For privacy-minded folks whose new year’s resolutions include a wellness commitment, read the fine print before donning a wearable or downloading an app to help you track health or wellness issues. Last week, in its second information privacy and data security enforcement action of 2021, the Federal Trade Commission (FTC) announced its settlement with a popular women’s health tracking app developer who misled the public about the disclosures it was making of its users’ health data. As it has in the past, the FTC arrived at its resolution of this case by comparing the privacy promises the app developer had made to users with how it actually conducted its business. The FTC found that the app developer, Flo Health, Inc. (“FHI”), promised to keep its users’ data private but, even after receiving adverse media coverage for disclosing sensitive health data, stayed on a perilous course of oversharing. The FTC’s first 2021 information privacy and data security enforcement action, noted below, was against Everalbum, Inc. d/b/a “Ever” and “Paravision” for intentionally making unauthorized and unconsented uses and disclosures of consumers’ biometric information captured through a mobile app.
In its Consent Order, FHI has agreed to instruct any third parties with whom it improperly shared users’ data to delete and destroy any such information. In addition, it must take steps to inform all members of its workforce, its advisors and its vendors to, among other things, take steps to assure that none misrepresent in “any manner, expressly or by implication” the ways in which users may control FHI’s use and disclosure of their own information, including deletion of that information. Interestingly, this Consent Order (and the Everalbum consent order) emphasizes two important fair information privacy principles: first, exactly what a “clear and conspicuous” disclosure to consumers regarding a company’s privacy policies is; and, second, the importance of obtaining consumers’ “affirmative express consent.” As we experience an Administration change, it will be interesting to see if the features of these early 2021 information privacy and security enforcement actions signal a direction the FTC plans to take this year in pursuit of its commitment to assure that businesses using apps, websites, and other technology resources to interact with the public are keeping the privacy promises they make and are not misusing the “tsunami” of consumers’ information they collect from unsuspecting app users.
In last week’s press release, the FTC’s Director of its Bureau of Consumer Protection, Andrew Smith, explained that “apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps.” Director Smith promised that the FTC is looking closely “at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.” For nearly two decades the FTC has been very effective at flexing its enforcement powers to challenge the privacy promises businesses make to the public but fail to keep. Since its original 2002 privacy and data security enforcement action brought against Eli Lilly & Co under the leadership of then Director J. Howard Beales, III, the FTC’s commitment to be a watchdog on privacy and data security issues on behalf of the public has remained unwavering. In that case, the FTC challenged Eli Lilly when it was responsible for the unauthorized disclosure of consumers’ sensitive information collected through its Prozac.com website, despite its public promises to consumers that it had implemented a host of measures to protect the confidentiality of the information “guests” shared with Eli Lilly via the website.
The FHI consent order requires FHI and Everalbum to obtain an independent third-party consultant review of their privacy practices against the EU-U.S. Privacy Shield Framework Principles and defeats any basis FHI may have for withholding documentation on “the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.” FHI must also cooperate with the privacy consultant’s findings, must designate one or more persons to certify its compliance with the Consent Order, must submit any “covered incident” reports within thirty (30) days of discovering incidents that are the same as or similar to the complaints that led to this enforcement action, and is subject to supervision and governance for five years from the date of the Consent Order.
The FHI case is not the FTC’s first privacy enforcement action of the year. A few days earlier, the FTC announced it had reached a settlement with Everalbum, Inc. for failing to obtain consumers’ express consent before using facial recognition technology on the photos and videos consumers were uploading to its “Ever” app. Among the features of the FTC’s settlement is a mandate that Everalbum delete all algorithms and models it developed through the use of unsuspecting users’ photos and videos. Unlike the FHI Consent Order’s five-year reach, the Everalbum Consent Order appears to include compliance monitoring over a ten-year span, but the Order itself will not terminate for twenty (20) years from the date it is issued.
Although the FTC voted unanimously to support the resolution of the Everalbum enforcement action, Commissioner Rohit Chopra — who is now President-elect Biden’s pick for the post of Director at the Consumer Financial Protection Bureau — filed a compelling additional statement. Commissioner Chopra notes the importance of the FTC’s order that Everalbum delete its algorithms and models, which he characterizes as the “fruits of its deception.” He signals this as “an important course correction.” While he is disappointed that the FTC did not fine Everalbum for its deception, he explains that “with the tsunami of data being collected on individuals, we need all hands on deck to keep these companies in check. … while special interests are actively lobbying for federal legislation to delete state data protection laws, it will be important for Congress to resist these efforts. Broad federal preemption would severely undercut this multi-front approach and leave more consumers less protected.”