"Ovulation Tracking App Premom Will be Barred from Sharing Health Data for Advertising Under Proposed FTC Order", 17 May 2023

The Federal Trade Commission charged that the developer of the fertility app Premom deceived users by sharing their sensitive personal information with third parties, including two China-based firms, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule (HBNR).

“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Illinois-based Easy Healthcare Corporation, which operates the Premom app, would be barred from sharing users’ personal health data with third parties for advertising, required to obtain users’ consent before sharing health data for any other purpose, and must tell consumers how their personal data will be used. The proposed order must be approved by the federal court to go into effect.

The Premom app, which is free to download and used by hundreds of thousands of people, helps users track ovulation, periods, and other health information, and also sells ovulation test kits. The app encourages users to provide information about their menstrual cycles, fertility, and pregnancy as well as to import their data from other apps such as Apple Health.

Premom failed to fully disclose its data sharing practices, and also violated direct promises to users, the FTC says. The data it shared with third parties revealed highly sensitive and private details about Premom’s users and led to the unauthorized disclosure of facts about an individual user’s sexual and reproductive health, parental and pregnancy status, as well as other information about physical health conditions and status.

In addition to sharing data without user consent, Premom failed to encrypt adequately the data it shared with third parties, including those in China, subjecting this data to potential interception or seizure, and did not limit how third parties could use the data, according to the complaint.

As part of the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the Health Breach Notification Rule and will also be:

• Permanently prohibited from sharing user personal health data with third parties for advertising;
• Required to obtain user consent before sharing personal health data with third parties for other purposes;
• Required to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
• Prohibited from making future misrepresentations about Easy Healthcare’s privacy practices and required to comply with the HBNR notification requirements for any future breach of security;
• Required to seek deletion of data it shared with third parties;
• Required to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
• Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.

As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia and Oregon, which worked with the FTC on this matter, for violating their respective laws.