Flo Period App Gets A Wrist Slap For Sharing Private Health Data
from the new-day,-same-behavior dept
Another day, another privacy scandal where the penalties do virtually nothing to prevent history from repeating itself. This time the focus is on the Flo period and fertility tracking app, which has struck an arguably pathetic deal with the Federal Trade Commission over allegations that it lied to app users about sharing private health information with third-party firms, including Facebook and Google. According to the complaint and settlement, Flo informed the app’s users that customer data would be “kept private.” Instead, Flo sold consumer data, including the dates of users’ periods and their pregnancy plans, to third parties:
“…the FTC alleges that Flo promised to keep users’ health data private and only use it to provide the app’s services to users. In fact, according to the complaint, Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry.”
Like so many app makers, companies, and telecom giants, the company hid behind claims that this data was “anonymized,” despite a laundry list of studies showing that anonymized data isn’t really anonymous (especially when an attacker, government or company has access to other data sets to cross-reference it against). Also like a long list of companies, consumer privacy appears to have been the last thing on Flo’s mind as it looked for ways to monetize user data. As a result, Flo didn’t restrict how this data could be used in any meaningful way.
The settlement comes on the heels of a 2019 story by the Wall Street Journal that first disclosed Flo’s dubious privacy and security practices. Other detailed studies on several fronts have made it clear this has been a problem in the health app sector for years, with smoking cessation and mental health apps generally doing the same thing. It’s something the FTC claims to be working on, but clearly hasn’t made much of a dent in:
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
Think about the sheer volume of apps and companies engaging in this kind of behavior, then remember that the US FTC, quite intentionally, has about 8% as many staff focused on privacy as UK privacy regulators do, despite the UK having one-fifth as many citizens. This is, much like our inability to pass even basic privacy guidelines for the internet era, by design, not accident. We hamstring, underfund, and understaff our regulators (when we’re not busy actively sabotaging their legal authority), then stand around with a dumb look on our collective faces wondering why US privacy is such a hot mess.
The settlement includes no financial penalty whatsoever, and while Flo will now inform users their data is being sold to third parties, it doesn’t have to acknowledge any wrongdoing. Surely that will fix things.