1645981766710
Director of the FTC Bureau of Consumer Protection Samuel Levine | Samuel Levine/LinkedIn

Levine: 'Premom broke its promises and compromised consumers’ privacy'

The Federal Trade Commission recently charged Premom, the developer of a fertility app, for deceptive practices and the sharing of users' personal information with third parties illegally.

The FTC alleged Prenom disclosed personal and health data to companies in China, AppsFlyer and Google, without user consent or notification, according to a May 17 news release. The actions by Premom violate the Health Breach Notification Rule, and the FTC said it would protect consumers' health data and warned companies against health privacy abuses.

“Premom broke its promises and compromised consumers’ privacy,” Samuel Levine, director of the FTC Bureau of Consumer Protection, said in the release. “We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”

The Premom app, operated by Easy Healthcare Corporation, is widely used and has features for tracking ovulation and menstrual cycles, but it was found to collect and share user data without disclosure or consent, the release reported. 

The FTC said Premom made deceptive promises in its privacy policies, claiming it didn't share data without consent, but it shared sensitive and personally identifiable health details, the release said. The app used automated tracking tools, including SDKs from AppsFlyer, Google, Umeng and Jiguang, and Premom failed to adequately encrypt the shared data, which put it at risk of interception.

Under the proposed order, Easy Healthcare would pay a $100,000 penalty for violating the Health Breach Notification Rule and would be permanently prohibited from sharing user personal health data for advertising purposes, according to the release. It would also be required to obtain user consent before sharing such data and would have to implement comprehensive security and privacy programs, retain personal information only as long as necessary, seek deletion of shared data and comply with notification requirements if future breaches occur.

More News