The FTC recently gave us a sequel settlement to the Flo Health settlement (which itself ripped off the plotline of California’s Glow settlement, but I digress). This new settlement is against the makers of the PreMom app. The setup is familiar: a maker of a period and ovulation tracker app is accused of disclosing sensitive health data to marketing vendors via tracking technology (in this case, AppsFlyer and Google, while also running SDKs from Chinese analytics providers Jiguang and Umeng), failing to notify consumers of these disclosures, and making misleading statements about its privacy practices. According to the FTC, some of the data was particularly sensitive – precise geolocation, mobile device identifiers, social media account information, and Wi-Fi network identifiers.
Not wanting to bore us, however, the FTC introduced a twist in this sequel by invoking the Health Breach Notification Rule (aka HBNR, aka the rule that makes failure to disclose privacy practices a “breach”) for the second time. The Rule allowed the FTC to impose penalties and require the company to post a notice to consumers.
As part of the settlement, the app maker will be required to pay $100,000 to the FTC and another $100,000 to the states assisting with the matter. More importantly, the company will be subject to limitations on the use and disclosure of data (including a permanent prohibition on the sharing of data for advertising, and a requirement for user consent prior to sharing data with third parties), and it must implement privacy and security programs and post a consumer notice explaining the allegations and settlement.
Implications:
If you’re working with sensitive data, get affirmative consent for disclosure.
Don’t overstate your privacy practices.
Do disclose all uses and disclosures of data, with a focus on marketing.
Here are the links: