The Federal Trade Commission has reached a settlement with Flo Health, a widely used period and fertility-tracking app which has more than 100 million users worldwide, over allegations that it broke its privacy promises by improperly sharing private health information with Facebook, Google and other third-party companies.
As part of the proposed settlement, Flo Health has to obtain an independent review of its privacy practices, notify users about the prior data sharing and secure their permission before sharing their private health information.
The settlement follows a 2019 report from The Wall Street Journal, which analyzed the data-sharing activity of a number of apps. The report revealed how Facebook collects a wide range of private data from developers. It found that Flo Health was sharing sensitive data, including whether users were ovulating and when a user was having their period, with Facebook behind closed doors.
“Flo did not stop disclosing this sensitive data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users,” the FTC said in the announcement of the proposed settlement.
As part of the proposed settlement, Flo is prohibited from misrepresenting the purposes for which it or entities to whom it discloses data collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.
The data Flo shared with third-party companies was an ad identifier, which allows users to be targeted with online ads, not users’ names or addresses. A Flo spokesperson said in a statement: “We are glad to have reached an agreement with the FTC and resolved the matter. We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount.”