On January 13, 2021, the Federal Trade Commission announced a proposed settlement with Flo Health, Inc., after the Company allegedly shared its users’ health information with third-party analytic providers, despite promises to the contrary and in violation of certain provisions of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
According to the FTC complaint, more than 100 million users of Flo Health’s free period and ovulation tracker app had their information shared with numerous analytics and marketing service firms, with no limits on how the companies could use the data. These disclosures were ultimately brought to light by a national news story that prompted hundreds of complaints from app users.
The settlement largely tracks similar settlements with other first-time offenders. Specifically, Flo Health is required to notify affected users about the improper disclosures and instruct all third-party recipients to destroy the shared data. In addition, Flo Health is prohibited from making further misrepresentations related to its privacy practices and must disclose to users: 1) what data is collected; 2) how it is collected, maintained, and deleted; and 3) the purposes for which the personal information is collected, maintained and disclosed. Flo Health is also required to share how customers can control their data usage, disclose its compliance with any existing privacy or security programs, and obtain an independent review of its current privacy practices.