Federal Trade Commission.
Proposed consent agreement; request for comment.
The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
Comments must be received on or before March 1, 2021.
Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “Flo Health, Inc.; File No. 192 3133” on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Elisa Jillson (202-326-3001), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 1, 2021. Write “Flo Health, Inc.; File No. 192 3133” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
Due to the COVID-19 pandemic and the agency's heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website.
If you prefer to file your comment on paper, write “Flo Health, Inc.; File No. 192 3133” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the “Commission”) has accepted, subject to final approval, an agreement containing a consent order from Flo Health, Inc. (“Respondent” or “Flo Health”).
The proposed consent order (“Proposed Order”) has been placed on the public record for thirty (30) days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.
This matter involves Flo Health, a technology start-up that develops and distributes a mobile application called the Flo Period & Ovulation Tracker (“App”), which collects and stores menstruation and fertility information about millions of users worldwide. Respondent has been a participant in the EU-U.S. Privacy Shield (“Privacy Shield”) and the U.S.-Swiss Privacy Shield framework since August 12, 2018.
The Commission's proposed complaint alleges that Flo Health deceived consumers, in violation of Section 5(a) of the Federal Trade Commission Act, in seven ways:
- First, the complaint alleges that Flo Health represented that it would not disclose “information regarding . . . marked cycles, pregnancy, symptoms, notes . . .” to any third parties, or disclose “any data related to health” to particular third parties. In fact, Flo Health disclosed custom app events—records of individual users' interactions with various features of the App, which conveyed identifying information about App users' menstrual cycles, fertility, and pregnancies—to various third-party marketing and analytics firms.
- Second, the complaint alleges that Flo Health represented that it would only disclose device identifiers or personal data “like” device identifiers to certain third parties. In fact, in addition to disclosing device and advertising identifiers, Flo Health also disclosed custom app events conveying health information to those parties.
- Third, the complaint alleges that Flo Health represented that third parties would not use Flo App users' personal information “for any purpose except to provide services in connection with the App.” In fact, Flo Health agreed to terms with multiple third parties that permitted these third parties to use Flo App users' personal health information for the third parties' own purposes, including for advertising and product improvement. Indeed, from June 2016 to February 2019, one of the third parties (Facebook, Inc.) used Flo App users' personal health information for its own purposes, including its own research and product development.
- Counts IV through VII allege misrepresentations of compliance with the Privacy Shield Principles of Notice (Count IV), Choice (Count V), Accountability for Onward Transfers (Count VI), and Purpose Limitation (Count VII). Count IV alleges that Flo Health represented compliance with the Privacy Shield frameworks, when in fact it did not give Flo App users notice about to whom their data would be disclosed and for what purposes. Count V alleges that Flo Health disclosed this information without providing Flo App users with choice with respect to these disclosures or the purposes for which the data could be processed (e.g., Facebook's advertising). Count VI alleges that Flo Health failed to limit by contract the third parties' use of users' health data or require by contract the third parties' compliance with the Privacy Shield principles. And Count VII alleges that Flo Health processed users' health data in a manner incompatible with the purposes for which it had been collected because Flo disclosed the data to third parties under contracts permitting them to use the data for their own purposes.
The Proposed Order contains injunctive provisions addressing the alleged deceptive conduct. Part I prohibits Flo Health from making false or deceptive statements regarding: (1) The purposes for which Flo Health or any entity to whom it discloses Covered Information (i.e., personal information, including identifiable health information) collects, maintains, uses, or discloses such information; (2) the extent to which consumers may exercise control over Flo Health's access, collection, maintenance, use, disclosure, or deletion of Covered Information; (3) the extent to which Flo Health complies with any privacy, security, or compliance program, including the Privacy Shield; and (4) the extent to which Flo Health collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information, or the extent to which Flo Health protects the availability, confidentiality, or integrity of Covered Information.
Part II of the Proposed Order requires Flo Health to ask any “Third Party” (i.e., any party other than Flo Health, its service providers, or subcontractors) that has received “Health Information” about “Covered App Users” to destroy such information. Part III of the Proposed Order requires that Flo provide notice to users and the public that it shared certain information about users' periods and pregnancies with the data analytics divisions (but not the social media divisions) of a number of third parties, including Facebook, Flurry, Fabric, and Google. Part IV of the Proposed Order requires that, before disclosing any consumer's health information to a third party, Flo Health must provide notice and obtain express affirmative consent, including informing the user of the categories of information to be disclosed, the identities of the third parties, and how the information will be used.
Part V of the Proposed Order requires an outside “Compliance Review,” conducted within 180 days after entry of the Proposed Order, to verify any attestations and assertions Flo Health made pursuant to the EU-U.S. Privacy Shield or the U.S.-Swiss Privacy Shield framework. Part VI of the Proposed Order requires Flo Health to cooperate with the Compliance Reviewer and Part VII requires that a senior manager of Flo Health certify Flo Health's compliance with the Proposed Order.
Part VIII of the Proposed Order requires notification of the Commission following any “Covered Incident,” which includes any incident in which Flo Health disclosed individually identifiable Health Information from or about a consumer to a third party without first receiving the consumer's affirmative express consent.
Parts IX through XII of the Proposed Order are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Flo Health to provide information or documents necessary for the Commission to monitor compliance with the Proposed Order. Part XIII states that the Proposed Order will remain in effect for twenty (20) years, with certain exceptions.
The purpose of this analysis is to aid public comment on the Proposed Order. It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order's terms.
By direction of the Commission, Commissioners Chopra and Slaughter concurring in part and dissenting in part.
