Flo Health, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 7382-7386 [2021-01697]

Download as PDF 7382 Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices by mail or email (with a link to the document) at: P.O. Box 1396, Houston, Texas 77251, Jordan.Kirwin@ williams.com. Any subsequent submissions by an intervenor must be served on the applicant and all other parties to the proceeding. Contact information for parties can be downloaded from the service list at the eService link on FERC Online. Tracking the Proceeding Throughout the proceeding, additional information about the project will be available from the Commission’s Office of External Affairs, at (866) 208– FERC, or on the FERC website at www.ferc.gov using the ‘‘eLibrary’’ link as described above. The eLibrary link also provides access to the texts of all formal documents issued by the Commission, such as orders, notices, and rulemakings. In addition, the Commission offers a free service called eSubscription which allows you to keep track of all formal issuances and submittals in specific dockets. This can reduce the amount of time you spend researching proceedings by automatically providing you with notification of these filings, document summaries, and direct links to the documents. For more information and to register, go to www.ferc.gov/docs-filing/ esubscription.asp. Dated: January 22, 2021. Kimberly D. Bose, Secretary. [FR Doc. 2021–01875 Filed 1–27–21; 8:45 am] BILLING CODE 6717–01–P Board of Governors of the Federal Reserve System, January 25, 2021. Michele Taylor Fennell, Deputy Associate Secretary of the Board. FEDERAL RESERVE SYSTEM [FR Doc. 2021–01893 Filed 1–27–21; 8:45 am] Notice of Proposals To Engage in or To Acquire Companies Engaged in Permissible Nonbanking Activities BILLING CODE P The companies listed in this notice have given notice under section 4 of the Bank Holding Company Act (12 U.S.C. 1843) (BHC Act) and Regulation Y, (12 CFR part 225) to engage de novo, or to acquire or control voting securities or assets of a company, including the companies listed below, that engages either directly or through a subsidiary or other company, in a nonbanking activity that is listed in § 225.28 of Regulation Y (12 CFR 225.28) or that the Board has determined by Order to be closely related to banking and permissible for bank holding companies. Unless otherwise noted, these activities will be conducted throughout the United States. The public portions of the applications listed below, as well as other related filings required by the VerDate Sep<11>2014 17:16 Jan 27, 2021 Jkt 253001 Board, if any, are available for immediate inspection at the Federal Reserve Bank(s) indicated below and at the offices of the Board of Governors. This information may also be obtained on an expedited basis, upon request, by contacting the appropriate Federal Reserve Bank and from the Board’s Freedom of Information Office at https://www.federalreserve.gov/foia/ request.htm. Interested persons may express their views in writing on the question whether the proposal complies with the standards of section 4 of the BHC Act. Unless otherwise noted, comments regarding the applications must be received at the Reserve Bank indicated or the offices of the Board of Governors, Ann E. Misback, Secretary of the Board, 20th Street and Constitution Avenue NW, Washington DC 20551–0001, not later than February 12, 2021. A. Federal Reserve Bank of Richmond (Adam M. Drimer, Assistant Vice President) 701 East Byrd Street, Richmond, Virginia 23219. Comments can also be sent electronically to or Comments.applications@rich.frb.org: 1. First Citizens Bancshares, Inc., through its subsidiary bank, FirstCitizens Bank & Trust Company, both of Raleigh, North Carolina; to indirectly acquire voting shares of CIT Strategic Credit Partners Holdings, LLC, and CIT Northbridge Credit, LLC, both of New York, New York, and thereby engage in extending credit and servicing loans pursuant to § 225.28(b)(1) of Regulation Y. FEDERAL TRADE COMMISSION [File No. 192 3133] Flo Health, Inc.; Analysis of Proposed Consent Order To Aid Public Comment Federal Trade Commission. Proposed consent agreement; request for comment. AGENCY: ACTION: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order— embodied in the consent agreement— that would settle these allegations. SUMMARY: PO 00000 Frm 00030 Fmt 4703 Sfmt 4703 Comments must be received on or before March 1, 2021. ADDRESSES: Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write ‘‘Flo Health, Inc.; File No. 192 3133’’ on your comment, and file your comment online at https:// www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Elisa Jillson (202–326–3001), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https:// www.ftc.gov/news-events/commissionactions. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 1, 2021. Write ‘‘Flo Health, Inc.; File No. 192 3133’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https:// www.regulations.gov website. Due to the COVID–19 pandemic and the agency’s heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https:// www.regulations.gov website. If you prefer to file your comment on paper, write ‘‘Flo Health, Inc.; File No. DATES: E:\FR\FM\28JAN1.SGM 28JAN1 Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices 192 3133’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https:// www.regulations.gov website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the VerDate Sep<11>2014 17:16 Jan 27, 2021 Jkt 253001 requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. Visit the FTC website at http:// www.ftc.gov to read this Notice and the news release describing the proposed settlement. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before March 1, 2021. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/ site-information/privacy-policy. Analysis of Proposed Consent Order To Aid Public Comment The Federal Trade Commission (the ‘‘Commission’’) has accepted, subject to final approval, an agreement containing a consent order from Flo Health, Inc. (‘‘Respondent’’ or ‘‘Flo Health’’). The proposed consent order (‘‘Proposed Order’’) has been placed on the public record for thirty (30) days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order. This matter involves Flo Health, a technology start-up that develops and distributes a mobile application called the Flo Period & Ovulation Tracker (‘‘App’’), which collects and stores menstruation and fertility information about millions of users worldwide. Respondent has been a participant in the EU-U.S. Privacy Shield (‘‘Privacy Shield’’) and the U.S.-Swiss Privacy Shield framework since August 12, 2018. The Commission’s proposed complaint alleges that Flo Health deceived consumers, in violation of Section 5(a) of the Federal Trade Commission Act, in seven ways: • First, the complaint alleges that Flo Health represented that it would not disclose ‘‘information regarding . . . marked cycles, pregnancy, symptoms, notes . . .’’ to any third parties, or disclose ‘‘any data related to health’’ to particular third parties. In fact, Flo Health disclosed custom app events— records of individual users’ interactions with various features of the App, which conveyed identifying information about App users’ menstrual cycles, fertility, PO 00000 Frm 00031 Fmt 4703 Sfmt 4703 7383 and pregnancies—to various third-party marketing and analytics firms. • Second, the complaint alleges that Flo Health represented that it would only disclose device identifiers or personal data ‘‘like’’ device identifiers to certain third parties. In fact, in addition to disclosing device and advertising identifiers, Flo Health also disclosed custom app events conveying health information to those parties. • Third, the complaint alleges that Flo Health represented that third parties would not use Flo App users’ personal information ‘‘for any purpose except to provide services in connection with the App.’’ In fact, Flo Health agreed to terms with multiple third parties that permitted these third parties to use Flo App users’ personal health information for the third parties’ own purposes, including for advertising and product improvement. Indeed, from June 2016 to February 2019, one of the third parties (Facebook, Inc.) used Flo App users’ personal health information for its own purposes, including its own research and product development. • Counts IV through VII allege misrepresentations of compliance with the Privacy Shield Principles of Notice (Count IV), Choice (Count V), Accountability for Onward Transfers (Count VI), and Purpose Limitation (Count VII). Count IV alleges that Flo Health represented compliance with the Privacy Shield frameworks, when in fact it did not give Flo App users notice about to whom their data would be disclosed and for what purposes. Count V alleges that Flo Health disclosed this information without providing Flo App users with choice with respect to these disclosures or the purposes for which the data could be processed (e.g., Facebook’s advertising). Count VI alleges that Flo Health failed to limit by contract the third parties’ use of users’ health data or require by contract the third parties’ compliance with the Privacy Shield principles. And Count VII alleges that Flo Health processed users’ health data in a manner incompatible with the purposes for which it had been collected because Flo disclosed the data to third parties under contracts permitting them to use the data for their own purposes. The Proposed Order contains injunctive provisions addressing the alleged deceptive conduct. Part I prohibits Flo Health from making false or deceptive statements regarding: (1) The purposes for which Flo Health or any entity to whom it discloses Covered Information (i.e., personal information, including identifiable health information) collects, maintains, uses, or discloses such information; (2) the E:\FR\FM\28JAN1.SGM 28JAN1 7384 Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices extent to which consumers may exercise control over Flo Health’s access, collection, maintenance, use, disclosure, or deletion of Covered Information; (3) the extent to which Flo Health complies with any privacy, security, or compliance program, including the Privacy Shield; and (4) the extent to which Flo Health collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information, or the extent to which Flo Health protects the availability, confidentiality, or integrity of Covered Information. Part II of the Proposed Order requires Flo Health to ask any ‘‘Third Party’’ (i.e., any party other than Flo Health, its service providers, or subcontractors) that has received ‘‘Health Information’’ about ‘‘Covered App Users’’ to destroy such information. Part III of the Proposed Order requires that Flo provide notice to users and the public that it shared certain information about users’ periods and pregnancies with the data analytics divisions (but not the social media divisions) of a number of third parties, including Facebook, Flurry, Fabric, and Google. Part IV of the Proposed Order requires that, before disclosing any consumer’s health information to a third party, Flo Health must provide notice and obtain express affirmative consent, including informing the user of the categories of information to be disclosed, the identities of the third parties, and how the information will be used. Part V of the Proposed Order requires an outside ‘‘Compliance Review,’’ conducted within 180 days after entry of the Proposed Order, to verify any attestations and assertions Flo Health made pursuant to the EU-U.S. Privacy Shield or the U.S.-Swiss Privacy Shield framework. Part VI of the Proposed Order requires Flo Health to cooperate with the Compliance Reviewer and Part VII requires that a senior manager of Flo Health certify Flo Health’s compliance with the Proposed Order. Part VIII of the Proposed Order requires notification of the Commission following any ‘‘Covered Incident,’’ which includes any incident in which Flo Health disclosed individually identifiable Health Information from or about a consumer to a third party without first receiving the consumer’s affirmative express consent. Parts IX through XII of the Proposed Order are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Flo Health to provide information or documents necessary for the Commission to monitor compliance with the Proposed VerDate Sep<11>2014 17:16 Jan 27, 2021 Jkt 253001 Order. Part XIII states that the Proposed Order will remain in effect for twenty (20) years, with certain exceptions. The purpose of this analysis is to aid public comment on the Proposed Order. It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order’s terms. By direction of the Commission, Commissioners Chopra and Slaughter concurring in part and dissenting in part. Joel Christie, Acting Secretary. Statement of Commissioner Noah Joshua Phillips Despite representing that it would not share its users’ health details with anyone, Flo Health, Inc. (‘‘Flo’’) allegedly did so. As charged in the complaint, Flo coded app events, a mechanism by which app developers use third-party analytics to track how users use their apps, with words like ‘‘Pregnancy’’, and then shared them with analytics divisions of third parties including Facebook and Google.1 I support this complaint and consent, which sends an important message about the care app developers must take to level with users about how they share user data. I write to respond to the vision my colleagues articulate about when the Commission should use consumer notice in our data security and privacy enforcement program. The order we place on the public record for comment requires Flo to seek deletion of data it improperly shared with third parties; obtain users’ affirmative express consent before sharing their health information with third parties; report to the Commission future unauthorized disclosures; obtain an outside assessment of its privacy practices; and provide the following notice to consumers: Between June 1, 2016 and February 23, 2019, the company that makes the Flo Period & Ovulation Tracker app sent an identifying number related to you and information about your period and pregnancy to companies that help us measure and analyze trends, usage, and activities on the app, including the analytics divisions of Facebook, Flurry, Fabric, and Google. No information was shared with the social media divisions of 1 The Complaint does not challenge the use of third-party analytics services, upon which developers routinely rely. Because Flo Health coded events with names like ‘‘R_Pregnancy_Week_ Chosen’’, rather than something generic like ‘‘Event 1’’, the events conveyed health information. The Wall Street Journal reported this conveyance on February 22, 2019, and the next day Flo Health ceased its conduct. PO 00000 Frm 00032 Fmt 4703 Sfmt 4703 these companies. We did not share your name, address, or birthday with anyone at any time.2 In championing the consumer notice remedy in their concurring statement, Commissioners Chopra and Slaughter propose that the Commission no longer assess each case on its particular merits when determining when to order consumer notice.3 Rather, they assert ‘‘the Commission should presumptively seek notice provisions in privacy and data security matters, especially in matters that do not include redress for victims.’’ 4 I disagree with that approach. The Commission has used notice requirements to prevent ongoing harm to consumers and to enable them to remediate the effects of harm suffered. To that end, the Commission has required consumer notice in cases where: • Consumers’ health or safety is at risk; 5 • consumers are subject to recurring charges that they may be unaware of; 6 • consumers have a financial or legal interest that needs to be protected; 7 • notice is necessary to prevent the ongoing dissemination of deceptive information; 8 or • consumers on their own would not have been able to discover or determine 2 Consent, Exhibit A. Chopra and Slaughter also assert that the ‘‘plain language’’ of the Health Breach Notification Rule covers Flo. I disagree. We have never applied the Rule to a health app such as Flo in the past, in part because the language of the Rule is not so plain. And I do not support announcing such a novel interpretation of the Rule here, in the context of an enforcement action. See Joint Statement of Comm’r Chopra and Comm’r Slaughter, In re Flo Health, File No. 1923133 (Jan. 13, 2021). 