Fertility-tracking app Flo Health has settled Federal Trade Commission (FTC) allegations that it shared user data with third parties, despite promising the contrary.
As part of the proposed settlement, the developer of the period and fertility-tracking app, which the FTC said is used by more than 100 million consumers, is required to obtain an independent review of its privacy practices and get app users' consent before sharing their health information.
Flo will also be prohibited from misrepresenting the purposes for which it, or entities to which it discloses data, collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users' personal information.
In addition, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users' health information to destroy that data.
In its complaint, the FTC alleges that Flo promised to keep users' health data private and only use it to provide the app's services to users.
According to the complaint, Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook's analytics division, Google's analytics division, Google's Fabric service, AppsFlyer, and Flurry.
The FTC said Flo disclosed sensitive health information, such as a user's pregnancy, to third parties in the form of "app events," which are app data transferred to third parties for various reasons.
The complaint alleges Flo did not limit how third parties could use this health data.
Flo did not stop disclosing this sensitive data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app's users, the FTC said.
"Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps," director of the FTC's Bureau of Consumer Protection Andrew Smith said. "We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly."
The FTC also alleges that Flo violated the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks, which require notice, choice, and protection of personal data transferred to third parties.
A Flo spokesperson told ZDNet the company's highest priority is protecting its users' data.
"We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use."
The spokesperson said Flo is transparent about its practices and adheres strictly to all applicable regulations.
"Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us," they said.
"Flo did not at any time share users' names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users' health with any company unless we get their permission."
Updated 10:43am AEDT 14 January 2021: Added comments from Flo Health spokesperson.