According to the Federal Trade Commission, a technology start-up that develops and distributes a mobile application called Flo Period & Ovulation Tracker is in a bit of trouble. The app collects and stores menstruation and fertility information about the millions of women who use it worldwide. No big deal, right?
The problem is that the start-up allegedly shared and monetized the data collected by the app without obtaining the users' consent. The FTC investigated allegations that menstruation and pregnancy data was shared, without the users' permission, with third parties such as Facebook and Google.
After the FTC concluded its investigation, the app developer worked with the FTC’s Bureau of Consumer Protection to work out an agreement to resolve the allegations.
The FTC has not yet decided whether to accept the agreement (which contains a consent order) as the means of resolving the allegations of wrongdoing. The FTC is accepting public comment until March 1, 2021.
Here is what I submitted to the FTC:
Re: Flo Health, Inc.; File No. 192 3133
While it is commendable that the FTC’s Bureau of Consumer Protection proposed a Consent Order that contains some degree of injunctive relief to consumers, specifically by ordering the Proposed Respondent:
- To delete the data it improperly shared with third parties.
- To obtain users' affirmative express consent before sharing their health information with third parties.
- To report to the Commission future unauthorized disclosures.
- To obtain an outside assessment of its privacy practices.
- To notify consumers that information about their period and pregnancy was disclosed to Facebook, Flurry, Fabric, and Google.
What is problematic is that the company already had a legal duty to adhere to items #2 and #3. Under the Health Breach Notification Rule, vendors of personal health records not covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to notify individuals, the FTC, and others of a breach of this type.
Why was the Health Breach Notification Rule not invoked by the FTC?
Also problematic is the lack of victim redress in the Consent Order. If the FTC's intent is to classify consumer notification as a substitute for consumer redress, then it should spell out why. If consumer notification is not being proposed as a substitute for consumer redress, then, conversely, it follows that the FTC should explain why it is silent on consumer redress in the order.
For these two reasons, first, the FTC's failure to use its power to enforce the Health Breach Notification Rule, and, second, the lack of victim redress, I urge the Commission to withdraw from the agreement and take appropriate action by enforcing the laws on the books.
Publisher, LA Progressive