In a first, the Federal Trade Commission is requiring a company prosecuted for privacy violations to notify consumers that it shared information about them with outside companies.
That mandate is part of the FTC's proposed settlement with fertility app Flo Health. The app allegedly broke its privacy promises by sharing pseudonymized data about consumers -- including their pregnancies -- with Facebook, Google and other analytics companies. While the data wasn't explicitly tied to users' names or addresses, it was connected to an “ad identifier.”
A report about Flo's data practices appeared nearly two years ago in The Wall Street Journal. The following day, Flo ceased sharing the information, according to the FTC.
Still, news of the prior practice obviously left consumers unsettled. After the Journal article appeared, “hundreds of users wrote to [Flo], stating that they were 'outraged,' 'incredibly upset,' 'disturbed,' 'appalled,' and 'very angry,'” the FTC alleged in a complaint unveiled this week.
In addition to notifying customers about the prior data sharing, Flo agreed to secure consumers' permission before sharing their health information, and to obtain an independent review of its privacy practices.
Flo didn't admit wrongdoing as part of the deal. The company says on its website that it settled in order “to avoid the time and expense of litigation and ... to decisively put this matter behind us.”
The agency's two Democrats, Rohit Chopra and Rebecca Kelly Slaughter, said they would have also charged Flo with violating the Health Breach Notification Rule, which requires vendors of health information to notify the FTC about unauthorized disclosures.
But Chopra and Slaughter cheered the portion of the settlement that requires Flo to notify consumers about its prosecution.
“Notice confers a number of benefits in cases like this one,” they stated. “Consumers deserve to know when a company made false privacy promises, so they can modify their usage or switch services. Notice also informs how consumers review a service, and whether they will recommend it to others. Finally, notice accords consumers the dignity of knowing what happened.”
The pair added that the FTC “should presumptively seek notice provisions in privacy and data security matters, especially in matters that do not include redress for victims.”
Republican Noah Joshua Phillips disagreed that the agency should always require alleged privacy violators to tell consumers about FTC prosecutions.
“How consumer notice substitutes for redress, an equitable mechanism to return to consumers what they have lost, is not clear,” he stated. “Contacting consumers when there is no remedial action that they can take runs the risk of undermining consumer trust and needlessly overwhelming consumers.”