Statement of Commissioner Noah Joshua Phillips
Despite representing that it would not share its users' health details with anyone, Flo Health, Inc. (“Flo”) allegedly did so. As charged in the complaint, Flo coded app events, a mechanism by which app developers use third-party analytics to track how users use their apps, with words like “Pregnancy”, and then shared them with analytics divisions of third parties including Facebook and Google.
I support this complaint and consent, which sends an important message about the care app developers must take to level with users about how they share user data.
I write to respond to the vision my colleagues articulate about when the Commission should use consumer notice in our data security and privacy enforcement program.
The order we place on the public record for comment requires Flo to seek deletion of data it improperly shared with third parties; obtain users' affirmative express consent before sharing their health information with third parties; report to the Commission future unauthorized disclosures; obtain an outside assessment of its privacy practices; and provide the following notice to consumers:
Between June 1, 2016 and February 23, 2019, the company that makes the Flo Period & Ovulation Tracker app sent an identifying number related to you and information about your period and pregnancy to companies that help us measure and analyze trends, usage, and activities on the app, including the analytics divisions of Facebook, Flurry, Fabric, and Google. No information was shared with the social media divisions of these companies. We did not share your name, address, or birthday with anyone at any time.
In championing the consumer notice remedy in their concurring statement, Commissioners Chopra and Slaughter propose that the Commission no longer assess each case on its particular merits when determining when to order consumer notice.
Rather, they assert “the Commission should presumptively seek notice provisions in privacy and data security matters, especially in matters that do not include redress for victims.”
I disagree with that approach.
The Commission has used notice requirements to prevent ongoing harm to consumers and to enable them to remediate the effects of harm suffered. To that end, the Commission has required consumer notice in cases where:
- Consumers' health or safety is at risk;
- consumers are subject to recurring charges that they may be unaware of;
- consumers have a financial or legal interest that needs to be protected;
- notice is necessary to prevent the ongoing dissemination of deceptive information;
- consumers on their own would not have been able to discover or determine the illegal behavior and would not know to take remedial action.
Using these guidelines, the Commission has found consumer notice appropriate in some privacy and data security cases as well, such as when there was a need to inform consumers about ongoing data collection and sharing or to correct a deceptive data breach notification.
On the data security front, where it can be critical that consumers know sensitive information has been breached or exposed, a panoply of state breach notification laws require notice to consumers.
When warranted, notice to consumers can be an important tool. But neither the Commission, nor any of the 50 states with data breach notification laws, have taken the position of requiring consumer notice for the mere sake of the notice itself.
Commissioners Chopra and Slaughter stress that notice is warranted especially where redress is not paid to consumers. How consumer notice substitutes for redress, an equitable mechanism to return to consumers what they have lost, is not clear. Nor is it clear what, if anything, limits this approach to notice to data security and privacy cases. To the extent notice is intended as a penalty, I disagree. My view is that we should target notice as a means to help consumers take action to protect themselves. Contacting consumers when there is no remedial action that they can take runs the risk of undermining consumer trust and needlessly overwhelming consumers.
Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter Concurring in Part, Dissenting in Part
Today, the FTC is ordering Flo Health, Inc. (“Flo”) to notify consumers that it has been charged with sharing consumers' menstruation and fertility information without their consent. This proposed settlement is a change for the FTC, which has never before ordered notice of a privacy action. We commend the agency's staff for securing this relief and for addressing Flo's concerning practices.
While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo's conduct violated the Health Breach Notification Rule, yet the Commission's proposed complaint fails to include this allegation. The rule helps ensure that consumers are informed when their data is misused, and firms like Flo should not be ignoring it.
Importance of Notice
Flo Health is the developer of a popular mobile app that collects menstruation and fertility information from millions of users worldwide. As detailed in the Commission's complaint, Flo promised these users that it would not disclose their sensitive information to third parties, but did so anyway—sharing it with Facebook, Google, and others.
This alleged conduct broke user trust, and it broke the law.
In addition to requiring Flo to improve its privacy practices, the FTC's proposed order directs Flo to notify its users of this serious breach. Notice confers a number of benefits in cases like this one. Consumers deserve to know when a company made false privacy promises, so they can modify their usage or switch services. Notice also informs how consumers review a service, and whether they will recommend it to others. Finally, notice accords consumers the dignity of knowing what happened. For all these reasons, the Commission should presumptively seek notice provisions in privacy and data security matters, especially in matters that do not include redress for victims.
Health Breach Notification Rule
The Commission must also ensure it is vigorously enforcing the laws on the books. Congress has entrusted the FTC with promulgating and enforcing the Health Breach Notification Rule, one of only a handful of federal privacy laws protecting consumers. The rule requires vendors of unsecured health information, including mobile health apps, to notify users and the FTC if there has been an unauthorized disclosure. Although the FTC has advised mobile health apps to examine their obligations under the rule, including through the use of an interactive tool, the FTC has never brought an action to enforce it.
In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule. Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google, and others without their authorization. Flo did not do so, making the company liable under the rule.
The Health Breach Notification Rule was first issued more than a decade ago, but the explosion in connected health apps make its requirements more important than ever. While we would prefer to see substantive limits on firms' ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches. Over time, this may induce firms to take greater care in collecting and monetizing our most sensitive information.
We are pleased to see a notice provision in today's proposed order, but there is much more the FTC can do to protect consumers' data, and hold accountable those who abuse it. Where Congress has given us rulemaking authority, we should use it.
And where we have rules already on the books, we should enforce them. Here, the Health Breach Notification Rule will have its intended effect only if the FTC is willing to enforce it.
We believe enforcing the rule was warranted here, and we respectfully dissent from the Commission's failure to do so. Particularly as we seek more authority from Congress in the privacy space, it is critical we demonstrate we are prepared to use the authorities we already have.
[FR Doc. 2021-01697 Filed 1-27-21; 8:45 am]
BILLING CODE 6750-01-P