A popular period and fertility tracking app has settled with the Federal Trade Commission over allegations that it lied to users about sharing private health information with third-party firms, including Facebook and Google. Flo, a period and ovulation tracking app, has more than 100 million users.
In the complaint, the FTC alleges Flo told users their information would be kept private. Then it shared their sensitive health data, including the dates of their periods and their pregnancy plans, with outside companies that provided marketing and analytics services to the app. It also failed to limit how this data would be used.
The move could have allowed Facebook to match sensitive health information with users’ profiles and target ads at them more effectively. As some users are more willing to share private information with an app like Flo than a major social network, the disclosures can feel invasive.
“Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
News of the settlement follows a 2019 report from The Wall Street Journal, which revealed that Flo was secretly sharing sensitive user data with Facebook.
A 2019 study published in JAMA Network Open also showed that apps marketed to people with depression or who wanted to quit smoking were sharing health data with Facebook and Google as well.
As part of the settlement, Flo has to notify users about how their personal information was shared and ask for their permission before sharing more information in the future. The company also has to receive an independent audit of its privacy practices. It did not admit any wrongdoing.
In a statement emailed to The Verge, a spokesperson for Flo said: “We are glad to have reached an agreement with the FTC and resolved the matter. We will be conducting a compliance review into our policies and procedures as requested as part of the Consent Agreement and providing the FTC with regular updates. We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount.”