The FTC has accused Easy Healthcare Corporation, maker of the Premom ovulation tracker app, of breaking both its privacy promises and the Health Breach Notification Rule by sharing users’ sensitive health data with third parties, including Google, AppsFlyer, and two firms based in China. The alleged violations raise serious concerns about the handling of consumers’ sensitive information, and the action continues the FTC’s trend of aggressive enforcement to protect consumer health data, coming on the heels of its actions against the prescription app GoodRx and the mental health company BetterHelp.

According to the FTC’s complaint, Premom, a fertility tracking and ovulation app, allows users to input highly sensitive information, such as information regarding menstrual cycles, reproductive health conditions, fertility, pregnancy, and information from other health-related apps such as Apple Health. The app also collects users’ precise geolocation information, as well as social media and device data. Between approximately 2018 and 2020, Premom allegedly collected this sensitive data from hundreds of thousands of users.

While the collection of such information by a fertility app was not necessarily problematic on its own, according to the FTC’s complaint, Premom’s privacy policy misrepresented how it shared the data. The privacy policy pledged (in all caps): “WE PROMISE WE WILL NEVER SHARE YOUR EXACT AGE OR ANY DATA RELATED TO YOUR HEALTH WITH ANY THIRD PARTIES WITHOUT YOUR CONSENT OR KNOWLEDGE.” In addition, the policy stated that “Premom uses AppsFlyer, a mobile marketing platform based in the United States, to handle non-health Personal Data” and that “third party services do not have access to your health information through the Services unless you share that information directly with them” (emphasis added). Per the FTC, despite these promises, Premom integrated software development kits (SDKs) from third-party marketing and analytics firms, which operated behind the scenes to share users’ personal information.

Moreover, the FTC alleges that Premom integrated SDKs from Umeng, a Chinese mobile app analytics provider owned by Alibaba, and Jiguang, another Chinese mobile developer and analytics provider. Through these integrations, the Premom app allegedly shared additional sensitive data, including users’ social media account information and precise geolocation. This contradicted the company’s claims, made from 2017 to 2020, that it collected only “nonidentifiable information” for tracking analytics.

The FTC’s proposed settlement includes a $100,000 civil penalty (as well as another $100,000 to be split between Connecticut, Oregon, and the District of Columbia, which assisted the FTC’s investigation), a ban on Premom’s sharing of users’ personal health data with third parties for advertising purposes, a requirement that the company obtain express consent if it wants to share health data for any other purpose, the deletion of data shared with third parties, notice to affected users of the FTC’s allegations, and the implementation of a comprehensive privacy and data security program. The penalty is notable because it is for violations of the Health Breach Notification Rule, which the FTC also enforced in the GoodRx case. It may be a harbinger of federal authorities’ aggressive use of the Health Breach Notification Rule to hold companies accountable for the sale and sharing of any health-related data.

In its response to the complaint, Premom denied any wrongdoing, but agreed to the settlement in order to avoid protracted litigation. The company assured its users that it does not and will not sell any information about users’ health to third parties or share it for advertising purposes.

Takeaways

This case serves as a warning to companies that deal with sensitive consumer data, particularly health data, which has been central to the FTC’s recent privacy enforcement efforts. As with the earlier cases, several takeaways from this case include:

  • Consider all data related to health or wellness to be “sensitive”. While Premom did not handle Protected Health Information (PHI) under HIPAA, the FTC has made clear that any information concerning consumer health, even if it does not consist of diagnoses, treatments, or medications, should be considered sensitive and should only be sold or shared with users’ consent.
  • Never say “never”. As in the GoodRx and BetterHelp cases, Premom made sweeping statements in its privacy policy that it “never” disclosed users’ health information, which turned out to be false. Companies should review their privacy policies to ensure that they accurately and comprehensively describe their data handling practices, without making promises they do not keep.
  • Carefully review your data handling practices, particularly if your company is in the health or wellness space in any way. Consumer health data is a top concern for regulators at both the state and federal levels. The FTC, for its part, has signaled an aggressive stance towards entities that handle any health or health-related information, essentially imposing a requirement that users affirmatively give consent before companies sell or share such data. In addition, any misrepresentations in a company’s privacy policy regarding such data will be closely scrutinized. Meanwhile, Washington State recently enacted the My Health My Data Act, which requires that any entity doing business in or directed at Washington obtain consent prior to collecting any “consumer health information” (a very broadly defined term) and also collect separate written authorizations prior to selling or sharing any such data, a requirement which experts believe cannot be reasonably scaled and thus spells the end of targeted advertising using any health-related data. The My Health My Data Act also grants a private right of action, meaning that Washington entities that do not carefully comply are almost certain to be sued.

If you have questions, please contact Bram Schumer at (310) 579-9658 or bschumer@fkks.com, Daniel M. Goldberg at (310) 579-9616 or dgoldberg@fkks.com, Rick Borden at (212) 705-4884 or rborden@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.