A new order passed down by the Federal Trade Commission (FTC) will bar ovulation tracking app Premom from sharing health data for advertising purposes.
According to the FTC, the company disclosed personal health information (PHI) to third parties while deceiving users about its data-sharing practices and violating the Health Breach Notification Rule (HBNR). Sensitive personal information was reportedly shared with two China-based firms, while sensitive health data was passed to AppsFlyer and Google.
“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
The ruling follows similar actions taken against other companies, including a settlement with online therapy company BetterHelp, which is owned by Teladoc, and telehealth and prescription drug discount provider GoodRx. The FTC claimed that GoodRx violated the Health Breach Notification Rule by failing to make users aware of the unauthorized disclosures of personally identifiable health information to Facebook, Google and other third-party advertisers.
If the proposed order is approved by a federal court, Easy Healthcare Corporation, Premom’s developer, would be barred from sharing users’ PHI with third parties for advertising purposes, required to obtain users’ consent before sharing health data for any other purpose and required to tell consumers how their personal data will be used.
Premom is a free app that is used to track ovulation and periods and that also sells ovulation test kits. Users can also import data from other apps including Apple Health and are prompted to include reproductive information so as to better inform menstruation-related insights.
Both the proposed order and an additional complaint were filed by the Department of Justice on behalf of the FTC. The complaint states that Easy Healthcare “repeatedly and deceptively” promised users that it would not share PHI or identifiable information with third parties. The company failed to inform users that an automated tracking tool was sharing information for advertising purposes.
The tracking tool, part of a group of tools known as software development kits, collected highly personal information including users’ sexual and reproductive health and parental and pregnancy information. In a press release shared on the Premom website, Easy Healthcare did not admit to any wrongdoing but stated that the company had reached a settlement with the FTC “to avoid the time and expense of litigation.”
“Rest assured that we do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes,” the company wrote in a statement. “At Easy Healthcare, we adhere to the promises we make to our users. Protecting users’ data is a high priority, which is why we have always been transparent with and cooperated fully throughout the FTC’s review of our privacy program. We remain committed to these principles.”
Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR, which requires that vendors notify users and the FTC when an unauthorized acquisition of individually identifiable health information has taken place.
On top of the settlement, the Illinois-based company will be permanently prohibited from sharing users’ PHI with third parties for advertising purposes, required to obtain consent before sharing such information and required to seek the deletion of the data shared.
A consumer notice must also be posted to explain the FTC’s allegations and a comprehensive security and privacy program must be put into place.
In February, GoodRx received a $1.5 million penalty from the FTC in a first-of-its-kind enforcement of the HBNR. In March, BetterHelp agreed to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data to third parties for advertising after promising to keep such data private.
The moves signal that the FTC is stepping up its focus on protecting consumer privacy and should serve as a warning to other digital health companies using consumer tracking tools like software development kits and pixel technology.