Image credits: Getty Images
A new complaint from the Federal Trade Commission alleged that a popular fertility-tracking app shared users’ sensitive health information with third-party advertisers without their consent.
The FTC’s investigation into Premom, a fertility-tracking app developed by Easy Healthcare that allows users to track ovulation, periods, and other health information, found that the company had shared identifiable health and location information with Google and marketing company AppsFlyer since 2018.
Premom has collected and shared data on “hundreds of thousands” of users, including details about their sexual and reproductive health, parental and pregnancy status, as well as other information about individuals’ physical health conditions and condition. The app also shared users’ location data along with unique ads and device identifiers, which other advertisers could use to track users across the Internet and other apps.
In its complaint, the FTC said that ultimately it was possible for third parties to link pregnancy and fertility data to “a specific individual.”
The FTC said that sharing such third-party data repeatedly violated the privacy policies of Easy Healthcare, which promised to share “non-identifying data” with third parties, in violation of the FTC’s health breach notification rule.
Easy Healthcare also allegedly shared users’ sensitive identifiable data with two China-based mobile phone analytics companies known for “shady privacy practices,” according to a statement from Connecticut Attorney General William Tong. Data including IMEI numbers — strings of numbers associated with individual devices — and precise geolocation data were transferred to analytics firms Jiguang and Umeng between 2018 and 2020, according to the FTC.
The FTC alleges the company did this knowing Jiguang and Umeng could use this data for their own business purposes or could pass the data on to additional third parties, and says Easy Healthcare only stopped sharing that data when Google notified the app maker in 2020 That data transfer to Umeng violated Google Play Store policies.
“Prium lived up to its promise and created consumer privacy,” said Samuel Levine, director of the Federal Trade Commission’s Office of Consumer Protection. “We will aggressively enforce the health breach notification rule to defend consumer health data from exploitation. Companies that collect this information should know that the FTC will not tolerate violations of health privacy.”
As part of a proposed settlement filed by the Department of Justice, Easy Healthcare has agreed to pay a civil fine of $100,000 for violating the FTC’s health breach notification rule. She has also agreed to pay a total of $100,000 to the states of Connecticut, Oregon, and the District of Columbia, which she assisted in the FTC investigation.
As part of the order, Easy Healthcare also agreed to stop sharing personal health data with third parties for advertising and is required to ask third parties to delete the data (although the companies are not legally obligated to comply). Easy Healthcare also agreed to implement new privacy and security programs and provide privacy and security audits to agencies.
Easy Healthcare did not respond to TechCrunch’s request for comment. However, in a statement on its website, Primom said its agreement with the FTC “is not an admission of wrongdoing.”
This is the second time the FTC has filed an enforcement action against a company for violating the health breach notification rule. In February of this year, the agency reached a settlement with online pharmacy GoodRx for failing to disclose to users that it shared personally identifiable health information with Facebook, Google, and other third parties.
#FTC #Premom #fertility #app #shared #sensitive #data #Chinese #analytics #companies