The analytics divisions of Facebook, Google and AppsFlyer were among third-party recipients of highly intimate information from the Flo Health period and fertility tracking-app, which has now settled a dispute with the US Federal Trade Commission (FTC) agency over the improper sharing of data with its marketing services.
FTC maintains in a complaint against the tracker that millions of the app’s users were deceived by the company, which has reportedly argued that no "information regarding ... marked cycles, pregnancy, symptoms [and] notes" would be provided to any third parties. But some sensitive info, including the pregnancy status of some users, was eventually obtained by marketers in the form of “app events”, the Financial Times unveiled, as cited by MobiHealthNews.
The tracker had been reportedly engaged in these practices until February 2019, when the “bloody” issue came to light after a Wall Street Journal report titled “You Give Apps Sensitive Personal Information. Then They Tell Facebook.” The article has prompted “hundreds of complaints” from the calendar’s users, the FTC said.
However, Flo Health maintains that it has not done anything wrong, despite signalling full cooperation with the FTC during a privacy policies review.
The settlement “is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us,” the company’s spokesperson argued.
“Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission,” the app’s representatives maintained in a statement.
According to the proposed settlement, Flo will now have to notify all the affected users about the breach of their personal data and instruct the third party involved in the info collection to destroy all the retrieved records. The app, which has now been pushed for an independent review of its privacy policies, will also be required to get the users’ consent before being involved into such practices in the future, as well as forbidden from misrepresenting the collection and handling of their info.
It is not clear whether the company, which is believed to have over 100 million users worldwide, will be slapped with financial penalties for its actions.