4 Id. 5 For example, in Daniel Chapter One, No. 9329 (Jan. 25, 2010) https://www.ftc.gov/enforcement/ cases-proceedings/082–3085/daniel-chapter-one, the final order required the respondent to notify consumers that the company’s cancer treatment claims regarding its dietary supplements were deceptive, and the supplements could actually interfere with cancer treatment. 6 For example, in the stipulated final order in FTC v. Lumos Labs, Inc., No. 3:16–cv–0001, at 12–13, 22–23 (C.D. Cal. Jan. 8, 2016), the required notices described the FTC’s allegations and explained how to cancel service. 7 In FTC v. American Financial Benefits Center, No. 4:18–cv–00806 (N.D. Cal. Feb. 7, 2018), consumers were notified that their recurring payments to the company were not being used to pay off their student loans. 8 In FTC v. Applied Food Sciences, Inc., No. 1:14– cv–00851 at 12, 21 (W.D. Tex. Sept. 10, 2014), a wholesaler of dietary supplement ingredients distributed misleading information to supplement makers, touting the results of a clinical study that the FTC’s investigation had shown to be botched. The company was required to notify all supplement makers who had received the misleading information that the FTC did not find the study credible. 3 Commissioners E:\FR\FM\28JAN1.SGM 28JAN1 Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices the illegal behavior and would not know to take remedial action.9 Using these guidelines, the Commission has found consumer notice appropriate in some privacy and data security cases as well, such as when there was a need to inform consumers about ongoing data collection and sharing 10 or to correct a deceptive data breach notification.11 On the data security front, where it can be critical that consumers know sensitive information has been breached or exposed, a panoply of state breach notification laws require notice to consumers. When warranted, notice to consumers can be an important tool. But neither the Commission, nor any of the 50 states with data breach notification laws, have taken the position of requiring consumer notice for the mere sake of the notice itself. Commissioners Chopra and Slaughter stress that notice is warranted especially where redress is not paid to consumers. How consumer notice substitutes for redress, an equitable mechanism to return to consumers what they have lost, is not clear. Nor is it clear what, if anything, limits this approach to notice to data security and privacy cases. To the extent notice is intended as a penalty, I disagree. My view is that we should target notice as a means to help consumers take action to protect themselves. Contacting consumers when there is no remedial action that they can take runs the risk of undermining consumer trust and needlessly overwhelming consumers.12 Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter Concurring in Part, Dissenting in Part Today, the FTC is ordering Flo Health, Inc. (‘‘Flo’’) to notify consumers 9 For example, in Oracle Corp., No. C–4571 (Mar. 29, 2016), https://www.ftc.gov/enforcement/casesproceedings/132-3115/oracle-corporation-matter, the settlement required Oracle to notify consumers about certain data security risks and explain how to protect their personal information by deleting older versions of Java. 10 Unrollme Inc., No. C–4692 (Dec. 17, 2019), https://www.ftc.gov/enforcement/casesproceedings/172-3139/unrollme-inc-matter. 11 Skymed International, Inc., File No. 1923140 (Dec. 16, 2020), https://www.ftc.gov/enforcement/ cases-proceedings/1923140/skymed-internationalinc-matter. 12 I am also concerned about the possibility of notice fatigue. For example, in the context of security warnings on mobile devices, there is evidence of a decreased neurological response after repeated exposure to warnings. See, e.g., Anthony Vance et al., Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments, 42 MIS Quarterly, No. 2, June 2018, at 1, https://misq.org/ skin/frontend/default/misq/pdf/appendices/2018/ V42I1Appendices/14124_RA_VanceJenkins.pdf. VerDate Sep<11>2014 17:16 Jan 27, 2021 Jkt 253001 that it has been charged with sharing consumers’ menstruation and fertility information without their consent. This proposed settlement is a change for the FTC, which has never before ordered notice of a privacy action. We commend the agency’s staff for securing this relief and for addressing Flo’s concerning practices. While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo’s conduct violated the Health Breach Notification Rule, yet the Commission’s proposed complaint fails to include this allegation. The rule helps ensure that consumers are informed when their data is misused, and firms like Flo should not be ignoring it. Importance of Notice Flo Health is the developer of a popular mobile app that collects menstruation and fertility information from millions of users worldwide. As detailed in the Commission’s complaint, Flo promised these users that it would not disclose their sensitive information to third parties, but did so anyway— sharing it with Facebook, Google, and others.1 This alleged conduct broke user trust, and it broke the law. In addition to requiring Flo to improve its privacy practices, the FTC’s proposed order directs Flo to notify its users of this serious breach. Notice confers a number of benefits in cases like this one. Consumers deserve to know when a company made false privacy promises, so they can modify their usage or switch services. Notice also informs how consumers review a service, and whether they will recommend it to others. Finally, notice accords consumers the dignity of knowing what happened. For all these reasons, the Commission should presumptively seek notice provisions in privacy and data security matters, especially in matters that do not include redress for victims.2 1 Compl., In the Matter of Flo Health, Inc., Docket No. 1923133, ¶¶ 13–24. 2 In a separate statement, Commissioner Phillips argues that notice should be limited to circumstances under which it can ‘‘help consumers take action to protect themselves.’’ See Separate Statement of Commissioner Noah Joshua Phillips In the Matter of Flo Health, Inc. Comm’n File No. 1923133 at 2 (Jan. 13, 2021). In our view, the notice requirement here squarely meets that test, as consumers can switch to more privacy-protecting services or adjust their data-sharing behavior with companies that act unlawfully. Commissioner Phillips further suggests that notice is no substitute for redress. We agree. But when redress is not ordered, notice at least ensures consumers are aware of the FTC’s action, which might otherwise be achieved through a redress check. Finally, PO 00000 Frm 00033 Fmt 4703 Sfmt 4703 7385 Health Breach Notification Rule The Commission must also ensure it is vigorously enforcing the laws on the books. Congress has entrusted the FTC with promulgating and enforcing the Health Breach Notification Rule, one of only a handful of federal privacy laws protecting consumers. The rule requires vendors of unsecured health information, including mobile health apps, to notify users and the FTC if there has been an unauthorized disclosure. Although the FTC has advised mobile health apps to examine their obligations under the rule,3 including through the use of an interactive tool,4 the FTC has never brought an action to enforce it.5 In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule. Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google, and others without their authorization.6 Flo Commissioner Phillips argues that consumers may not read all notices. This is a valid concern, and notice is no substitute for other remedies, such as admissions of liability or substantive limits on the collection, use, and abuse of personal data. 3 Mobile Health App Developers: FTC Best Practices, Fed. Trade Comm’n, https://www.ftc.gov/ tips-advice/business-center/guidance/mobilehealth-app-developers-ftc-best-practices (last visited on Jul. 31, 2020). 4 Mobile Health Apps Interactive Tool, Fed. Trade Comm’n, https://www.ftc.gov/tips-advice/businesscenter/guidance/mobile-health-apps-interactivetool (last visited on Jul. 31, 2020). 5 Commissioner Phillips suggests that enforcing the rule against Flo would be ‘‘novel.’’ Phillips Statement, supra note 2, at 1. But, this could be said of any enforcement action in this context, since the Commission has never enforced the Health Breach Notification Rule. If there is concern that Flo did not know it was violating the rule, that would be relevant to the question of whether Flo is liable for civil penalties. See 15 U.S.C. 45(m)(1)(A). Flo’s lack of knowledge about the rule’s requirements would not be relevant to the question of whether the Commission could charge Flo with a violation. 