The FTC, Fertility App Premom, and Sharing Consumer Health Data
The Federal Trade Commission (FTC) just charged that Premom, the fertility tracking app, shared hundreds of thousands of users’ information, unencrypted, with third parties. These include the marketing analytics company AppsFlyer, tech giant Google, and two companies based in China, including one owned by the Chinese tech conglomerate Alibaba. Samuel Levine, director of the FTC’s Bureau of Consumer Protection, stated that “companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
For the second time ever, the FTC is enforcing its Health Breach Notification Rule (16 C.F.R. Part 318), a regulation that requires personal health record vendors to notify consumers of a “breach involving unsecured information.” The FTC’s proposed order, filed on its behalf by the Department of Justice, would bar Easy Healthcare Corporation—the Illinois-based company that operates Premom—from sharing users’ health data with third parties for advertising. It would also require Easy Healthcare to inform consumers of this activity and first obtain their consent to share any data for non-advertising purposes in the future. Under the proposed order, the company would pay a $100,000 penalty—on top of another $100,000 it has agreed to pay in total to the District of Columbia, Connecticut, and Oregon for violating their laws.
This action follows the FTC’s February 2023 enforcement action against telehealth company and prescription drug provider GoodRx and its March 2023 proposed order against online counseling service BetterHelp. Both of those companies allegedly shared consumers’ health data with third parties. (Among other things, GoodRx also falsely claimed to be regulated by the Health Insurance Portability and Accountability Act, or HIPAA, to consumers.) These cases collectively underscore the prevalence of companies gathering Americans’ health data, outside the scope of HIPAA, and selling or sharing it. In Premom’s case, that includes sharing the precise geolocation data from users’ devices, in weakly encrypted form, with companies in China.
While the FTC continues to drive important privacy and consumer-protective action in this area, considerable privacy law gaps remain that only Congress can comprehensively address. This includes potential risks to U.S. national security associated with the transfer of U.S. persons’ data, in weakly encrypted and identifiable form, to companies in China.
The FTC’s Complaint
The FTC acted to enforce its Health Breach Notification Rule, which it first invoked against the telehealth and prescription drug provider GoodRx in February 2023. Because GoodRx was not covered by HIPAA, it was the FTC, rather than the Department of Health and Human Services, that led the enforcement. The same applies in Premom’s case: Because the app was not prohibited under any health privacy law in the United States from gathering and then quietly sharing consumers’ identifiable health data, the FTC acted under its authority to enforce against unfair or deceptive acts or practices (under Section 5 of the FTC Act). It also charged that Premom “failed to fully disclose its data sharing practices” and “violated direct promises to consumers.”
According to the FTC’s complaint, Premom told users that it would not share their health data with third parties, that it collected and shared only “non-identifiable data,” and that collected data was used only for the company’s own analytics or advertising. But this was not true. The Premom app allegedly integrated software development kits (SDKs), or prepackaged code used to build apps, from Google and AppsFlyer. In doing so, Premom would transfer data from app users to both Google and AppsFlyer. The FTC gives a disturbing example: "[W]hen a user uploads a picture of an ovulation test, Defendant records the user’s interaction with that feature as a Custom App Event that is shared with Google and AppsFlyer."
Premom also shared health information about users through “Custom App Events” that effectively disclosed health data through their titles. For instance, if a user signed up for a pregnancy guarantee—where Premom refunded their ovulation and pregnancy test kits if they didn’t successfully conceive within nine months of app use—Premom would log that as “Guarantee/signup” and share that event with third parties. A company could then learn that a Premom user was attempting to conceive.
Over years, the FTC said, Premom shared hundreds of thousands of consumers’ health data with Google and AppFlyers through their SDKs. Again, however, Premom made such statements as “third party services do not have access to your health information through the Services unless you share that information directly with them,” in direct contradiction to its own practices. Making matters worse, these “Custom App Events” were unencrypted. This increases the likelihood of the information being intercepted in transit and immediately read by a bad actor.
Premom also shared U.S. consumers’ health data with two companies located in China. The first company, Umeng, is a Chinese mobile analytics company owned by Alibaba, the Chinese technology giant; it makes an SDK called U-Share. The second company, Jiguang, is a Chinese mobile developer and analytics provider that makes an SDK called JPush. Premom used both SDKs in its mobile app. By integrating the SDK from Umeng (owned by Alibaba), the Premom app shared users’ social media account information with the company. In addition, both SDKs collected “extensive amounts of other identifiable data on Premom’s users and transmitted it to Umeng and Jiguang,” including precise geolocation information, Wi-Fi media access control (MAC) addresses for devices, Android ID and Android Advertising ID (used for targeted advertising), and numerous identifiers that cannot be changed (such as Hardware Identification and International Mobile Equipment Identity numbers, router addresses, and router Service Set Identifiers, or SSIDs, that name wireless networks). This is all information that could easily be used to identify devices. While many companies might claim that data without a name or Social Security number is “anonymized,” the reality is that some of these single data points alone, such as a MAC address, can identify a device and therefore its user. Combining these data points together would make it even easier to identify the individual on the other side of the app screen.
