Federal Register - January 28, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices
192 3133 on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any "trade secret or any commercial or financial information which . . . is privileged or confidential", as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled "Confidential," and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website, as legally required by FTC Rule 4.9(b), we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.
Visit the FTC website at http://www.ftc.gov to read this Notice and the news release describing the proposed settlement. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before March 1, 2021. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the "Commission") has accepted, subject to final approval, an agreement containing a consent order from Flo Health, Inc. ("Respondent" or "Flo Health").
The proposed consent order ("Proposed Order") has been placed on the public record for thirty (30) days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.
This matter involves Flo Health, a technology start-up that develops and distributes a mobile application called the Flo Period & Ovulation Tracker App, which collects and stores menstruation and fertility information about millions of users worldwide.
Respondent has been a participant in the EU-U.S. Privacy Shield ("Privacy Shield") and the U.S.-Swiss Privacy Shield framework since August 12, 2018.
The Commission's proposed complaint alleges that Flo Health deceived consumers, in violation of Section 5(a) of the Federal Trade Commission Act, in seven ways:
First, the complaint alleges that Flo Health represented that it would not disclose information regarding . . . marked cycles, pregnancy, symptoms, notes . . . to any third parties, or disclose any data related to health to particular third parties. In fact, Flo Health disclosed custom app events (records of individual users' interactions with various features of the App, which conveyed identifying information about App users' menstrual cycles, fertility, and pregnancies) to various third-party marketing and analytics firms.
Second, the complaint alleges that Flo Health represented that it would only disclose device identifiers or personal data like device identifiers to certain third parties. In fact, in addition to disclosing device and advertising identifiers, Flo Health also disclosed custom app events conveying health information to those parties.
Third, the complaint alleges that Flo Health represented that third parties would not use Flo App users' personal information for any purpose except to provide services in connection with the App. In fact, Flo Health agreed to terms with multiple third parties that permitted these third parties to use Flo App users' personal health information for the third parties' own purposes, including for advertising and product improvement. Indeed, from June 2016 to February 2019, one of the third parties (Facebook, Inc.) used Flo App users' personal health information for its own purposes, including its own research and product development.
Counts IV through VII allege misrepresentations of compliance with the Privacy Shield Principles of Notice (Count IV), Choice (Count V), Accountability for Onward Transfers (Count VI), and Purpose Limitation (Count VII). Count IV alleges that Flo Health represented compliance with the Privacy Shield frameworks, when in fact it did not give Flo App users notice about to whom their data would be disclosed and for what purposes. Count V alleges that Flo Health disclosed this information without providing Flo App users with choice with respect to these disclosures or the purposes for which the data could be processed (e.g., Facebook's advertising). Count VI alleges that Flo Health failed to limit by contract the third parties' use of users' health data or require by contract the third parties' compliance with the Privacy Shield principles. And Count VII alleges that Flo Health processed users' health data in a manner incompatible with the purposes for which it had been collected because Flo disclosed the data to third parties under contracts permitting them to use the data for their own purposes.
The Proposed Order contains injunctive provisions addressing the alleged deceptive conduct. Part I prohibits Flo Health from making false or deceptive statements regarding: (1) The purposes for which Flo Health or any entity to whom it discloses Covered Information (i.e., personal information, including identifiable health information) collects, maintains, uses, or discloses such information; (2) the