Many digital health app developers offering health and wellness solutions directly to consumers may find themselves in a space unregulated by the Health Insurance Portability and Accountability Act (“HIPAA”). While potentially outside the scope of HIPAA, developers in this space are reminded of the risks stemming from other federal and state privacy and security laws, including unfair or deceptive abuse acts and practices (UDAAP) laws. A recent Federal Trade Commission (“FTC”) settlement sheds light on the importance of accurately describing how information is collected, used, and shared.

Specifically, the FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and only use it to provide the app’s services to users, in fact, health information of over 100 million users was being shared with popular third party companies providing marketing and analytics services to the app.

Like many app developers, Flo tracked both standard app events such as launching or closing the app, as well as “custom” app events. Custom app events record user-interactions unique to those using the Flo app. For example, if a user enters a menstruation date, that interaction is logged as a custom app event. Flo used those custom app events to improve app functionality and identify features that might be of interest to the user. Flo also gave each custom app event a descriptive title, such as “R_PREGNANCY_WEEK_CHOSEN.” These custom app events, with that descriptive title, thus conveyed information about users’ menstruation, fertility, or pregnancies.

In its app, Flo integrated various third-party tools (software development kits or SDKs) that gathered advertising or other unique device identifiers. When doing this, the SDKs also gathered the custom app events revealing certain health information about users. The FTC alleged that this was sharing health information with third parties and directly contradicted statements in Flo’s privacy policy claiming to never share health data (e.g., “We may share certain non-identifiable information about you and some Personal Data (but never any data related to health).”). In addition, Flo did not limit what these companies could do with the users’ information, agreeing to each company’s standard terms of service. Besides allegedly violating its privacy policy, the FTC also pointed that out that this kind of sharing violated several of the third parties’ own terms of service/use. Those terms prohibited the sharing of health or sensitive information.

As part of the settlement, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data. In addition, separate from any privacy policy or terms of use, before sharing any health information with a third party in the future, Flo must disclose the categories of health information that will be shared, the identifies of the third parties, the purpose of such disclosure and how information will be used, and obtain the users affirmative express consent. The FTC did not impose any financial penalty as part of the settlement.

Our sister blog discusses more details of this case, including the allegations that Flo violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.

Practical Considerations

Apps collecting sensitive or health information should be aware that descriptive custom app event titles could inadvertently convey information not intended to be shared with third parties. This information could be viewed as sharing of personal information, and thus the FTC (and others) will expect that it be correctly described in the company’s privacy policy and elsewhere that representations about data use and sharing are made. Companies who have not done so already will want to think through app event titles and information that gets shared as part of SDK integrations and align that with their privacy disclosures. This case is also a reminder that companies in the health and wellness space have privacy and security obligations even if outside the scope of HIPAA applicability.