The Federal Trade Commission charged that the developer of the fertility app Premom deceived users by sharing their sensitive personal information with third parties, including two China-based firms, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule (HBNR).
“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
This is the FTC’s second enforcement action involving the Health Breach Notification Rule following a settlement announced in February with telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC charged that GoodRx violated the rule by failing to notify users’about the company’s unauthorized disclosure of their personally identifiable health information to Facebook, Google and others.
As part of a proposed order filed by the Department of Justice on behalf of the FTC, Illinois-based Easy Healthcare Corporation, which operates the Premom app, would be barred from sharing users’ personal health data with third parties for advertising, required to obtain users’ consent before sharing health data for any other purpose, and must tell consumers how their personal data will be used. The proposed order must be approved by the federal court to go into effect.
The Premom app, which is free to download and used by hundreds of thousands of people, helps users track ovulation, periods, and other health information, and also sells ovulation test kits. The app encourages users to provide information about their menstrual cycles, fertility, and pregnancy as well as to import their data from other apps such as Apple Health.
In a complaint also filed by the Department of Justice, the FTC says that Easy Healthcare repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising. Easy Healthcare failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs) and shared health information for advertising purposes without obtaining consumers’ affirmative express consent, according to the FTC.
Premom failed to fully disclose its data sharing practices, and also violated direct promises to users, the FTC says. The data it shared with third parties revealed highly sensitive and private details about Premom’s users and led to the unauthorized disclosure of facts about an individual user’s sexual and reproductive health, parental and pregnancy status, as well as other information about physical health conditions and status.
The FTC says Premom deceived users by disclosing such sensitive and identifiable health information to marketing firm AppsFlyer and Google through the integration of each company’s SDK. An SDK tracks a user’s interactions with an app and other identifiable information and shares that data with third parties.
Premom’s failure to notify users about the company’s unauthorized disclosure of their unsecured individually identifiable health information to third parties violated the FTC’s Health Breach Notification Rule, according to the complaint. The rule requires a vendor of personal health records to notify users, the FTC, and in some cases the media, when there has been an unauthorized acquisition of unsecured individually identifiable health information.
The FTC also says Premom integrated SDKs from other third parties into the Premom app including from app analytics provider Umeng and analytics provider Jiguang and shared sensitive user data. This included Premom users’ social media account information and precise geolocation information, as well as data about their mobile devices and Wi-Fi network identifiers, which cannot be changed without buying a new device. These non-resettable identifiers can be used to identify individuals, according to the complaint.
In addition to sharing data without user consent, Premom failed to encrypt adequately the data it shared with third parties, including those in China, subjecting this data to potential interception or seizure, and did not limit how third parties could use the data, according to the complaint.
As part of the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the Health Breach Notification Rule and will also be:
- Permanently prohibited from sharing user personal health data with third parties for advertising;
- Required to obtain user consent before sharing personal health data with third parties for other purposes;
- Required to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
- Prohibited from making future misrepresentations about Easy Healthcare’s privacy practices and required to comply with the HBNR notification requirements for any future breach of security;
- Required to seek deletion of data it shared with third parties;
- Required to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
- Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.
As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia and Oregon, which worked with the FTC on this matter, for violating their respective laws.
The Commission voted 3-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of Illinois.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.
The lead staff attorneys on this matter were David Walko and Ronnie Solomon of the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.