Business Blog
FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more personal than that?
Intimate facts about ovulation, fertility, and other sexual and reproductive health issues are about as personal as personal information can get. The FTC alleges that Easy Healthcare Corporation – the company behind the Premom Ovulation Tracker app – broke its privacy promises by disclosing users’ sensitive health data to Google and AppsFlyer and by sharing other personal information with two firms in China. The complaint, which alleges that Easy Healthcare violated the FTC Act and the Health Breach Notification Rule, is the latest action against a company for recklessly handling consumers’ sensitive information.
Defendant Easy Healthcare developed and distributed the Premom app, which allowed users to upload information about their menstrual cycles, reproductive health conditions, and other fertility-related data. The company also sold ovulation test strips that users could photograph and upload in an effort to predict when they would ovulate. Based on the company’s description that it was “the only fertility tracker and ovulation app that offers a pregnancy guarantee to help women who are trying to conceive (TTC) make their baby dreams come true,” hundreds of thousands of users downloaded the Premom app.
The defendant also encouraged users to connect Premom to third-party apps or products so Premom could import even more health information. As a result, Premom collected extensive sensitive data from consumers – for example, dates of their menstrual cycles, hormone test results, and even when their pregnancies started and ended.
According to the complaint, the defendant made multiple privacy assurances to consumers. For example, in a July 7, 2020, privacy policy, the defendant pledged:
WE PROMISE WE WILL NEVER SHARE YOUR EXACT AGE OR ANY DATA RELATED TO YOUR HEALTH WITH ANY THIRD PARTIES WITHOUT YOUR CONSENT OR KNOWLEDGE.
(Just to be clear, the all-caps format was Easy Healthcare’s choice, not ours.) A 2021 privacy policy said this: “Premom uses AppsFlyer, a mobile marketing platform based in the United States, to handle non-health Personal Data” and that “third party services do not have access to your health information through the Services unless you share that information directly with them.” Would people share all that highly sensitive information if they knew defendant’s privacy assurances were false? We don’t think so.
So that’s what the defendant promised, but the FTC says Easy Healthcare violated its own privacy representations. According to the lawsuit, the company built into the Premom app software development kits – SDKs – from third-party marketing and analytics firms without considering the stark discrepancy between the privacy promises the defendant made to users and how the SDKs in the app were operating behind the scenes to share users’ personal information. You’ll want to read the complaint for details, but the FTC says the company broke its promises by using SDKs in a way that shared that sensitive data with third parties.
Think of it from the consumer’s perspective. This was information so personal that some people may not have shared it with those closest to them – and yet the defendant turns around and hands it to Google and AppsFlyer? Really?
The FTC says the defendant’s betrayal of its privacy pledges didn’t end there. According to the complaint, Easy Healthcare also integrated SDKs from Umeng, a Chinese mobile app analytics provider owned by Alibaba, and Jiguang, a Chinese mobile developer and analytics provider. Through their SDKs, the Premom app turned over other sensitive data to those companies – for example, users’ social media account information and their precise geolocation. According to the complaint, Easy Healthcare did that despite telling consumers between 2017 and 2020 that it collected “nonidentifiable information for purposes of tracking analytics of the usage of [its] application.” Through Easy Healthcare’s use of third-party services, the FTC says that data can be traced back to a real person – rendering the defendant’s “nonidentifiable information” claim flat-out false.
The proposed settlement imposes an outright ban on the defendant’s sharing of users’ personal health data with third parties for advertising purposes. If the company wants to share health data for any other purpose, it must get users’ express consent. In addition to a $100,000 civil penalty for violating the Health Breach Notification Rule, the order requires – among other things – that the defendant seek the deletion of data it shared with third parties, contact users directly to tell them about the FTC’s allegations, and implement a comprehensive privacy and data security program subject to independent compliance assessment. As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective state laws.
The proposed settlement sends some strong signals to anyone in the information ecosystem.
