It has never been easier to keep track of personal health and fitness. Individuals now have access to hundreds of health-related apps at their fingertips, which can help with achieving personal health goals and keeping track of everything from diet to sleep cycle. But these apps come with a catch-they require a user's personal information. As such, while most health-related apps may be free to use, does that use come at a cost to a user's privacy?
A recently revealed privacy incident involving the Flo: Health& Period Tracker app1-also known as "Flo"-offers some insight. On January 13, 2021, the Federal Trade Commission in the U.S. ("FTC") announced that it reached a proposed settlement with Flo Health, Inc., the developer of Flo, to resolve allegations respecting the company's improper sharing of users' personal health data with unauthorized third parties. This incident comes as a warning to all smartphone users to take care when entering personal information-particularly sensitive health information-into a health-related app.
What is the Flo app?
Flo is a widely used period, ovulation and fertility tracking app. It provides assistance with predicting ovulation and fertility and offers insights into a variety of women's health topics including pregnancy and childbirth, among other things. It is available for free download in Canada and around the world.2
What personal information does the Flo app collect from users and is it sensitive?
Like other health-related apps, Flo collects both general (i.e., name, email address, date of birth, place of residence) and health-related information from its users, including data relating to a user's reproductive health and well-being such as:
- body temperature;
- menstrual cycle dates;
- various symptoms related to menstrual cycle and health;
- sexual activities; and
- information about a user's personal life.3
This information is not only sensitive and private but, if exposed or placed in the wrong hands, this kind of intimate data may present a real risk of significant harm to an individual including, among other things, humiliation and damage to reputation or relationships. Accordingly, by law, this type of information must be safeguarded against unauthorized access, disclosure, and use.4
What was the Flo privacy incident and what user data was involved?
According to the complaint lodged by the FTC, despite promising users that health information shared with Flo would be kept private and that such data would only be used to provide app-related services to users, Flo Health, Inc. allegedly disclosed unencrypted identifying user health information-including data about users' menstrual cycles, fertility, and pregnancies-to various third party marketing and analytics firms from June 2016 to February 2019.
Per the complaint, Flo also did not limit how these third parties could use this private data. It agreed to permit third parties-without user knowledge or consent-to use any information obtained from the App for the third party's own purposes including advertising, product improvement, research, and development.
The proposed FTC settlement will become final on or after March 1, 2021. Pursuant to the settlement, Flo must (i) no longer misrepresent how and the purposes for which it collects, maintains, uses, discloses, deletes or protects users' personal information, and (ii) notify affected users about the disclosure of their personal information to unauthorized third parties.
Are there steps I can take to protect my personal information when using a health-related app?
The FTC issued a helpful guide for using health-related apps, with tips about how users can protect their privacy and reduce privacy risks when downloading and using such apps. When looking to download a health app, a user should compare the privacy settings of several similar health apps and ask:
- why does each app collect information?
- how does each app share information and with whom? and
- does one app allow for more control over the collection and sharing of personal information than others?
Ultimately, users should consider the dangers of sharing personal information with an app, and whether using the app's services is worth risking that their personal information may fall into the wrong hands.
What do I do if my personal information is compromised by an app?
If you are concerned or notified that your personal information may have been impacted in an app-related privacy breach, you may have a legal claim for compensation. Siskinds LLP is here to help.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.