The FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers, an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.
First, user notice and explicit consent, albeit through privacy policies, remain paramount to allow data sharing. The settlement prohibits Flo Health from misrepresenting, among other things, “the purposes for which it (or entities to whom it discloses data) collect, maintain, use, or disclose the data.” In its complaint against Flo Health, the FTC alleges that Flo Health disclosed user health data to, among others, the analytics divisions of Facebook and Google, despite assuring users that their information would only be used to provide services. These disclosures included health information, such as the fact of a user’s pregnancy. The FTC’s prohibition on future misrepresentations aligns with language in an earlier, proposed settlement that required Flo Health to obtain consent from app users before sharing their health information. The FTC’s settlement with Flo Health underscores its expectation that companies sharing sensitive personal information should obtain the “consumer’s affirmative express consent,” which the FTC has defined in other settlements as requiring a consumer to assent to the disclosure in question through a clear and conspicuous mechanism.
Second, health apps will get special scrutiny, and health companies should be particularly clear and honest about the extent to which consumers can control their data. A spokesperson from the FTC emphasized that consumers need “to be able to trust” any apps that collect, use, or share sensitive health information. They added that the FTC is keeping an eye on the extent to which “developers of health apps are keeping their promises.” If consumers are led to believe that they will have robust controls over which entities receive their information, then companies must make good on those representations. The final settlement prohibits Flo Health from misrepresenting how consumers can control data uses.
Third, third-party purchasers of data from other companies can lose access to that data if it was not collected appropriately, and so should exercise some level of due diligence on how the data collectors provide notice and obtain consent. The FTC has ordered third parties that received users’ health information from Flo Health to destroy that data. The FTC’s deletion order makes clear that the agency will not tolerate data continuing to exist in the hands of parties with which consumers did not consent to share their information, even where those third parties received it in good faith.
In the popular mind, HIPAA provides broad protections for all sorts of health data in all sorts of contexts. Legally, however, HIPAA’s protections are limited to certain entities and circumstances. With the Flo enforcement action, the FTC seems to be drawing attention to the use of medical and health information outside of HIPAA’s protections. Developers of such apps must be particularly detailed and candid with users about how that data will be used, including with whom it will be shared and how consumers can involve themselves in controlling the use of their data. Failure to provide adequate notice, obtain clear consent, and then maintain a privacy program that allows the company to follow through on important promises, such as protecting sensitive data from third-party disclosure, will carry more risk of an enforcement action.