6 See Compl., supra note 1, ¶¶ 18–24. The FTC’s Health Breach Notification Rule covers (a) health care providers that (b) store unsecured, personally identifiable health information that (c) can be drawn from multiple sources, and the rule is triggered when such entities experience a ‘‘breach of security.’’ See 16 CFR 318. Under the definitions cross-referenced by the Rule, Flo—which markets itself as a ‘‘health assistant’’—is a ‘‘health care provider,’’ in that it ‘‘furnish[es] health care services and supplies.’’ See 16 CFR 318.2(e); 42 U.S.C. 1320d(6), d(3). Additionally, Flo stores personally identifiable health information that is not secured according to an HHS-approved method, and that can be drawn from multiple source. See 16 CFR 318.2(i); Fitness Trackers and Apps, Flo Health, https://flo.health/faq/fitness-trackers-andapps (last visited on Jan. 6, 2020) (instructing users on how to sync Flo with other apps). When Flo, according to the complaint, disclosed sensitive health information without users’ authorization, this was a ‘‘breach of security’’ under the rule 16 CFR 318.2(a) (defining ‘‘breach of security’’ as ‘‘acquisition of [PHR identifiable health information] without the authorization of the individual.’’). E:\FR\FM\28JAN1.SGM 28JAN1 7386 Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices did not do so, making the company liable under the rule.7 The Health Breach Notification Rule was first issued more than a decade ago, but the explosion in connected health apps make its requirements more important than ever. While we would prefer to see substantive limits on firms’ ability to collect and monetize our personal information, the rule at least ensures that services like Flo need to come clean when they experience privacy or security breaches. Over time, this may induce firms to take greater care in collecting and monetizing our most sensitive information. Conclusion We are pleased to see a notice provision in today’s proposed order, but there is much more the FTC can do to protect consumers’ data, and hold accountable those who abuse it. Where Congress has given us rulemaking authority, we should use it.8 And where we have rules already on the books, we should enforce them. Here, the Health Breach Notification Rule will have its intended effect only if the FTC is willing to enforce it. We believe enforcing the rule was warranted here, and we respectfully dissent from the Commission’s failure to do so. Particularly as we seek more authority from Congress in the privacy space, it is critical we demonstrate we are prepared to use the authorities we already have. [FR Doc. 2021–01697 Filed 1–27–21; 8:45 am] BILLING CODE 6750–01–P 7 See 16 CFR 318.7 (stating that a violation of the rule constitutes a violation of a trade regulation rule). Notably, California’s recent action against a similar fertility-tracking app charged with similar privacy violations included a $250,000 civil penalty. Press Release, Cal. Att’y Gen., Attorney General Becerra Announces Landmark Settlement Against Glow, Inc.—Fertility App Risked Exposing Millions of Women’s Personal and Medical Information (Sep. 17, 2020), https://oag.ca.gov/ news/press-releases/attorney-general-becerraannounces-landmark-settlement-against-glow-inc%E2%80%93. 8 We have previously articulated opportunities to make use of our existing authorities when it comes to data protection. See Statement of Commissioner Rohit Chopra Regarding the Report to Congress on the FTC’s Use of Its Authorities to Protect Consumer Privacy and Security, Comm’n File P065404 (June 18, 2020), https://www.ftc.gov/ public-statements/2020/06/statementcommissioner-rohit-chopra-regarding-reportcongress-ftcs-use-its; Remarks of Commissioner Rebecca Kelly Slaughter at Silicon Flatirons, The Near Future of U.S. Privacy Law, University of Colorado Law School (Sep. 6, 2019), https:// www.ftc.gov/system/files/documents/public_ statements/1543396/slaughter_silicon_flatirons_ remarks_9-6-19.pdf. VerDate Sep<11>2014 17:16 Jan 27, 2021 Jkt 253001 DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Disease Control and Prevention [30Day–21–0909] Agency Forms Undergoing Paperwork Reduction Act Review In accordance with the Paperwork Reduction Act of 1995, the Centers for Disease Control and Prevention (CDC) has submitted the information collection request titled CDC Diabetes Prevention Recognition Program (DPRP) to the Office of Management and Budget (OMB) for review and approval. CDC previously published a ‘‘Proposed Data Collection Submitted for Public Comment and Recommendations’’ notice on June 15, 2020, to obtain comments from the public and affected agencies. CDC received 30 unique sets of public comments. Within the 30 sets of comments, there were 126 questions/ comments answered by CDC. This notice serves to allow an additional 30 days for public and affected agency comments. CDC will accept all comments for this proposed information collection project. The Office of Management and Budget is particularly interested in comments that: (a) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (b) Evaluate the accuracy of the agencies estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (c) Enhance the quality, utility, and clarity of the information to be collected; (d) Minimize the burden of the collection of information on those who are to respond, including, through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses; and (e) Assess information collection costs. To request additional information on the proposed project or to obtain a copy of the information collection plan and instruments, call (404) 639–7570. Comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/ do/PRAMain. Find this particular PO 00000 Frm 00034 Fmt 4703 Sfmt 4703 information collection by selecting ‘‘Currently under 30-day Review—Open for Public Comments’’ or by using the search function. Direct written comments and/or suggestions regarding the items contained in this notice to the Attention: CDC Desk Officer, Office of Management and Budget, 725 17th Street NW, Washington, DC 20503 or by fax to (202) 395–5806. Provide written comments within 30 days of notice publication. Proposed Project CDC Diabetes Prevention Recognition Program (DPRP) (OMB Control No. 0920–0909, Exp. 02/28/2021)— Revision—National Center for Chronic Disease Prevention and Health Promotion (NCCDPHP), Centers for Disease Control and Prevention (CDC). Background and Brief Description CDC’s Division of Diabetes Translation (DDT) established and administers the National Diabetes Prevention Program’s (National DPP) Diabetes Prevention Recognition Program (DPRP), which recognizes organizations that deliver diabetes prevention programs according to evidence-based requirements set forth in the ‘Centers for Disease Control and Prevention Diabetes Prevention Recognition Program Standards and Operating Procedures’ (DPRP Standards). Additionally, the Centers for Medicare and Medicaid Services (CMS) Medicare Diabetes Prevention Program (MDPP) expansion of CDC’s National DPP was announced in early 2016, when the Secretary of Health and Human Services determined that the Diabetes Prevention Program met the statutory criteria for inclusion in Medicare’s expanded list of healthcare services for beneficiaries (https:// innovation.cms.gov/initiatives/ medicare-diabetes-prevention-program/ ). This is the first time a preventive service model from the CMS Innovation (CMMI) Center has been expanded. After extensive testing of the DPP model in 17 sites across the U.S. in 2014–2016, CMS proposed the MDPP in Sections 1102 and 1871 of the Social Security Act (42 U.S.C. 1302 and 1395hh § 424.59), authorizing CDC-recognized organizations to prepare for enrollment as MDPP suppliers beginning in January 2018 in order to bill CMS for these services. Only organizations in good standing with the CDC DPRP are eligible as MDPP suppliers. CDC continues to work with CMS to support the MDPP. CDC requests an additional three years of OMB approval to continue collecting the information needed to administer the DPRP and information E:\FR\FM\28JAN1.SGM 28JAN1

