Flo Health, Inc., which markets a menstrual and ovulation tracking app, recently entered into a settlement with the Federal Trade Commission (FTC) to dispose of charges that Flo improperly shared consumer data with third parties, including Facebook and Google. The disclosure of the data, which included pregnancy status and sexual history of more than 100 million users, violated Flo’s published privacy policies.
Health privacy laws, including HIPAA and individual states’ laws, generally only apply to medical providers, leaving many mobile apps unregulated. In a statement regarding the Flo settlement, two FTC commissioners said that the FTC should have charged Flo with violating the Commission’s Health Breach Notification Rule. The Rule was first issued more than a decade ago but has never been enforced.
Newly appointed Department of Health and Human Services (HHS) Secretary Xavier Becerra reached a similar settlement with Glow, Inc. last September when he was California’s Attorney General. Privacy and security violations involving Glow’s fertility tracker resulted in a $250,000 civil penalty, among other remedies.
Under Flo’s FTC settlement, the company will be subject to new consent and disclosure requirements and must ensure that its business partners destroy the data that they receive. It appears likely that the FTC, and perhaps HHS as well, will soon take further action against mobile app developers that violate consumers’ privacy or fail to comply with health breach notification laws.