The privacy abuses do not end there. When Premom used the SDKs from Umeng and Jiguang, the FTC said, it agreed to their privacy policies. Jiguang said in its policy that it collected Wi-Fi MAC addresses, even though Apple prohibits developers from collecting non-resettable device identifiers and Google restricts access to MAC addresses. Sharing this data with a third party thus violated Apple and Google app store policies. In fact, in a move that might shock many policymakers, Jiguang’s JPush SDK “circumvented Android’s privacy controls and exploited a known bug in order to acquire Premom users’ Wi-Fi MAC addresses” anyway. Further, both Umeng and Jiguang said in their privacy policies that they were free to use the data for their own purposes, including advertising, and to share the data with third parties. The Premom developers allegedly never disclosed any of this to their users. The developers “only made such a disclosure” once Google alerted Premom that using Umeng’s U-Share SDK violated Google app store policies.
Premom’s failure to use strong encryption created further cybersecurity risks around users’ data. The FTC’s complaint puts it simply:
When JPush transferred users’ information to Jiguang’s servers outside the United States, JPush both utilized a non-standard encryption method and included the decryption key in the transfer. As a result of these practices, any third party who acquired this data, including foreign governments or bad actors, could decrypt and access Premom users’ sensitive data, including precise geolocation information and non-resettable identifiers described above.
Other claims abound. The FTC says that Premom failed to implement reasonable privacy and data security measures, such as failing to monitor changes in the SDKs’ privacy policies and practices. Premom also allegedly failed to audit any of the SDKs it used and failed to “establish or enforce any internal privacy compliance programs, protocols, or policies.”
What Happens Now?
The FTC’s proposed order, separate from the complaint described above, is just that: proposed. If the U.S. District Court for the Northern District of Illinois approves the order, it would penalize Easy Healthcare Corporation (which owns Premom) $100,000 for violating the FTC’s Health Breach Notification Rule. (That would be on top of the aforementioned $100,000 that Premom has already agreed to pay in D.C., Connecticut, and Oregon.) It would additionally, as summarized in the FTC press release, permanently bar Easy Healthcare from sharing users’ personal health data with third parties for advertising purposes; require it to obtain users’ consent before sharing their personal health data with third parties for other purposes; require it to store users’ personal information no longer than as necessary to “fulfill the purpose for which it was collected”; require it to ask the third parties to delete the data it shared about users; and require it to implement privacy and security programs with compliance checks, among others.
Some of these measures are relatively strong. For example, placing strict controls around retention of users’ health data, imposing requirements to disclose uses of health data, and barring the company from sharing users’ health data with third parties for advertising would provide more protections for Premom users’ privacy than currently exist. Yet at least two points stand out. The $100,000 fine is considerably small. Even alongside the possibility of injunctive measures to impose privacy requirements and data-sharing restrictions on Premom, the company quietly shared consumers’ highly sensitive health data and precise geolocation with third parties, in unencrypted or weakly encrypted form, while essentially lying to consumers that it was not doing anything of the sort. A higher fine would send a stronger signal to companies seeking to profit from the collection and exploitation of consumers’ health data, such as data concerning menstruation and pregnancy.
The FTC is, however, doing important work in this area, long supported by both Democratic and Republican commissioners, to enforce against unfair or deceptive uses of consumers’ data. Its enforcement of the Health Breach Notification Rule, for the second time ever, also marks a commission focused on protecting consumers’ physical and mental health data. But major gaps remain in U.S. privacy law and regulation. Akin to GoodRx, Premom is not regulated by HIPAA, often referred to as the United States’ health privacy law, and is therefore not prohibited from collecting, selling, and sharing Americans’ identified health data per se. Instead, the FTC was able to take action against Premom primarily because the company was engaged in deceptive practices.
Looking ahead, a systemic approach to regulating the selling and sharing of Americans’ health information will require a concerted legislative response. This means new laws alongside increased funding for the FTC, so that it can continue to expand its privacy enforcement activities. Congress must evaluate how HIPAA, passed nearly 30 years ago, no longer holds up in an age of mobile apps, websites, social media, advertising technology companies, and data brokers. Regulatory enforcement is absolutely vital. But it should not be the only health privacy tool in the U.S. government’s privacy toolbox.