Agencies

[Federal Register Volume 86, Number 17 (Thursday, January 28, 2021)]
[Notices]
[Pages 7382-7386]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-01697]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3133]


Flo Health, Inc.; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the draft complaint 
and the terms of the consent order--embodied in the consent agreement--
that would settle these allegations.

DATES: Comments must be received on or before March 1, 2021.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``Flo Health, 
Inc.; File No. 192 3133'' on your comment, and file your comment online 
at https://www.regulations.gov by following the instructions on the 
web-based form. If you prefer to file your comment on paper, mail your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Elisa Jillson (202-326-3001), Bureau 
of Consumer Protection, Federal Trade Commission, 600 Pennsylvania 
Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
at https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before March 1, 2021. 
Write ``Flo Health, Inc.; File No. 192 3133'' on your comment. Your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the https://www.regulations.gov website.
    Due to the COVID-19 pandemic and the agency's heightened security 
screening, postal mail addressed to the Commission will be subject to 
delay. We strongly encourage you to submit your comments online through 
the https://www.regulations.gov website.
    If you prefer to file your comment on paper, write ``Flo Health, 
Inc.; File No.

[[Page 7383]]

192 3133'' on your comment and on the envelope, and mail your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), 
Washington, DC 20580; or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the https://www.regulations.gov website--as legally 
required by FTC Rule 4.9(b)--we cannot redact or remove your comment 
from that website, unless you submit a confidentiality request that 
meets the requirements for such treatment under FTC Rule 4.9(c), and 
the General Counsel grants that request.
    Visit the FTC website at http://www.ftc.gov to read this Notice and 
the news release describing the proposed settlement. The FTC Act and 
other laws that the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
that it receives on or before March 1, 2021. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (the ``Commission'') has accepted, 
subject to final approval, an agreement containing a consent order from 
Flo Health, Inc. (``Respondent'' or ``Flo Health'').
    The proposed consent order (``Proposed Order'') has been placed on 
the public record for thirty (30) days for receipt of comments from 
interested persons. Comments received during this period will become 
part of the public record. After thirty (30) days, the Commission will 
again review the agreement, along with any comments received, and will 
decide whether it should withdraw from the agreement and take 
appropriate action or make final the Proposed Order.
    This matter involves Flo Health, a technology start-up that 
develops and distributes a mobile application called the Flo Period & 
Ovulation Tracker (``App''), which collects and stores menstruation and 
fertility information about millions of users worldwide. Respondent has 
been a participant in the EU-U.S. Privacy Shield (``Privacy Shield'') 
and the U.S.-Swiss Privacy Shield framework since August 12, 2018.
    The Commission's proposed complaint alleges that Flo Health 
deceived consumers, in violation of Section 5(a) of the Federal Trade 
Commission Act, in seven ways:
     First, the complaint alleges that Flo Health represented 
that it would not disclose ``information regarding . . . marked cycles, 
pregnancy, symptoms, notes . . .'' to any third parties, or disclose 
``any data related to health'' to particular third parties. In fact, 
Flo Health disclosed custom app events--records of individual users' 
interactions with various features of the App, which conveyed 
identifying information about App users' menstrual cycles, fertility, 
and pregnancies--to various third-party marketing and analytics firms.
     Second, the complaint alleges that Flo Health represented 
that it would only disclose device identifiers or personal data 
``like'' device identifiers to certain third parties. In fact, in 
addition to disclosing device and advertising identifiers, Flo Health 
also disclosed custom app events conveying health information to those 
parties.
     Third, the complaint alleges that Flo Health represented 
that third parties would not use Flo App users' personal information 
``for any purpose except to provide services in connection with the 
App.'' In fact, Flo Health agreed to terms with multiple third parties 
that permitted these third parties to use Flo App users' personal 
health information for the third parties' own purposes, including for 
advertising and product improvement. Indeed, from June 2016 to February 
2019, one of the third parties (Facebook, Inc.) used Flo App users' 
personal health information for its own purposes, including its own 
research and product development.
     Counts IV through VII allege misrepresentations of 
compliance with the Privacy Shield Principles of Notice (Count IV), 
Choice (Count V), Accountability for Onward Transfers (Count VI), and 
Purpose Limitation (Count VII). Count IV alleges that Flo Health 
represented compliance with the Privacy Shield frameworks, when in fact 
it did not give Flo App users notice about to whom their data would be 
disclosed and for what purposes. Count V alleges that Flo Health 
disclosed this information without providing Flo App users with choice 
with respect to these disclosures or the purposes for which the data 
could be processed (e.g., Facebook's advertising). Count VI alleges 
that Flo Health failed to limit by contract the third parties' use of 
users' health data or require by contract the third parties' compliance 
with the Privacy Shield principles. And Count VII alleges that Flo 
Health processed users' health data in a manner incompatible with the 
purposes for which it had been collected because Flo disclosed the data 
to third parties under contracts permitting them to use the data for 
their own purposes.
    The Proposed Order contains injunctive provisions addressing the 
alleged deceptive conduct. Part I prohibits Flo Health from making 
false or deceptive statements regarding: (1) The purposes for which Flo 
Health or any entity to whom it discloses Covered Information (i.e., 
personal information, including identifiable health information) 
collects, maintains, uses, or discloses such information; (2) the

