FTC Announces Two Information Privacy and Data Security Enforcement Actions

For privacy-minded folks whose New Year’s resolutions include a wellness commitment: read the fine print before donning a wearable or downloading an app to help you track health or wellness issues. Last week, in its second information privacy and data security enforcement action of 2021, the Federal Trade Commission (FTC) announced its settlement with a popular women’s health tracking app developer who misled the public about disclosures it was making of its users’ health data. As it has in the past, the FTC arrived at its resolution of this case by comparing the privacy promises the app developer had made to users with how it actually conducted its business. The FTC found that the app developer, Flo Health, Inc. (“FHI”), promised to keep its users’ data private but instead, even after receiving adverse media coverage for disclosing sensitive health data, stayed on a perilous course of oversharing. The FTC’s first 2021 information privacy and data security enforcement action, noted below, was against Everalbum, Inc. d/b/a “Ever” and “Paravision” for intentionally making unauthorized and unconsented uses and disclosures of consumers’ biometric information captured through a mobile app.

In its Consent Order, FHI has agreed to instruct any third parties with whom it improperly shared users’ data to delete and destroy any such information. In addition, it must take steps to inform all members of its workforce, its advisors and its vendors to, among other things, assure that none misrepresent in “any manner, expressly or by implication” the ways in which users may control FHI’s use and disclosure of their own information, including deletion of that information. Interestingly, this Consent Order (and the Everalbum consent order) emphasizes two important fair information privacy principles: first, exactly what a “clear and conspicuous” disclosure to consumers regarding a company’s privacy policies is; and second, the importance of obtaining consumers’ “affirmative express consent.” As we experience an Administration change, it will be interesting to see if the features of these early 2021 information privacy and security enforcement actions are signaling a direction the FTC plans to take this year in pursuit of its commitment to assure that businesses using apps, websites, and other technology resources to interact with the public are keeping the privacy promises they make and are not misusing the “tsunami” of consumers’ information they collect from unsuspecting app users.

In last week’s press release, the Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, explained that “apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps.” Director Smith promised that the FTC is looking closely “at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.” For nearly two decades, the FTC has been very effective in flexing its enforcement powers to challenge the privacy promises businesses make to the public but fail to keep. Since its original 2002 privacy and data security enforcement action, brought against Eli Lilly & Co under the leadership of then-Director J. Howard Beales, III, the FTC’s commitment to be a watchdog for the public on privacy and data security issues has remained unwavering. In that case, the FTC challenged Eli Lilly when it was responsible for the unauthorized disclosure of consumers’ sensitive information collected through its Prozac.com website, despite its public promises to consumers that it had implemented a host of measures to protect the confidentiality of the information “guests” shared with Eli Lilly via the website.
