
Flo gets FTC slap for sharing user data when it promised privacy

Natasha Lomas
Senior Reporter, TechCrunch
January 13, 2021
The Federal Trade Commission (FTC) has come to an agreement with Flo, a popular period and fertility tracking application utilized by over 100 million individuals, regarding accusations that it disclosed user health data to third-party analytics and marketing platforms, including Facebook, despite assurances of maintaining the privacy of sensitive health information.

As part of the proposed settlement, Flo is required to undergo an independent assessment of its privacy procedures and secure explicit consent from app users before sharing any health-related data.

This action stems from reports published in the Wall Street Journal in 2019, which analyzed data sharing practices among various applications.

The analysis revealed that the fertility tracking app had communicated details of in-app user activity – such as menstrual cycles or pregnancy intentions – to Facebook, and found no mechanisms for Flo users to prevent this data transmission.

According to the FTC’s announcement regarding the proposed settlement, media coverage concerning Flo’s data sharing with third-party analytics and marketing companies, including Facebook and Google, prompted a significant number of consumer complaints.

The app ceased the unauthorized disclosure of user health data only after the emergence of unfavorable media attention, the FTC stated.

The terms of the FTC settlement prohibit Flo from making false or misleading statements concerning the reasons for which it (or related entities) gather, retain, utilize, or reveal data; the extent of consumer control over these data practices; its adherence to privacy, security, or compliance programs; and its methods for collecting, retaining, utilizing, disclosing, deleting, or safeguarding personal information.

Flo is also obligated to inform affected users about the disclosure of their personal information and to direct any third party that received user health information to eliminate that data from their systems.

The app developer has been approached for a statement. Update: A representative from Flo commented:

While no financial penalties are being imposed, the FTC’s proposed settlement is significant as it marks the first instance of the U.S. regulator mandating notification of a privacy-related action.

“Applications that collect, utilize, and share sensitive health information can deliver valuable services, but consumers must have confidence in these applications. We are carefully examining whether developers of health apps are upholding their commitments and responsibly managing sensitive health information,” stated Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

Although the settlement received unanimous support from all five commissioners, two – Rohit Chopra and Rebecca Kelly Slaughter – issued a dissenting statement, emphasizing the absence of a determination regarding a violation of a health breach notification rule, which they believe should have been applicable in this situation.

“We believe the FTC should have charged Flo with violating the Health Breach Notification Rule. According to the rule, Flo was required to notify its users after allegedly sharing their health information with Facebook, Google, and others without their consent. Flo failed to do so, rendering the company liable under the rule,” they explained.

“The Health Breach Notification Rule was initially established over a decade ago, but the proliferation of connected health applications has made its requirements more crucial than ever. While we would prefer to see more substantial restrictions on companies’ ability to collect and monetize personal information, the rule at least ensures that services like Flo must disclose any privacy or security breaches. This may encourage companies to exercise greater caution in collecting and monetizing our most sensitive data,” they added.

Flo is not the only period tracking app to have faced scrutiny regarding user data leaks in recent years.

A report released last year by the Norwegian Consumer Council revealed that fertility/period tracker apps Clue and MyDays were unexpectedly sharing data with advertising technology companies Facebook and Google, among others.

The report also identified similar instances of non-transparent data sharing across a variety of applications, including dating, religious, makeup, and children’s apps – indicating widespread violations of regional data processing regulations, which require that consent be informed and freely given. However, app developers in the region have faced limited enforcement for analytics/marketing-related data leaks thus far.

In the U.S., regulatory measures concerning apps are centered on deceptive claims – whether regarding privacy, as in Flo’s case, or concerning the purposes of data processing, as seen in a separate FTC settlement earlier this week involving cloud storage app Ever.


Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time at TC, she evaluated smartphones as a reviewer for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now integrated within TechRepublic – with a concentration on areas like mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism from Goldsmiths College, University of London.