- A 2019 survey by Pew Research Center found that 79% of Americans are concerned with how companies collect and use data on consumers.
- Another study, conducted by the cybersecurity firm RSA (2019), determined that 45% of Americans have had their personal information compromised within the last five years due to a data breach.
- In 2020, Security.org conducted a survey, which revealed that more than 60% of survey participants had fallen victim to some type of hack, scam, or financial information theft.
In 2019, the Wall Street Journal (WSJ) published an article highlighting the data-sharing activity of several popular apps. One of the apps listed in the article was Flo, a widely used fertility tracking app that has been downloaded more than 140 million times! When using an app of this standing, a user would expect their health data to remain confidential. In fact, Flo Health, Inc. affirmed that user information would always remain private. Unfortunately, this was not the case. Analysis conducted by the WSJ revealed that Flo frequently shared “in-app” activity with Facebook. This data consisted of when a user was having her period, and/or if she intended to get pregnant. The Wall Street Journal concluded that it was impossible for a Flo user to opt out of having this sensitive information shared with Facebook.
When Facebook received a user’s data from Flo, they would send the user targeted ads. Furthermore, it was noted that fertility data were subsequently shared with Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry. To add insult to injury, Facebook originally denied that they shared users’ sensitive health data with other establishments. Flo eventually stopped disclosing customers’ data when the company’s deceptive practices were exposed by the Wall Street Journal. This despicable invasion of privacy was ultimately brought to the attention of the FTC and, on January 13th, 2021, Flo and the FTC reached a settlement.
The FTC settlement requires that Flo Health, Inc. obtain an independent privacy review and the user’s consent before sharing their health information. The FTC also specified that “Flo is prohibited from misrepresenting the purposes for which it or entities to whom it discloses data, collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information. In addition, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.”
Some may consider the FTC’s settlement a slap on the wrist, given that no financial penalties were levied against Flo Health, Inc. However, it is worth noting that this settlement is a win for privacy advocates, since this is the first time that a U.S. regulator has ordered notice of a privacy action! Flo is not the only app on the market that has sold customers’ data, despite vehemently declaring that they would never do so. In our next article, we will continue the data privacy conversation by examining ways we can protect our data. In the meantime, do not hesitate to contact us if you have additional data privacy questions, and make sure to subscribe to our newsletter to stay up to date with our latest content!