The FTC reaches a settlement with Flo over allegations that it shared the health information of millions of users with Facebook and Google
The Federal Trade Commission did not fine Flo Health Inc. on Wednesday, despite finding evidence that it misled millions of users of its period and fertility tracking app by sharing their health data with third parties, including Facebook and Google.
Flo was accused of not limiting how outside companies could use the health information of millions of women, leading these companies to use the private data for targeted online advertising.
The investigation found that the app was sharing data while the company repeatedly promised users that their data would be protected and not shared with others.
In practice, information about users’ periods, pregnancies and deliveries was shared with third parties, including two mobile analytics services, AppsFlyer and Flurry.
The FTC found that Flo’s period and fertility tracking app inappropriately shared women’s health information with outside companies such as Google and Facebook. Flo agreed to a settlement with the FTC on Wednesday, but refuses to admit any wrongdoing.
With no contracts in place to prevent further use of this information for three years, the third parties could then use the data for advertising.
The practice began in June 2016 and was not made public until after a Wall Street Journal investigation in February 2019.
Flo has been downloaded over 100 million times worldwide, including 16 million downloads in the US, and is used as an ovulation calendar, period tracker and pregnancy app.
It claims to have 25 million active users.
In the 2019 report, The Wall Street Journal found that Flo had shared period tracking data with Facebook so it could deliver targeted online ads to users.
Facebook and Google were among the third-party apps Flo reportedly shared data with
While Flo initially denied that it had shared critical user data, testing by the WSJ found otherwise.
The tests showed that Flo told Facebook when a user was having their period or informed the app of their intention to become pregnant.
Software on Facebook can then associate this information with one of its users for targeted advertising.
The original WSJ investigation accused at least 11 apps of covertly collecting deeply personal information, including real estate app Realtor and Instant Heart Rate: HR Monitor.
The report angered many Flo users, which led to the FTC investigation.
The agency said Flo had interacted with users who were “outraged,” “incredibly upset,” “disturbed,” “appalled,” and “very angry,” as well as feeling “victimized” and “violated.”
“By encouraging millions of women to enter comprehensive information about their bodies and mental and physical health, Respondent [Flo] collected personal information about consumers, including name, email address, date of birth, place of residence, dates of menstrual cycles, when pregnancies started and ended, menstrual and pregnancy-related symptoms, weight and temperature,” the FTC said in its submission.
The FTC accused Flo of failing to set limits on how outside companies could use health information, while repeatedly promising users that their data would be protected
Still, it continuously agreed to the third parties’ own terms of service, allowing them to “use any information obtained from Flo App users for the third party’s own purposes.”
In the case of Facebook, the company was able to collect data even if the user had not used a Facebook account to log in or was not even a Facebook member.
The FTC voted 5-0 on the proposed settlement, despite Flo pushing back against the claims.
Flo had repeatedly promised that users’ data was safe, as depicted in the ad above
As part of the agreement, Flo must notify all users that it has shared their information without their consent and notify them of the FTC charges.
It will also be required to obtain an independent review of its privacy practices and obtain users’ consent before sharing their health information.
While Flo agreed to the settlement, it has insisted it did nothing wrong, claiming that it agreed only to avoid further lawsuits and “get the case behind us.”
“Our agreement with the FTC is not an admission of any wrongdoing,” the company said in a statement.
“Rather, it is a settlement to avoid the time and expense of a trial and allows us to move decisively away from this case.”
“Flo has never shared users’ names, addresses, or birthdays with anyone,” the statement added.
“We currently do not and will not share any information about the health of our users with any company unless we have their consent.”
The FTC has suggested more cases could be brought after the Wall Street Journal report identified other apps also guilty of the malpractice.
Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said: “Apps that collect, use and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps.
“We look carefully at whether developers of health apps keep their promises and handle sensitive health information responsibly.”
WHICH APPS SHARE DATA WITH FACEBOOK?
A study by the Wall Street Journal tested 70 apps in 2019 and found that 11 apps shared data with Facebook, largely without users’ knowledge.
Apps mentioned by the Journal include:
Instant Heart Rate: HR Monitor: Sent information such as heart rate to Facebook
Flo Period & Ovulation Tracker: Informed Facebook when the user had their period or had indicated that they wanted to become pregnant
Realtor.com: Sent the location and price of listings that a user had viewed, and noted which ones were marked as favorites
Breethe Inc.: Shared users’ email addresses and the names of the meditations they completed
BetterMe: Shared user weights and heights as soon as they were entered