Flo Case Shows Inadequate Data Privacy Protection in the USA

January 22, 2021

Flo is an app for tracking women’s menstrual cycles. Thus, it holds pretty private information. It promised to keep that private but was selling it to other companies. And as a result, it got no financial penalty. The penalty amounts to a warning not to do this again. Even though I am obviously not affected, I think we need to stand up. Menstruation cycle information is particularly private information for a corporation to have. If they don’t respect privacy here, they won’t respect our privacy in other matters.

I will quote a news story then offer some analysis.

Flo Gets Less Than a Slap on the Wrist

Menstrual Calendar Chain (CC BY-SA 3.0 Dellex)

TechCrunch posted about this case:

The FTC has reached a settlement with Flo, a period and fertility tracking app with 100 million+ users, over allegations it shared users’ health data with third-party app analytics and marketing services like Facebook despite promising to keep users’ sensitive health data private.

Flo must obtain an independent review of its privacy practices and obtain app users’ consent before sharing their health information under the terms of the proposed settlement.

The action follows a 2019 report in the Wall Street Journal that conducted an analysis of a number of apps’ data sharing activity.

It found the fertility tracking app had informed Facebook of in-app activity — such as when a user was having their period or had informed it of an intention to get pregnant. It did not find any way for Flo users to prevent their health information from being sent to Facebook. […]

No financial penalty is being levied but the FTC’s proposed settlement is noteworthy as it’s the first time the U.S. regulator has ordered notice of a privacy action.

“Apps that collect, use and share sensitive health information can provide valuable services but consumers need to be able to trust these apps. We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, in a statement.

Secular Analysis

Rohit Chopra and Rebecca Kelly Slaughter, two FTC commissioners, wrote:

While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo’s conduct violated the Health Breach Notification Rule, yet the Commission’s proposed complaint fails to include this allegation. The rule helps ensure that consumers are informed when their data is misused, and firms like Flo should not be ignoring it.

Menstrual cycle data is private health data and should be protected like that.

Dan Price (the CEO who raised every employee’s salary to $70,000) was the one who made me aware of this:

Catholic Analysis

Data Privacy

Fratelli Tutti 42, the first formal magisterial acknowledgment of the right to privacy, talks about the denial of this right:

While closed and intolerant attitudes towards others are on the rise, distances are otherwise shrinking or disappearing to the point that the right to privacy scarcely exists. Everything has become a kind of spectacle to be examined and inspected, and people’s lives are now under constant surveillance. Digital communication wants to bring everything out into the open; people’s lives are combed over, laid bare and bandied about, often anonymously. Respect for others disintegrates, and even as we dismiss, ignore or keep others distant, we can shamelessly peer into every detail of their lives.

Although this data was sold to target ads better, not for the public spectacle this number speaks of, similar principles apply. When data is so personal, there is a right to keep it private. If it will not be private, there is a right to information about the use of the data beforehand.

A person can freely choose to give up data privacy in exchange for not paying for a menstrual cycle tracking app. However, that should be a clear choice the consumer is knowingly making. Complex terms of service often obscure this. Nobody reads these and they deceptively push people to accept less privacy than they really want. It is in companies’ interest to set the defaults as low privacy and share information. It is generally in consumers’ interest to seek higher privacy. The FTC should protect consumers, not companies. Yet here, the FTC has told companies not to worry about lying to consumers and using their data after promising not to: all you get is a slap on the wrist. This is problematic.

Health Privacy

Privacy is obviously not an absolute right: it is a secondary right. As such, we have different degrees of privacy for different things. Those that are more personal deserve more privacy protection. Health information, especially something like menstrual tracking, is among the most private types of information. Thus, this should have a higher priority for being private.


Flo was wrong to release women’s information after promising not to. This is a serious breach of privacy and we must treat it as such. Giving them a slap on the wrist and telling them not to do it again is insufficient. This is all the more true as it was health information. The government must protect consumers who are in a vulnerable spot when dealing with companies who make money off data.