[[Page 7384]]

extent to which consumers may exercise control over Flo Health's 
access, collection, maintenance, use, disclosure, or deletion of 
Covered Information; (3) the extent to which Flo Health complies with 
any privacy, security, or compliance program, including the Privacy 
Shield; and (4) the extent to which Flo Health collects, maintains, 
uses, discloses, deletes, or permits or denies access to any Covered 
Information, or the extent to which Flo Health protects the 
availability, confidentiality, or integrity of Covered Information.
    Part II of the Proposed Order requires Flo Health to ask any 
``Third Party'' (i.e., any party other than Flo Health, its service 
providers, or subcontractors) that has received ``Health Information'' 
about ``Covered App Users'' to destroy such information. Part III of 
the Proposed Order requires that Flo provide notice to users and the 
public that it shared certain information about users' periods and 
pregnancies with the data analytics divisions (but not the social media 
divisions) of a number of third parties, including Facebook, Flurry, 
Fabric, and Google. Part IV of the Proposed Order requires that, before 
disclosing any consumer's health information to a third party, Flo 
Health must provide notice and obtain express affirmative consent, 
including informing the user of the categories of information to be 
disclosed, the identities of the third parties, and how the information 
will be used.
    Part V of the Proposed Order requires an outside ``Compliance 
Review,'' conducted within 180 days after entry of the Proposed Order, 
to verify any attestations and assertions Flo Health made pursuant to 
the EU-U.S. Privacy Shield or the U.S.-Swiss Privacy Shield framework. 
Part VI of the Proposed Order requires Flo Health to cooperate with the 
Compliance Reviewer and Part VII requires that a senior manager of Flo 
Health certify Flo Health's compliance with the Proposed Order.
    Part VIII of the Proposed Order requires notification of the 
Commission following any ``Covered Incident,'' which includes any 
incident in which Flo Health disclosed individually identifiable Health 
Information from or about a consumer to a third party without first 
receiving the consumer's affirmative express consent.
    Parts IX through XII of the Proposed Order are reporting and 
compliance provisions, which include recordkeeping requirements and 
provisions requiring Flo Health to provide information or documents 
necessary for the Commission to monitor compliance with the Proposed 
Order. Part XIII states that the Proposed Order will remain in effect 
for twenty (20) years, with certain exceptions.
    The purpose of this analysis is to aid public comment on the 
Proposed Order. It is not intended to constitute an official 
interpretation of the complaint or Proposed Order, or to modify in any 
way the Proposed Order's terms.
    By direction of the Commission, Commissioners Chopra and Slaughter 
concurring in part and dissenting in part.

Joel Christie,
Acting Secretary.

Statement of Commissioner Noah Joshua Phillips

    Despite representing that it would not share its users' health 
details with anyone, Flo Health, Inc. (``Flo'') allegedly did so. As 
charged in the complaint, Flo coded app events, a mechanism by which 
app developers use third-party analytics to track how users use their 
apps, with words like ``Pregnancy'', and then shared them with 
analytics divisions of third parties including Facebook and Google.\1\ 
I support this complaint and consent, which sends an important message 
about the care app developers must take to level with users about how 
they share user data.
---------------------------------------------------------------------------

    \1\ The Complaint does not challenge the use of third-party 
analytics services, upon which developers routinely rely. Because 
Flo Health coded events with names like ``R_Pregnancy_Week_Chosen'', 
rather than something generic like ``Event 1'', the events conveyed 
health information. The Wall Street Journal reported this conveyance 
on February 22, 2019, and the next day Flo Health ceased its 
conduct.
---------------------------------------------------------------------------

    I write to respond to the vision my colleagues articulate about 
when the Commission should use consumer notice in our data security and 
privacy enforcement program.
    The order we place on the public record for comment requires Flo to 
seek deletion of data it improperly shared with third parties; obtain 
users' affirmative express consent before sharing their health 
information with third parties; report to the Commission future 
unauthorized disclosures; obtain an outside assessment of its privacy 
practices; and provide the following notice to consumers:

    Between June 1, 2016 and February 23, 2019, the company that 
makes the Flo Period & Ovulation Tracker app sent an identifying 
number related to you and information about your period and 
pregnancy to companies that help us measure and analyze trends, 
usage, and activities on the app, including the analytics divisions 
of Facebook, Flurry, Fabric, and Google. No information was shared 
with the social media divisions of these companies. We did not share 
your name, address, or birthday with anyone at any time.\2\
---------------------------------------------------------------------------

    \2\ Consent, Exhibit A.

    In championing the consumer notice remedy in their concurring 
statement, Commissioners Chopra and Slaughter propose that the 
Commission no longer assess each case on its particular merits when 
determining when to order consumer notice.\3\ Rather, they assert ``the 
Commission should presumptively seek notice provisions in privacy and 
data security matters, especially in matters that do not include 
redress for victims.'' \4\ I disagree with that approach.
---------------------------------------------------------------------------

    \3\ Commissioners Chopra and Slaughter also assert that the 
``plain language'' of the Health Breach Notification Rule covers 
Flo. I disagree. We have never applied the Rule to a health app such 
as Flo in the past, in part because the language of the Rule is not 
so plain. And I do not support announcing such a novel 
interpretation of the Rule here, in the context of an enforcement 
action. See Joint Statement of Comm'r Chopra and Comm'r Slaughter, 
In re Flo Health, File No. 1923133 (Jan. 13, 2021).
    \4\ Id.
---------------------------------------------------------------------------

