
FTC Announces Proposed Settlement with Premom Fertility Tracking App over Privacy Practices


On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order) [1] with Easy Healthcare Corporation, which operates the Premom fertility tracking app (Premom). The FTC alleges Premom misrepresented its data sharing practices to consumers and failed to provide notice to users when it shared their health information without their consent. [2]

This is the second enforcement action that the FTC has brought under its broad interpretation of the Health Breach Notification Rule (HBNR), following its first HBNR enforcement action in February against GoodRx. The close proximity of these two enforcement actions, combined with the FTC’s recent Notice of Proposed Rulemaking amending the HBNR (NPRM), shows the FTC’s continued interest in regulating digital health privacy.

The Complaint

The FTC complaint (Complaint) charged Premom with eight different counts: three counts of affirmative deceptive representations, two counts of deception by omission, two counts of unfairness, and one count of violating the HBNR.

Deception

According to the Complaint, Premom made deceptive statements in its privacy policy, including statements that: 1) Premom would not share health information with third parties without users’ knowledge or consent; 2) Premom would only collect and use nonidentifiable user information; and 3) Premom would use personally identifiable information solely for its own analytics or marketing purposes. Despite those representations, the Complaint alleges, Premom did indeed share users’ identifiable information, including users’ identifiable health information, with third parties.

Unfairness

To support its unfairness counts, the FTC alleged that consumers suffered actual and increased risks of harm in three ways: 1) Premom sent sensitive user information to third parties outside the U.S. (analytics companies headquartered in China) without adequate encryption, thereby subjecting that information to potential interception or seizure by bad actors and foreign governments; 2) Premom sent users’ nonresettable device identifiers and identifiable information to third parties for marketing purposes without users’ knowledge or consent, thereby enabling third parties to track users in a way that circumvented operating system privacy controls; and 3) Premom’s disclosure of custom app events conveying sensitive health information without user consent was likely to cause users stigma, embarrassment, or emotional distress, and could also affect their ability to obtain or retain employment, housing, health insurance, disability insurance, or other services. The FTC’s Complaint did not, however, allege any specific facts to support that these harms had actually occurred or were likely to occur.

Health Breach Notification Rule

The Complaint summarily concluded that Premom is a “vendor of personal health records” under the HBNR because it collects and receives identifiable health information from multiple sources. Specifically, the Complaint stated that users were able to input health information into the Premom app and were able to import their health data from Bluetooth thermometers or third-party apps. The FTC then alleged that Premom disclosed this identifiable health information without users’ consent and that such disclosures therefore constituted a breach of unsecured health information under the HBNR.

As noted above, this is the second time that the FTC has charged an app developer (or any other type of entity, for that matter) with a violation of the HBNR, despite the lack of statutory authority (or even of a final rule) that would bring app developers under the scope of the HBNR. As we have discussed in more detail in other articles, the FTC’s broad interpretation and enforcement of the HBNR represents an unauthorized expansion of FTC authority.

The Stipulated Order

Under the proposed order, Premom would be required to, among other things:

  • permanently stop sharing health information with third parties for marketing purposes;
  • obtain users’ affirmative express consent before sharing user health information with third parties for a non-advertising purpose;
  • provide adequate notice to the media, the FTC, and each user whose unsecured individually identifiable health information was acquired by an unauthorized third party, in accordance with the HBNR;
  • require the third parties that received user health information from Premom to delete the information;
  • implement a comprehensive privacy program that protects the privacy, security, and confidentiality of users’ personal information, including their health information;
  • establish, document, and adhere to a data retention schedule that is publicly available, with details about the information Premom collects and why such collection is necessary; and
  • obtain an initial and biannual privacy assessment conducted by an independent, third-party professional who must be approved by the FTC.

Key Observations

The requirements of the stipulated order are strikingly similar to the requirements imposed under the BetterHelp and GoodRx orders, suggesting that the FTC is likely to take a similar approach to orders in any future health information privacy cases. Nevertheless, there are also some parts of the Complaint and order that are unique and provide insight into how the FTC is approaching the disclosure of consumer information more generally.

  • Classifying precise geolocation data and resettable identifiers as identifiable information. The FTC is taking an increasingly broad approach to what constitutes identifiable information. In the Complaint, the FTC argued that third parties can use device identifiers combined with location signals to identify specific individuals and that this information reveals sensitive information about consumers.
  • Expressing concerns about transferring data outside the U.S. In the Complaint, the FTC emphasized that Premom was transferring information to companies with servers outside the United States (in this case, Chinese analytics companies) and argued that the inadequate security measures used by these companies exposed the information to potential acquisition by foreign governments or other bad actors. We have not seen this type of allegation in previous FTC cases.
  • Continuing to incorporate data security requirements into health privacy cases. As discussed in our client alert on the BetterHelp settlement, the FTC’s recent health privacy cases have established a broader definition of “breach” and are imposing reporting requirements on digital health companies regardless of whether a traditional security breach has occurred. Instead, the FTC is interpreting the HBNR to claim that a breach has occurred whenever health information is disclosed without user consent.
  • Imposing restrictions beyond consumer consent. By imposing a blanket ban on the disclosure of health information to third parties for marketing purposes, the FTC is reinforcing the idea that consumer consent may no longer be a sufficient basis on which companies can justify the collection and use of sensitive information in certain circumstances.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Maneesha Mithal, Tracy Shapiro, Haley Bavasi, Eddie Holman, Hale Melnick, and Laura Ahmed, or any member of the firm’s privacy and cybersecurity practice.


[1] The FTC commissioners all voted to refer the Complaint and stipulated final order to the U.S. Department of Justice for filing. The final order must be approved by the federal court to go into effect.

[2] Premom also agreed to a settlement with the attorneys general for Washington, D.C., Connecticut, and Oregon based on related conduct. Premom will be required to pay another $100,000 under that settlement, which includes injunctive provisions similar to those included in the FTC’s proposed order.