The FTC couldn’t be more serious about protecting consumers’ privacy. Have you noticed an enforcement uptick against companies that violate consumers’ privacy through unfair or deceptive conduct? Good. That’s a message the FTC intends to send to app developers, the advertising technology industry, and anyone that attempts to exploit consumers’ privacy for profit.
Undertake a Health Breach Notification Rule refresher. This is the FTC’s second case in just a few months alleging a violation of the Health Breach Notification Rule. The Rule requires covered companies to notify users, the FTC, and in some cases the media, whenever there is the unauthorized acquisition of unsecured individually identifiable health information. Read Complying with FTC’s Health Breach Notification Rule to see how your company’s practices measure up.
Set the standard for non-resettable device identifiers. This is the FTC’s first case specifically alleging that non-resettable device identifiers (like International Mobile Equipment Identity numbers) are identifiable information, and therefore highly sensitive in nature. Premom’s collection and sharing of these and other mobile device identifiers allowed third parties to circumvent operating systems’ privacy controls, track individuals, infer the identity of individual users, and ultimately associate that user with a fertility app.
Consider the implications of lax data security. The complaint lists a number of ways in which Easy Healthcare didn’t employ reasonable privacy and data security measures, including its failure to assess the risks of third-party SDKs it incorporated into Premom. One particular concern in this case: that consumers are injured when their sensitive information is sent together with a decryption key to third parties, subjecting the data to potential interception.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
Thank you, DPIP, for bringing this great case!
DISGUSTING both THEM & YOUR RESPONSE!!!
You saying that fining Premom $100,000 and asking them to try and retrieve user's personal information is absurd. If you think that shows any level of punishment that will get the attention of this or any other company, then you, FTC, are at best naive. This and other companies didn't just share this information, they SOLD this info, so your pittance of a fine means nothing to this nor any company contemplating this behavior. YOU have done nothing here to protect users of any health related app. YOU merely picked up a little pocket change, or in mafia terms, protection money from the companies whom YOU FTC are supposed to protect WE THE CONSUMERS! Pick one with deep pockets, make an example of them by imposing significant monies be paid to the consumers to the point of companies truly felt financial loss & only then have you accomplished anything. Stop patting yourselves on the back whilst collecting YOUR check and hanging consumers out to dry. DISGUSTING both THEM & YOUR RESPONSE!!!
In reply to DISGUSTING both THEM & YOUR… by Frankie Reed
The Civil Penalty is paid to the United States Treasury.
In reply to DISGUSTING both THEM & YOUR… by Frankie Reed
Agreed! I as a consumer who had been affected by this breech feel concerned for my info just floating around out there and them “demanding the info not be shared” at this point is useless. The damage has already been done.
They’re going to demand the info shared be erased? Is that a joke? I thought it was a joke in the email I received from Premom but now I see this is something the FTC is proud to announce. Even if the companies complied, which is completely unlikely, t’s too late, info has been shared and used! Do better.
How absurd. At this point, the damage has already been done. Even if the third parties "erase" the data (which I highly doubt they will), who knows where else the information has already wound up. There's no taking it back, and now the innocent consumers have already had our trust violated. We're the ones who suffer from this betrayal, yet the Department of Treasury gets to reap the benefit of fines. That money (plus a lot more where that came from) should go to the consumer for stress and damages. It's OUR personal information that was wrongfully shared. And what do we get for it? An apology and another promise that it won't happen again? Ridiculous.
Settlement? Where? And to WHOM?
I was one of the app users affected by this breach of HIGHLY personal health data and information. This is no apology. I also recommended app to lots of other women in my position.
In reply to Settlement? Where? And to… by CC
Agreed!! I advocated for many woman TTC who had the same issues. While the app was extremely helpful in tracking, it's sad that all of our information was breached an no one made us aware of it or got a penny for any of it. I was wondering why the app changed recently and it all makes sense. Won't be spending any more money on the app. And shame on the settlement where thw government gets to pocket money once again off the backs of other people. Sickness.
I was also a user! The users should get compensated!!!!! My data was compromised without my consent!