The company behind period and fertility-tracking app Flo Health has settled with the FTC over allegations that it engaged in inappropriate sharing of user data. According to the FTC complaint, it shared health information on its 100 million users with third-party data analytics firms despite promising that the information would remain private.
Flo is far from the only company to offer period tracking apps that collect highly personal data. In fact, millions of women use such apps, for purposes such as avoiding period-triggered migraines or attempting to get pregnant.
It’s not always clear what such services do with user data. According to research by Consumer Reports, which looked at Flo and four other popular period tracking apps (BabyCenter, Clue, My Calendar and Ovia), even anonymous app users can’t be sure that their information won’t be shared with third parties.
The FTC apparently saw Flo’s practices as particularly egregious, though. According to its complaint, Flo disclosed health data provided by millions of users of its Flo Period & Ovulation tracker to third parties including Facebook’s analytics division, Google’s analytics division, Google’s Fabric services, AppsFlyer and Flurry.
According to the complaint, Flo disclosed particularly sensitive health information to third parties, such as the fact that a user had become pregnant. It also set no limits on how the third parties could use this health data. What’s more, the data was sent with a unique advertising identifier that could be matched with a device or user profile.
Flo only stopped supplying this highly sensitive data to third parties once an article published in the Wall Street Journal in February 2019 revealed these practices. The story noted that Facebook, in particular, collects a high volume of otherwise private consumer data in addition to that provided by Flo.
As part of the proposed settlement with the FTC, Flo is required to notify affected app users about the disclosure of their personal information, and to instruct any third party that received this information to destroy it. It must also agree to several other conditions, including obtaining an independent review of its privacy practices and getting app users’ consent before sharing their health information.
In addition, it is prohibited from misrepresenting how much consumers can control the collection, maintenance, or disclosure of their data. It’s also required to disclose how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.
Even if Flo meets all of the obligations listed in the settlement, its legal troubles may not be over. The FTC also alleges that Flo violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which require participating companies to provide notice, choice and protection for personal data transferred to third parties.
UPDATE: A Flo spokesperson put out the following statement:
“We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use. That’s why it is our policy to provide security measures designed to protect individual user data and privacy rights. We are transparent about our data practices and adhere strictly to all applicable regulations.
“Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.
“Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission.
“We have a comprehensive privacy framework with a robust set of policies and procedures to safeguard our users’ data which are regularly reviewed both internally and using independent expert auditors.
“We are glad to have reached an agreement with the FTC and resolved the matter. We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount”.