The Federal Trade Commission finalized a settlement that will require Flo Health Inc. to obtain the affirmative consent of users of the company’s fertility-tracking app before sharing their personal health information with others and to obtain an independent review of their privacy practices.
In a complaint first announced in January, the FTC alleges that despite promising to keep users’ health data private, Flo shared sensitive health data from millions of users of its Flo Period & Ovulation Tracker app with marketing and analytics firms, including Facebook and Google.
As part of the settlement, Flo Health must notify affected users about the disclosure of their health information and instruct any third party that received users’ health information to destroy that data. Flo also is prohibited from misrepresenting:
- the purposes for which it (or entities to whom it discloses data) collect, maintain, use, or disclose the data;
- how much consumers can control these data uses;
- its compliance with any privacy, security, or compliance program; and
- how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.
After receiving five comments, the Commission voted 4-0-1 to finalize the settlement and to send responses to the commenters. FTC Chair Lina Khan did not participate in the vote. In responding to commenters, the Commission noted that it is currently undertaking a review of the Health Breach Notification Rule, and is actively considering public comments regarding the application of the Rule to mobile applications and other direct-to-consumer technologies that handle consumers’ sensitive health information.