InfoBytes Blog

Financial Services Law Insights and Observations

FTC settles with fertility-tracking app

Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security FTC Act UDAP EU-US Privacy Shield

On June 22, the FTC issued a decision and order against a company operating a fertility-tracking mobile app. The order resolved claims that the company shared users’ sensitive health data with various marketing and analytics service providers used by the company. The FTC filed a complaint in January claiming, among other things, that the company repeatedly promised to protect users’ personal health data but instead disclosed the data to third parties for years and did not contractually limit how those third parties could use the data. These actions, the FTC claimed, violated the FTC Act as well as the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, in which the company represented to users that it participated and which require companies to provide notice, choice, and accountability for the transfer of personal data to third parties. Under the terms of the decision and order, the company is required to provide notice to users about the disclosure of their health data, obtain users’ affirmative express consent to share the information, and instruct any third party that received users’ health information to destroy the data. Additionally, the company is prohibited from misrepresenting: (i) the purposes for which it (or any entity to whom it discloses personal data) collects, maintains, uses, or discloses the data; (ii) the extent to which consumers can control the use of the data; (iii) its adherence to any privacy, security, or compliance program; and (iv) the extent to which it “collects, maintains, uses, discloses, deletes, or permits or denies access to any” users’ personal information. The FTC further noted in its announcement that it is “currently undertaking a review of the Health Breach Notification Rule and is actively considering public comments regarding the application of the Rule to mobile applications and other direct-to-consumer technologies that handle consumers’ sensitive health information.”