    The Commission has used notice requirements to prevent ongoing harm 
to consumers and to enable them to remediate the effects of harm 
suffered. To that end, the Commission has required consumer notice in 
cases where:
     Consumers' health or safety is at risk; \5\
---------------------------------------------------------------------------

    \5\ For example, in Daniel Chapter One, No. 9329 (Jan. 25, 2010) 
https://www.ftc.gov/enforcement/cases-proceedings/082-3085/daniel-chapter-one, the final order required the respondent to notify 
consumers that the company's cancer treatment claims regarding its 
dietary supplements were deceptive, and the supplements could 
actually interfere with cancer treatment.
---------------------------------------------------------------------------

     consumers are subject to recurring charges that they may 
be unaware of; \6\
---------------------------------------------------------------------------

    \6\ For example, in the stipulated final order in FTC v. Lumos 
Labs, Inc., No. 3:16-cv-0001, at 12-13, 22-23 (C.D. Cal. Jan. 8, 
2016), the required notices described the FTC's allegations and 
explained how to cancel service.
---------------------------------------------------------------------------

     consumers have a financial or legal interest that needs to 
be protected; \7\
---------------------------------------------------------------------------

    \7\ In FTC v. American Financial Benefits Center, No. 4:18-cv-
00806 (N.D. Cal. Feb. 7, 2018), consumers were notified that their 
recurring payments to the company were not being used to pay off 
their student loans.
---------------------------------------------------------------------------

     notice is necessary to prevent the ongoing dissemination 
of deceptive information; \8\ or
---------------------------------------------------------------------------

    \8\ In FTC v. Applied Food Sciences, Inc., No. 1:14-cv-00851 at 
12, 21 (W.D. Tex. Sept. 10, 2014), a wholesaler of dietary 
supplement ingredients distributed misleading information to 
supplement makers, touting the results of a clinical study that the 
FTC's investigation had shown to be botched. The company was 
required to notify all supplement makers who had received the 
misleading information that the FTC did not find the study credible.
---------------------------------------------------------------------------

     consumers on their own would not have been able to 
discover or determine

[[Page 7385]]

the illegal behavior and would not know to take remedial action.\9\
---------------------------------------------------------------------------

    \9\ For example, in Oracle Corp., No. C-4571 (Mar. 29, 2016), 
https://www.ftc.gov/enforcement/cases-proceedings/132-3115/oracle-corporation-matter, the settlement required Oracle to notify 
consumers about certain data security risks and explain how to 
protect their personal information by deleting older versions of 
Java.
---------------------------------------------------------------------------

    Using these guidelines, the Commission has found consumer notice 
appropriate in some privacy and data security cases as well, such as 
when there was a need to inform consumers about ongoing data collection 
and sharing \10\ or to correct a deceptive data breach 
notification.\11\ On the data security front, where it can be critical 
that consumers know sensitive information has been breached or exposed, 
a panoply of state breach notification laws require notice to 
consumers.
---------------------------------------------------------------------------

    \10\ Unrollme Inc., No. C-4692 (Dec. 17, 2019), https://www.ftc.gov/enforcement/cases-proceedings/172-3139/unrollme-inc-matter.
    \11\ Skymed International, Inc., File No. 1923140 (Dec. 16, 
2020), https://www.ftc.gov/enforcement/cases-proceedings/1923140/skymed-international-inc-matter.
---------------------------------------------------------------------------

    When warranted, notice to consumers can be an important tool. But 
neither the Commission, nor any of the 50 states with data breach 
notification laws, have taken the position of requiring consumer notice 
for the mere sake of the notice itself.
    Commissioners Chopra and Slaughter stress that notice is warranted 
especially where redress is not paid to consumers. How consumer notice 
substitutes for redress, an equitable mechanism to return to consumers 
what they have lost, is not clear. Nor is it clear what, if anything, 
limits this approach to notice to data security and privacy cases. To 
the extent notice is intended as a penalty, I disagree. My view is that 
we should target notice as a means to help consumers take action to 
protect themselves. Contacting consumers when there is no remedial 
action that they can take runs the risk of undermining consumer trust 
and needlessly overwhelming consumers.\12\
---------------------------------------------------------------------------

    \12\ I am also concerned about the possibility of notice 
fatigue. For example, in the context of security warnings on mobile 
devices, there is evidence of a decreased neurological response 
after repeated exposure to warnings. See, e.g., Anthony Vance et 
al., Tuning Out Security Warnings: A Longitudinal Examination of 
Habituation Through fMRI, Eye Tracking, and Field Experiments, 42 
MIS Quarterly, No. 2, June 2018, at 1, https://misq.org/skin/frontend/default/misq/pdf/appendices/2018/V42I1Appendices/14124_RA_VanceJenkins.pdf.
---------------------------------------------------------------------------

Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca 
Kelly Slaughter Concurring in Part, Dissenting in Part

    Today, the FTC is ordering Flo Health, Inc. (``Flo'') to notify 
consumers that it has been charged with sharing consumers' menstruation 
and fertility information without their consent. This proposed 
settlement is a change for the FTC, which has never before ordered 
notice of a privacy action. We commend the agency's staff for securing 
this relief and for addressing Flo's concerning practices.
    While we are pleased to see this change, we are disappointed that 
the Commission is not using all of its tools to hold accountable those 
who abuse and misuse personal data. We believe that Flo's conduct 
violated the Health Breach Notification Rule, yet the Commission's 
proposed complaint fails to include this allegation. The rule helps 
ensure that consumers are informed when their data is misused, and 
firms like Flo should not be ignoring it.

Importance of Notice

    Flo Health is the developer of a popular mobile app that collects 
menstruation and fertility information from millions of users 
worldwide. As detailed in the Commission's complaint, Flo promised 
these users that it would not disclose their sensitive information to 
third parties, but did so anyway--sharing it with Facebook, Google, and 
others.\1\ This alleged conduct broke user trust, and it broke the law.
---------------------------------------------------------------------------

    \1\ Compl., In the Matter of Flo Health, Inc., Docket No. 
1923133, ]] 13-24.
---------------------------------------------------------------------------

    In addition to requiring Flo to improve its privacy practices, the 
FTC's proposed order directs Flo to notify its users of this serious 
breach. Notice confers a number of benefits in cases like this one. 
Consumers deserve to know when a company made false privacy promises, 
so they can modify their usage or switch services. Notice also informs 
how consumers review a service, and whether they will recommend it to 
others. Finally, notice accords consumers the dignity of knowing what 
happened. For all these reasons, the Commission should presumptively 
seek notice provisions in privacy and data security matters, especially 
in matters that do not include redress for victims.\2\
---------------------------------------------------------------------------

