Flo gets FTC slap for sharing user data when it promised privacy – TechCrunch

Summary (IA Generated)

The FTC has reached a settlement with Flo, a period- and fertility tracking app with 100M+ users, over allegations it shared users’ health data with third party app analytics and marketing services like Facebook despite promising to keep users’ sensitive health data private.

Flo must obtain an independent review of its privacy practices and obtain app users’ consent before sharing their health information, under the terms of the proposed settlement.

In the announcement of a proposed settlement today, the FTC said press coverage of Flo sharing users data with third party app analytics and marketing firms including Facebook and Google had led to hundreds of complaints.

Under the FTC settlement terms, Flo is prohibited from misrepresenting the purposes for which it (or entities to whom it discloses data) collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.

Flo must also notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.

“Apps that collect, use, and share sensitive health information can provide valuable services but consumers need to be able to trust these apps.

@RKSlaughterFTC and I also believe that Flo violated the @FTC Health Breach Notification Rule.

“In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule.

Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google, and others without their authorization.

While we would prefer to see substantive limits on firms’ ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches.

A report last year by the Norwegian Consumer Council found fertility/period tracker apps Clue and MyDays unexpectedly sharing data with adtech giants Facebook and Google, for example.