Flo Health, the developer of a period- and fertility-tracking app, recently settled federal charges alleging that it had misled users about the way it uses their data.
However, the FTC (Federal Trade Commission) found that Flo shared millions of users’ data with several third parties, including Facebook and Google.
Two mobile analytics services, AppsFlyer and Flurry, also received user data from Flo.
An investigation discovered that there were no limits on what these third parties could do with the information, meaning they were free to use it for advertising purposes.
What did Flo do wrong?
Although this seems like a clear-cut case of an organization breaching data privacy laws, the reality is more complicated. Following the settlement, Flo released a statement:
Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.
Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission.
This may be true, but the FTC’s complaint stems not from the fact that Flo shared data but in its lack of transparency over those practices.
In the U.S., there are few limits on what organizations can do with personal data provided that they have collected it legitimately and don’t mislead customers over the way it will be used.
Even if you’re in favor of such loose regulatory requirements, it’s hard not to argue that the rules put individuals in a difficult position.
Privacy policies are often written in vague terms, making it hard for people to understand exactly what their data will be used for. Individuals must therefore agree to the terms and hope for the best or not use the website or app.
Flo can continue to share personal data
Despite the settlement, Flo will still be allowed to share users’ personal data with third parties. It just now requires people to provide their consent.
This is far from ideal, because many people give their consent without understanding what they’re consenting to – either as a result of not reading the lengthy terms thoroughly or because those terms aren’t written in clear and plain language.
It was these problems that led to EU lawmakers urging organizations to avoid relying on consent under the GDPR (General Data Protection Regulation).
The Regulation says consent should only be used if none of the other five lawful bases for processing applies. This includes information collected to fulfill contractual obligations or to carry out tasks in the public interest.
Measures like this are increasingly necessary, as organizations collect ever greater amounts of personal data and use it in diverse ways.
We are seeing stricter data protection and data privacy requirements in the U.S., such as the CCPA (California Consumer Privacy Act), which came into effect in 2020.
Its requirements state that large organizations must show people what personal data they have collected on them and who they have shared it with.
Individuals can also instruct organizations to delete their personal data and not to sell that information.
This is a step up for data privacy laws in the U.S. – and will be expanded in 2023 with the CPRA (California Privacy Rights Act).
Although both laws only apply to California residents, they will surely pave the way for similar regulation across the country, as data privacy and data protection become unavoidable issues.
You can find out more by reading The California Consumer Privacy Act (CCPA): An implementation guide.
This ideal resource for understanding the CCPA demonstrates how you can implement a strategy to ensure your organization complies with the legislation.
It gives you a comprehensive understanding of the Act, providing definitions of key terms and explanations of the security requirements.
It also explains the the breach notification procedure, and includes information about the penalties for non-compliance.