    \2\ In a separate statement, Commissioner Phillips argues that 
notice should be limited to circumstances under which it can ``help 
consumers take action to protect themselves.'' See Separate 
Statement of Commissioner Noah Joshua Phillips In the Matter of Flo 
Health, Inc. Comm'n File No. 1923133 at 2 (Jan. 13, 2021). In our 
view, the notice requirement here squarely meets that test, as 
consumers can switch to more privacy-protecting services or adjust 
their data-sharing behavior with companies that act unlawfully. 
Commissioner Phillips further suggests that notice is no substitute 
for redress. We agree. But when redress is not ordered, notice at 
least ensures consumers are aware of the FTC's action, which might 
otherwise be achieved through a redress check. Finally, Commissioner 
Phillips argues that consumers may not read all notices. This is a 
valid concern, and notice is no substitute for other remedies, such 
as admissions of liability or substantive limits on the collection, 
use, and abuse of personal data.
---------------------------------------------------------------------------

Health Breach Notification Rule

    The Commission must also ensure it is vigorously enforcing the laws 
on the books. Congress has entrusted the FTC with promulgating and 
enforcing the Health Breach Notification Rule, one of only a handful of 
federal privacy laws protecting consumers. The rule requires vendors of 
unsecured health information, including mobile health apps, to notify 
users and the FTC if there has been an unauthorized disclosure. 
Although the FTC has advised mobile health apps to examine their 
obligations under the rule,\3\ including through the use of an 
interactive tool,\4\ the FTC has never brought an action to enforce 
it.\5\
---------------------------------------------------------------------------

    \3\ Mobile Health App Developers: FTC Best Practices, Fed. Trade 
Comm'n, https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-app-developers-ftc-best-practices (last visited on 
Jul. 31, 2020).
    \4\ Mobile Health Apps Interactive Tool, Fed. Trade Comm'n, 
https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool (last visited on Jul. 31, 2020).
    \5\ Commissioner Phillips suggests that enforcing the rule 
against Flo would be ``novel.'' Phillips Statement, supra note 2, at 
1. But, this could be said of any enforcement action in this 
context, since the Commission has never enforced the Health Breach 
Notification Rule. If there is concern that Flo did not know it was 
violating the rule, that would be relevant to the question of 
whether Flo is liable for civil penalties. See 15 U.S.C. 
45(m)(1)(A). Flo's lack of knowledge about the rule's requirements 
would not be relevant to the question of whether the Commission 
could charge Flo with a violation.
---------------------------------------------------------------------------

    In our view, the FTC should have charged Flo with violating the 
Health Breach Notification Rule. Under the rule, Flo was obligated to 
notify its users after it allegedly shared their health information 
with Facebook, Google, and others without their authorization.\6\ Flo

[[Page 7386]]

did not do so, making the company liable under the rule.\7\
---------------------------------------------------------------------------

    \6\ See Compl., supra note 1, ]] 18-24. The FTC's Health Breach 
Notification Rule covers (a) health care providers that (b) store 
unsecured, personally identifiable health information that (c) can 
be drawn from multiple sources, and the rule is triggered when such 
entities experience a ``breach of security.'' See 16 CFR 318. Under 
the definitions cross-referenced by the Rule, Flo--which markets 
itself as a ``health assistant''--is a ``health care provider,'' in 
that it ``furnish[es] health care services and supplies.'' See 16 
CFR 318.2(e); 42 U.S.C. 1320d(6), d(3). Additionally, Flo stores 
personally identifiable health information that is not secured 
according to an HHS-approved method, and that can be drawn from 
multiple source. See 16 CFR 318.2(i); Fitness Trackers and Apps, Flo 
Health, https://flo.health/faq/fitness-trackers-and-apps (last 
visited on Jan. 6, 2020) (instructing users on how to sync Flo with 
other apps). When Flo, according to the complaint, disclosed 
sensitive health information without users' authorization, this was 
a ``breach of security'' under the rule 16 CFR 318.2(a) (defining 
``breach of security'' as ``acquisition of [PHR identifiable health 
information] without the authorization of the individual.'').
    \7\ See 16 CFR 318.7 (stating that a violation of the rule 
constitutes a violation of a trade regulation rule). Notably, 
California's recent action against a similar fertility-tracking app 
charged with similar privacy violations included a $250,000 civil 
penalty. Press Release, Cal. Att'y Gen., Attorney General Becerra 
Announces Landmark Settlement Against Glow, Inc.--Fertility App 
Risked Exposing Millions of Women's Personal and Medical Information 
(Sep. 17, 2020), https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93.
---------------------------------------------------------------------------

    The Health Breach Notification Rule was first issued more than a 
decade ago, but the explosion in connected health apps make its 
requirements more important than ever. While we would prefer to see 
substantive limits on firms' ability to collect and monetize our 
personal information, the rule at least ensures that services like Flo 
need to come clean when they experience privacy or security breaches. 
Over time, this may induce firms to take greater care in collecting and 
monetizing our most sensitive information.

Conclusion

    We are pleased to see a notice provision in today's proposed order, 
but there is much more the FTC can do to protect consumers' data, and 
hold accountable those who abuse it. Where Congress has given us 
rulemaking authority, we should use it.\8\ And where we have rules 
already on the books, we should enforce them. Here, the Health Breach 
Notification Rule will have its intended effect only if the FTC is 
willing to enforce it.
---------------------------------------------------------------------------

    \8\ We have previously articulated opportunities to make use of 
our existing authorities when it comes to data protection. See 
Statement of Commissioner Rohit Chopra Regarding the Report to 
Congress on the FTC's Use of Its Authorities to Protect Consumer 
Privacy and Security, Comm'n File P065404 (June 18, 2020), https://www.ftc.gov/public-statements/2020/06/statement-commissioner-rohit-chopra-regarding-report-congress-ftcs-use-its; Remarks of 
Commissioner Rebecca Kelly Slaughter at Silicon Flatirons, The Near 
Future of U.S. Privacy Law, University of Colorado Law School (Sep. 
6, 2019), https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf.
---------------------------------------------------------------------------

    We believe enforcing the rule was warranted here, and we 
respectfully dissent from the Commission's failure to do so. 
Particularly as we seek more authority from Congress in the privacy 
space, it is critical we demonstrate we are prepared to use the 
authorities we already have.

[FR Doc. 2021-01697 Filed 1-27-21; 8:45 am]
BILLING CODE 6750-01-P