The FTC has accused Easy Healthcare Corporation, makers of the Premom ovulation tracker app, of breaking both its privacy promises and the Health Breach Notification Rule by sharing users’ sensitive health data with third parties, including Google, AppsFlyer, and two firms based in China. The alleged violations raise serious concerns about the handling of consumers’ sensitive information, and continue the FTC’s trend of aggressive action to protect consumer health data, coming on the heels of its actions against the prescription app GoodRx and the mental health company BetterHelp.
According to the FTC’s complaint, Premom, a fertility tracking and ovulation app, allows users to input highly sensitive information, such as information regarding menstrual cycles, reproductive health conditions, fertility, pregnancy, and information from other health-related apps such as Apple Health. The app also collects users’ precise geolocation information, as well as social media and device data. Between approximately 2018 and 2020, Premom allegedly collected this sensitive data from hundreds of thousands of users.
Moreover, the FTC alleges that Premom integrated SDKs from Umeng, a Chinese mobile app analytics provider owned by Alibaba, and Jiguang, another Chinese mobile developer and analytics provider. Through these integrations, the Premom app allegedly shared additional sensitive data, including users’ social media account information and precise geolocation. This went against the company’s claims from 2017 to 2020 that it collected “nonidentifiable information” for tracking analytics.
The FTC’s proposed settlement includes a $100,000 civil penalty (as well as another $100,000 to be split between Connecticut, Oregon, and the District of Columbia, which assisted the FTC’s investigation), a ban on Premom’s sharing of users’ personal health data with third parties for advertising purposes, a requirement that the company obtain express consent if it wants to share health data for any other purpose, the deletion of data shared with third parties, notice to affected users of the FTC’s allegations, and the implementation of a comprehensive privacy and data security program. The penalty is notable because it is for violations of the Health Breach Notification Rule, which the FTC also enforced in the GoodRx case. It may be a harbinger of federal authorities’ aggressive use of the Health Breach Notification Rule to hold companies accountable for the sale and sharing of any health-related data.
In its response to the complaint, Premom denied any wrongdoing, but agreed to the settlement in order to avoid protracted litigation. The company assured its users that it does not and will not sell any information about users’ health to third parties or share it for advertising purposes.
This case serves as a warning to companies that deal with sensitive consumer data, particularly health data, which have been key to the FTC’s privacy enforcement efforts of late. As before, several takeaways from this case include:
- Consider all data related to health or wellness to be “sensitive”. While Premom didn’t handle Protected Health Information (PHI) under HIPAA, the FTC has made clear that any information concerning consumer health, even if it isn’t diagnoses, treatments, or medications, should be considered sensitive, and should only be sold or shared with users’ consent.
If you have questions, please contact Bram Schumer at (310) 579-9658 or email@example.com, Daniel M. Goldberg at (310) 579-9616 or firstname.lastname@example.org, Rick Borden at (212) 705-4884 or email@example.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.