Federal Register - January 28, 2021
Source: Federal Register
7384 Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices
extent to which consumers may exercise control over Flo Health's access, collection, maintenance, use, disclosure, or deletion of Covered Information; (3) the extent to which Flo Health complies with any privacy, security, or compliance program, including the Privacy Shield; and (4) the extent to which Flo Health collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information, or the extent to which Flo Health protects the availability, confidentiality, or integrity of Covered Information.
Part II of the Proposed Order requires Flo Health to ask any Third Party (i.e., any party other than Flo Health, its service providers, or subcontractors) that has received Health Information about Covered App Users to destroy such information. Part III of the Proposed Order requires that Flo provide notice to users and the public that it shared certain information about users' periods and pregnancies with the data analytics divisions (but not the social media divisions) of a number of third parties, including Facebook, Flurry, Fabric, and Google. Part IV of the Proposed Order requires that, before disclosing any consumer's health information to a third party, Flo Health must provide notice and obtain express affirmative consent, including informing the user of the categories of information to be disclosed, the identities of the third parties, and how the information will be used.
Part V of the Proposed Order requires an outside Compliance Review, conducted within 180 days after entry of the Proposed Order, to verify any attestations and assertions Flo Health made pursuant to the EU-U.S. Privacy Shield or the U.S.-Swiss Privacy Shield framework. Part VI of the Proposed Order requires Flo Health to cooperate with the Compliance Reviewer, and Part VII requires that a senior manager of Flo Health certify Flo Health's compliance with the Proposed Order.
Part VIII of the Proposed Order requires notification of the Commission following any Covered Incident, which includes any incident in which Flo Health disclosed individually identifiable Health Information from or about a consumer to a third party without first receiving the consumer's affirmative express consent.
Parts IX through XII of the Proposed Order are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Flo Health to provide information or documents necessary for the Commission to monitor compliance with the Proposed Order. Part XIII states that the Proposed Order will remain in effect for twenty (20) years, with certain exceptions.
The purpose of this analysis is to aid public comment on the Proposed Order.
It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order's terms.
By direction of the Commission, Commissioners Chopra and Slaughter concurring in part and dissenting in part.
Joel Christie, Acting Secretary.
Statement of Commissioner Noah Joshua Phillips
Despite representing that it would not share its users' health details with anyone, Flo Health, Inc. ("Flo") allegedly did so. As charged in the complaint, Flo coded app events, a mechanism by which app developers use third-party analytics to track how users use their apps, with words like "Pregnancy", and then shared them with analytics divisions of third parties including Facebook and Google.1 I support this complaint and consent, which sends an important message about the care app developers must take to level with users about how they share user data.
I write to respond to the vision my colleagues articulate about when the Commission should use consumer notice in our data security and privacy enforcement program.
The order we place on the public record for comment requires Flo to seek deletion of data it improperly shared with third parties; obtain users' affirmative express consent before sharing their health information with third parties; report to the Commission future unauthorized disclosures; obtain an outside assessment of its privacy practices; and provide the following notice to consumers:
Between June 1, 2016 and February 23, 2019, the company that makes the Flo Period & Ovulation Tracker app sent an identifying number related to you and information about your period and pregnancy to companies that help us measure and analyze trends, usage, and activities on the app, including the analytics divisions of Facebook, Flurry, Fabric, and Google. No information was shared with the social media divisions of these companies. We did not share your name, address, or birthday with anyone at any time.2
1 The Complaint does not challenge the use of third-party analytics services, upon which developers routinely rely. Because Flo Health coded events with names like "R_Pregnancy_Week_Chosen", rather than something generic like "Event 1", the events conveyed health information. The Wall Street Journal reported this conveyance on February 22, 2019, and the next day Flo Health ceased its conduct.
In championing the consumer notice remedy in their concurring statement, Commissioners Chopra and Slaughter propose that the Commission no longer assess each case on its particular merits when determining when to order consumer notice.3 Rather, they assert the Commission should presumptively seek notice provisions in privacy and data security matters, "especially in matters that do not include redress for victims."4 I disagree with that approach.
The Commission has used notice requirements to prevent ongoing harm to consumers and to enable them to remediate the effects of harm suffered.
To that end, the Commission has required consumer notice in cases where:
Consumers' health or safety is at risk;5
consumers are subject to recurring charges that they may be unaware of; 6
consumers have a financial or legal interest that needs to be protected; 7
notice is necessary to prevent the ongoing dissemination of deceptive information;8 or consumers on their own would not have been able to discover or determine
2 Consent, Exhibit A.
3 Commissioners Chopra and Slaughter also assert that the plain language of the Health Breach Notification Rule covers Flo. I disagree. We have never applied the Rule to a health app such as Flo in the past, in part because the language of the Rule is not so plain. And I do not support announcing such a novel interpretation of the Rule here, in the context of an enforcement action. See Joint Statement of Comm'r Chopra and Comm'r Slaughter, In re Flo Health, File No. 1923133 (Jan. 13, 2021).
4 Id.
5 For example, in Daniel Chapter One, No. 9329 (Jan. 25, 2010), https://www.ftc.gov/enforcement/cases-proceedings/0823085/daniel-chapter-one, the final order required the respondent to notify consumers that the company's cancer treatment claims regarding its dietary supplements were deceptive, and the supplements could actually interfere with cancer treatment.
6 For example, in the stipulated final order in FTC v. Lumos Labs, Inc., No. 3:16-cv-0001, at 12-13, 22-23 (C.D. Cal. Jan. 8, 2016), the required notices described the FTC's allegations and explained how to cancel service.
7 In FTC v. American Financial Benefits Center, No. 4:18-cv-00806 (N.D. Cal. Feb. 7, 2018), consumers were notified that their recurring payments to the company were not being used to pay off their student loans.
8 In FTC v. Applied Food Sciences, Inc., No. 1:14-cv-00851, at 12, 21 (W.D. Tex. Sept. 10, 2014), a wholesaler of dietary supplement ingredients distributed misleading information to supplement makers, touting the results of a clinical study that the FTC's investigation had shown to be botched. The company was required to notify all supplement makers who had received the misleading information that the FTC did not find the study credible.