Flo is a woman health app that boasts over 150 million users. The app is designed to help woman track their reproductive cycle by tracking menstruation, cycle prediction, and preparation for conception.
Flo constantly told woman that their data was private however a 2019 report by the Wall Street Journal discovered that the app was sharing personal in-app data activity with Facebook. Some of the data sold to Facebook included when a user was having their period or if the user was hoping to get pregnant.
Flo never established a policy or path for users to opt out of their data being sent to third parties.
What is more of a joke is the punishment the company received from the FTC. After making at a minimum thousands of dollars off their users (company is valued from $200 million-$500 million) there is no cash settlement for users. The FTC terms are that Flo is “prohibited from misrepresenting the purposes for which it (or entities to whom it discloses data) collect, maintain, use or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security or compliance program; and how it collects, maintains, uses, discloses, deletes or protects users’ personal information.”
Flo refused to admit they did anything wrong and said the, “settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.”
“Apps that collect, use and share sensitive health information can provide valuable services but consumers need to be able to trust these apps. We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, in a statement.
Two commissioners on the Consumer Protection board thought that Flo’s punishment didn’t go far enough and believed the company violated the Health Breach Notification Rule (HIPAA).
In a dissent, Rohit Chopra and Rebecca Kelly Slaughter wrote, “In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule. Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google and others without their authorization. Flo did not do so, making the company liable under the rule.”
There you have it, a company violated woman’s privacy, sold them out, they and others profited off it, and the user got nothing.
Maybe these big tech companies would be more careful with our data if they you know…actually got punished.