FTC Gives Fertility App $200k Wrist Slap For Sharing Sensitive Medical Info
from the going-great,-thanks-for-asking dept
We’ve mentioned for years how there’s now an absolute ocean of telecoms, services, apps, and other companies that are busy collecting all manner of sensitive location, health, mental health, browsing, and sexual preference data, then selling access to it to a massive array of dodgy and poorly regulated data brokers. Despite this, we consistently refuse to pass any sort of competent internet privacy law or competently regulate said brokers.
When the obvious happens, policy leaders, politicians, and others then stand around with a dumb look on their faces wondering what went wrong. The best that usually happens is the FTC, an underfunded, understaffed agency whose authority is constantly eroded by heavily lobbied politicians, then steps in to issue a few wrist slap fines that are a tiny fraction of the money made from the behavior.
Case in point: the FTC last week dinged pregnancy app Premom (and its owner Easy Healthcare Corporation) $200,000 because the app was sharing sensitive medical and pregnancy data with Google and “China-based marketing and analytics firms.” Not only was it sharing this data and doing a poor job tracking how it was being used, the app was bullshitting users into thinking the data was secure:
In a complaint also filed by the Department of Justice, the FTC says that Easy Healthcare repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising. Easy Healthcare failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs) and shared health information for advertising purposes without obtaining consumers’ affirmative express consent, according to the FTC.
While the FTC also recently fined GoodRX for the unauthorized sharing of consumer health data, the agency lacks the staff or funding to go after bad actors at the scale these companies and data brokers are now operating. As a result, countless thousands of these companies are engaging in the same sort of behavior, but only a few see tiny penalties for it years after the fact.
These efforts aren’t exactly useless; changing the behavior of a few companies still matters, and follow-up enforcement efforts on these same companies could prove significant and motivating.
At the same time, these efforts tend to be a drop in the bucket, thanks to our longstanding and corrupt refusal to pass even a semi-competent and meaningful consumer privacy law in the internet era (or fund our regulators). All of these same companies across countless industries are spending significantly more money than they’ll ever pay in fines, to lobby federal policymakers into apathetic dysfunction.
Generally, the broader press likes to pretend this broader corruption-fueled dysfunction isn’t happening. And with so much going on in the world of late, the public generally lacks the attention span to generate consistent pressure on government. Even in the wake of Roe’s overturn, and the resulting concerns about the dangers of this data being abused by authoritarians and vigilantes, reform has been hard to come by.
Especially among the performative politicians who’ll hyperventilate about a single app like TikTok as they distract from, downplay, or outright ignore their consistent and much broader failures on consumer and privacy protections. It’s going to take a privacy scandal at a scale we’ve never considered to finally drive action and reform in this space, and I’d hate to imagine precisely what that mess will look like.