertisements.
To avoid a similar situation, app developers should ensure that data shared with third parties – whether through SDKs or otherwise – does not reveal information that the app developer promised to keep private. App developers can, for example, implement vendor diligence processes that allow appropriate personnel to assess data practices of the vendors before onboarding such vendors. An app’s privacy policy should accurately reflect the information shared with third parties and the ways that information may be used. In addition, if apps made commitments under the now invalid EU-US Privacy Shield, like Flo Health did, they must continue to meet those obligations. The FTC alleged that Flo Health’s practices violated the company’s obligations to comply with the Privacy Shield principles of Notice, Choice, Accountability for Onward Transfers, and Data Integrity and Purpose Limitation—exemplifying how the Privacy Shield’s invalidation does not affect a company’s Privacy Shield obligations before that invalidation.
Under the settlement, Flo Health must notify consumers whose information was shared with third parties in violation of Flo Health’s privacy policy and must instruct third parties to delete this information. Going forward, Flo Health must stop misrepresenting its privacy practices. It must obtain users’ consent before sharing their health information with third parties, and must inform users of the information disclosed, the third parties involved, and the purposes of the disclosures. Notably, Flo Health must undergo review by a qualified outside party to ensure its compliance with the settlement within 180 days of the settlement becoming final. The settlement also includes ongoing reporting obligations.
This settlement serves as a reminder that an app’s design must match up with its privacy policy. Put more simply – apps must do what they say, and say what they do.