On January 13, 2021, the FTC announced that fertility app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers, including Facebook and Google. The FTC originally filed the complaint against Flo after 2019 media reports alleged that the app, used by more than 100 million consumers, had shared customer information despite representations that Flo would keep such information private.
In a statement released on Flo’s webpage, the fertility app developer stated: “Flo has never sold any data point to Facebook [and] we never used sensitive data from Facebook Analytics for advertisement. We utilized Facebook Analytics tool, as many other apps do, for us to ensure our app offers the best experience for our users. To clarify, any use of these tools was for internal development only to improve our functionality and service to our users.” Flo maintains that it did not share users’ names, addresses, or birthdays. Flo has stated that its agreement with the FTC is not an admission of wrongdoing but a business decision to avoid costly litigation.
The FTC’s vote on the proposed settlement was 5-0. If the proposed consent order becomes final after public comment, it would require Flo Health to undergo an independent review of its privacy practices and to obtain users’ consent before sharing their health information. Flo would also have to alert consumers to the FTC charges that Flo had shared users’ personal data without their consent.
Companies that rely on outside services for data processing and analytics (such as Facebook or Google analytics services) should pay particular attention to this case. Once a proposed consent order is issued on a final basis, it can carry the force of law with respect to future actions, and each violation of a final order may result in a civil penalty of up to $43,792. If using third-party analytics tools does indeed constitute sharing data with third parties, companies may wish to obtain users’ prior consent to minimize such risks.