Many developers of digital health apps that offer health and wellness features directly to consumers may find themselves outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”). Being outside HIPAA does not mean being unregulated: developers in this space remain exposed to other federal and state privacy and security laws, including unfair, deceptive, or abusive acts or practices (UDAAP) laws. A recent Federal Trade Commission (“FTC”) settlement shows how much rides on accurately describing how information is collected, used, and shared.
Specifically, the FTC recently settled with Flo Health, Inc., the developer of a popular fertility-tracking app, over promises the company made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and to use it only to provide the app’s services, the health information of over 100 million users was in fact being shared with popular third-party companies that provided marketing and analytics services to the app.
Like many app developers, Flo tracked both standard app events, such as launching or closing the app, and “custom” app events. Custom app events record user interactions specific to the Flo app. For example, if a user enters a menstruation date, that interaction is logged as a custom app event. Flo used those custom app events to improve app functionality and identify features that might be of interest to the user. Flo also gave each custom app event a descriptive title, such as “R_PREGNANCY_WEEK_CHOSEN.” These custom app events, carrying those descriptive titles, thus conveyed information about users’ menstruation, fertility, or pregnancies. The practical lesson is that an analytics event is data in its own right: when the event name itself encodes a health fact, forwarding that event to a third-party analytics or marketing service discloses the fact, whether or not any separate health field is attached.
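As an added illustration (this is example code written for this post, not Flo’s code and not the API of any real analytics SDK), the block below shows the gating a developer would put between app code and third-party analytics: an explicit allowlist that maps internal event names to opaque identifiers, stripping of sensitive properties, and an audit that flags event names or properties conveying reproductive-health data. Every event name, property key, and sink other than “R_PREGNANCY_WEEK_CHOSEN” is a constructed assumption.

```javascript
// Added example, not code from the original post or from Flo Health.
// A forwarding layer between app code and third-party analytics/marketing SDKs.
// Only allowlisted events reach the third party, under an opaque name and with
// sensitive properties removed; everything else stays first-party.
// All names below except R_PREGNANCY_WEEK_CHOSEN are hypothetical.

// Allowlist: internal event name -> opaque name that third parties may see.
const THIRD_PARTY_ALLOWLIST = new Map([
  ["APP_OPENED", "ev_001"],
  ["APP_CLOSED", "ev_002"],
  ["SETTINGS_VIEWED", "ev_003"],
]);

// Property keys that must never cross the first-party boundary, even on allowed events.
const SENSITIVE_PROPERTY_KEYS = new Set(["cycle_day", "pregnancy_week", "period_start", "symptom"]);

// Substrings that mark an event name as encoding reproductive-health data (hypothetical list).
const SENSITIVE_NAME_TERMS = ["PREGNANC", "MENSTRU", "PERIOD", "OVULAT", "FERTIL", "CYCLE", "SYMPTOM"];

function isSensitiveName(name) {
  const upper = name.toUpperCase();
  return SENSITIVE_NAME_TERMS.some((term) => upper.includes(term));
}

// Returns the event as it may reach a third party, or null if it must not be sent at all.
function sanitizeForThirdParty(event) {
  const opaque = THIRD_PARTY_ALLOWLIST.get(event.name);
  if (opaque === undefined) return null; // not allowlisted: stays first-party only
  const props = {};
  for (const [k, v] of Object.entries(event.props || {})) {
    if (!SENSITIVE_PROPERTY_KEYS.has(k)) props[k] = v; // drop sensitive keys, keep the rest
  }
  return { name: opaque, props, ts: event.ts };
}

// Routes a batch: the first-party sink receives everything, the third-party sink
// receives only the sanitized subset. Returns counts for monitoring.
function routeEvents(events, firstPartySink, thirdPartySink) {
  let forwarded = 0;
  let withheld = 0;
  for (const ev of events) {
    firstPartySink(ev);
    const out = sanitizeForThirdParty(ev);
    if (out) {
      thirdPartySink(out);
      forwarded += 1;
    } else {
      withheld += 1;
    }
  }
  return { forwarded, withheld };
}

// Audit: given what a third-party sink actually received (e.g. captured from a proxy
// in a test run), list anything resembling the descriptive titles at issue in the complaint.
function auditThirdPartyTraffic(received) {
  const findings = [];
  for (const ev of received) {
    if (isSensitiveName(ev.name)) findings.push(`event name leaks health data: ${ev.name}`);
    for (const k of Object.keys(ev.props || {})) {
      if (SENSITIVE_PROPERTY_KEYS.has(k)) findings.push(`sensitive property on ${ev.name}: ${k}`);
    }
  }
  return findings;
}

// Constructed sample batch. Only R_PREGNANCY_WEEK_CHOSEN is a name taken from the FTC complaint.
const SAMPLE_EVENTS = [
  { name: "APP_OPENED", props: { os: "ios" }, ts: 1 },
  { name: "R_PREGNANCY_WEEK_CHOSEN", props: { pregnancy_week: 12 }, ts: 2 },
  { name: "PERIOD_DATE_ENTERED", props: { period_start: "2021-01-04" }, ts: 3 },
  { name: "SETTINGS_VIEWED", props: { os: "ios", cycle_day: 9 }, ts: 4 },
  { name: "APP_CLOSED", props: {}, ts: 5 },
];

// Runs the batch through the gate and audits both the raw batch (what forwarding
// everything would have sent) and the gated output (what the third party actually gets).
function demo() {
  const firstParty = [];
  const thirdParty = [];
  const counts = routeEvents(SAMPLE_EVENTS, (e) => firstParty.push(e), (e) => thirdParty.push(e));
  const rawFindings = auditThirdPartyTraffic(SAMPLE_EVENTS);
  const gatedFindings = auditThirdPartyTraffic(thirdParty);
  return { counts, rawFindings, gatedFindings, thirdParty };
}

const result = demo();
console.log(JSON.stringify(result, null, 2));
```

Two design points carry the weight here: the allowlist is the default-deny control, so a newly added custom event can never reach a third party until someone consciously maps it to an opaque name, and the audit runs over what the third-party sink actually received rather than over the app’s intentions, which is the only view that matches what a regulator would compare against the privacy policy.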
Our sister blog discusses more details of this case, including the allegations that Flo violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.