Privacy & Information Security Law Blog

On January 13, 2021, the FTC announced that fertility-app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers despite representations that Flo would keep such information private.

The FTC alleged that Flo, a developer of a popular mobile application used by more than 100 million consumers to track menstruation and ovulation cycles, had promised to keep users’ health data private and use it only to provide services to app users, but in fact disclosed the data (such as the fact of a user’s pregnancy) to third-party marketing and analytics services. The complaint also alleged that Flo did not place restrictions on how third-parties could use this health data, and that Flo’s disclosures of sensitive health data continued unhindered until a February 2019 news article revealed them. Additionally, the FTC alleged that Flo, which is certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, violated the Privacy Shield’s Notice, Choice, Accountability for Onward Transfer and Data Integrity and Purpose Limitation Principles.

The proposed settlement would bar Flo from misrepresenting: (1) the purposes for which it collects, uses and discloses data; (2) the extent to which consumers can control the purposes for which their data is used; (3) Flo’s compliance with any privacy, security or compliance program; and (4) how Flo collects, maintains, uses, discloses, deletes or protects app users’ personal information. The proposed settlement also requires Flo to notify affected users about the disclosure of their personal information to third-parties, and instruct any third-party recipient to destroy Flo users’ health information.