Menendez, Watson Coleman, Sherrill Call on FTC to Crack Down on Period-Tracking Mobile Apps that Share Women’s Private Health Information Without Consent
Despite several high-profile news investigations revealing privacy violations, FTC has failed to take meaningful enforcement action to protect the personal health information of women using apps
WASHINGTON, D.C. – U.S. Senator Bob Menendez (D-N.J.) and Congresswomen Bonnie Watson Coleman (N.J.-12) and Mikie Sherrill (N.J.-11) today called on the Federal Trade Commission (FTC) to fully utilize its enforcement authority under the Health Breach Notification Rule to crack down on menstruation-tracking mobile apps that share women’s personal health information with third parties without their consent. Under the Rule, the FTC can exact financial and other penalties against companies that violate its requirements to notify consumers if their private health data is exposed.
“The Health Breach Notification Rule has been in force for more than ten years, and during that time, the tech industry has spawned dozens of popular menstruation-trackers and other mobile health apps,” the lawmakers wrote to Acting FTC Chair Rebecca Kelly Slaughter. “However, despite several high-profile cases of period-tracking apps disclosing personal health information to third parties without their users’ authorization, the FTC has never taken any enforcement actions related to the Health Breach Notification Rule.”
Several recent news investigations have revealed that the sensitive data collected by period-tracking apps are frequently disclosed to third parties without the knowledge or consent of users. For example, a 2019 Wall Street Journal investigation revealed that while the mobile app Flo was promising users it would safeguard their personal health information, it was sharing their data with Big Tech firms such as Facebook and Google.
“While the FTC recently filed a complaint against Flo that cites various privacy violations and other deceptive practices, the complaint does not address the possibility that Flo violated the Health Breach Notification Rule,” the lawmakers wrote. “Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect women…from mobile apps that exploit their personal data.”
In March of 2020, Menendez, Watson Coleman and Sherrill called on Apple, Samsung and Google’s App stores to immediately remove any app which shares users’ private health data with third parties without obtaining explicit consent before an individual begins to use it.
The full letter is here and below.
March 4, 2021
The Honorable Rebecca Kelly Slaughter
Federal Trade Commission
600 Pennsylvania Ave NW
Washington, D.C. 20580
Dear Acting Chairwoman Slaughter,
We write in support of the Federal Trade Commission (FTC) using its full existing authorities to protect personal health data. Specifically, we urge the FTC to take enforcement action against menstruation-tracking mobile apps that violate the Health Breach Notification Rule or other applicable regulations. The FTC must fulfill its mandate from Congress to protect Americans from bad actors who betray their trust and misuse their personal health data.
The Health Breach Notification Rule implements Section 13407 of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5) and addresses privacy issues related to personal health records, including many menstruation-tracking mobile apps. The rule requires personal health record vendors to promptly notify users if an entity has acquired their identifiable health information without their authorization. The vendor must also notify the FTC, and, in the event of a large breach, notify local media outlets if a threshold number of consumers are impacted in a particular geographical area. The Health Breach Notification Rule has been in force for more than ten years, and during that time, the tech industry has spawned dozens of popular menstruation-trackers and other mobile health apps. However, despite several high-profile cases of period-tracking apps disclosing personal health information to third parties without their users’ authorization, the FTC has never taken any enforcement actions related to the Health Breach Notification Rule.
For example, a 2019 Wall Street Journal investigation uncovered that the mobile app Flo was inappropriately sharing users’ personal health data. Flo is a menstruation-tracking app that purports to give its users the “most precise AI-based period and ovulation predictions.” The app repeatedly promised users that it would safeguard their personal health information and would not share their data with any third parties. Accordingly, millions of individuals inputted highly personal information, including data regarding their menstruation cycles and pregnancy status. Meanwhile, Flo was in fact sharing this data with numerous third parties, including Big Tech firms such as Facebook and Google, without ever notifying its customers. While the FTC recently filed a complaint against Flo that cites various privacy violations and other deceptive practices, the complaint does not address the possibility that Flo violated the Health Breach Notification Rule.
We believe that, when similar cases as described above arise in the future, the FTC should enforce all applicable regulations. In doing so, the FTC would send a clear message that it is no longer acceptable for mobile health apps to improperly divulge users’ data. Stronger enforcement would be especially impactful in the case of period-tracking apps, which manage data that is both deeply personal and highly valuable to advertisers. Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect women and all menstruating people from mobile apps that exploit their personal data.
Thank you for your consideration of this critical and timely issue.