FTC Announces Proposed Settlement Over Fertility App Health Data Disclosures | Practical Law


The FTC has announced a proposed settlement with Premom mobile app developer, Easy Healthcare Corporation, over allegations that it violated the Health Breach Notification Rule and the FTC Act by misrepresenting its data handling practices and disclosing health data without the app user's consent through third-party software development kit (SDK) configurations.


Practical Law Legal Update w-039-4938 (Approx. 5 pages)


by Practical Law Data Privacy & Cybersecurity
Published on 18 May 2023 | USA (National/Federal)
On May 17, 2023, the FTC issued a press release announcing a proposed settlement that bans Premom Ovulation Tracker mobile app developer, Easy Healthcare Corporation, from sharing users' personal health data with third parties for advertising purposes and requires it to instruct third parties to delete any Premom app health data obtained without users' prior express consent. The order settles allegations that Easy Healthcare violated the FTC Act and the Health Breach Notification Rule (HBNR) (16 C.F.R. §§ 318.1 to 318.9).
Easy Healthcare's Premom app allows users to manage their reproductive health, including by tracking changes in weight, body temperature, and menstrual cycles. Users can enter their health information directly into the app, upload photos of ovulation tests, or import other health data by connecting Premom to third-party apps or services. To enable certain features and engage third-party marketing and analytics services, Easy Healthcare integrated software development kits (SDKs) from Google, LLC, AppsFlyer, Inc., and two Chinese firms (collectively, SDK Developers) into the Premom app.
According to the FTC's complaint, Easy Healthcare's third-party SDK integrations caused the Premom app to disclose users' sensitive personal information to the SDK Developers, including health information, geolocation data, and non-resettable device identifiers such as IMEI numbers and MAC addresses. Notably, this action is the first in which an FTC complaint expressly classified non-resettable device identifiers as highly sensitive personal information. The FTC also claimed that Easy Healthcare's decision to give the SDKs' custom events descriptive rather than generic names, for example by selecting "Logperiod-save" as the custom event name when a user records their menstruation date, meant that the event stream itself disclosed health information to the SDK Developers.
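The two leak paths in that paragraph, a descriptive custom-event name and a non-resettable identifier carried in the event payload, can be caught before release by auditing the events an app hands to its analytics SDKs. The following is an added example written for this update, not code from Easy Healthcare, the FTC, or any SDK vendor; the SDK names, health-term list and sample events are constructed, and the third event shows the opaque-name pattern a remediated build would use.

```python
"""Release-time audit of analytics events sent to third-party SDKs.

Added example (not from the page or any vendor). Flags the two disclosure
paths the FTC complaint describes: custom event names that reveal a
health-related action, and non-resettable device identifiers in the payload.
"""
import re
from dataclasses import dataclass, field

# Hypothetical term list; a real app would build this from its own feature vocabulary.
HEALTH_TERMS = ("period", "menstru", "ovulat", "pregnan", "fertil", "temperature", "weight")

IMEI_RE = re.compile(r"^\d{15}$")                                  # 15-digit IMEI
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")    # aa:bb:cc:dd:ee:ff
ID_KEYS = {"imei", "mac", "mac_address"}                           # payload keys that name a hardware id


@dataclass
class AnalyticsEvent:
    sdk: str                       # destination SDK (constructed names below)
    name: str                      # custom event name chosen by the app developer
    params: dict = field(default_factory=dict)


def audit_event(ev: AnalyticsEvent) -> list[str]:
    """Return findings for one event; an empty list means it is clean."""
    findings = []
    lowered = ev.name.lower()
    term = next((t for t in HEALTH_TERMS if t in lowered), None)
    if term:
        findings.append(f"{ev.sdk}: event name '{ev.name}' reveals health activity ('{term}')")
    for key, value in ev.params.items():
        s = str(value)
        if key.lower() in ID_KEYS or IMEI_RE.match(s) or MAC_RE.match(s):
            findings.append(f"{ev.sdk}: param '{key}' carries a non-resettable device identifier")
    return findings


def audit(events: list[AnalyticsEvent]) -> list[str]:
    """Audit a whole event catalogue; the list should be empty before shipping."""
    return [f for ev in events for f in audit_event(ev)]


# Constructed sample events modelled on the complaint's "Logperiod-save" example.
SAMPLE_EVENTS = [
    AnalyticsEvent("analytics-vendor-A", "Logperiod-save", {"imei": "490154203237518"}),
    AnalyticsEvent("analytics-vendor-B", "screen_view", {"screen": "settings", "device": "AA:BB:CC:DD:EE:01"}),
    AnalyticsEvent("analytics-vendor-A", "evt_0417", {"session": "s1"}),  # opaque name, resettable id only
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

The mapping from opaque names such as `evt_0417` back to their meaning stays inside the developer's own systems, so the SDK Developer receives only that an event occurred, not what the user did.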
The FTC alleged that the Premom app's ongoing disclosure of identifiable, unencrypted, and unsecured user health information to third parties through the SDKs was a security breach that the HBNR required Easy Healthcare to report. However, Easy Healthcare never provided the required agency and individual notices.
The complaint also alleged that Easy Healthcare broke promises made to users in its in-app and website privacy policies, including commitments that it would never share health information with third parties without users' knowledge and consent and that its SDKs and third-party analytics software identified users only by IP address.
The complaint further claims that Easy Healthcare did not implement reasonable privacy and security measures, including by failing to:
  • Adequately assess the risk of incorporating each SDK.
  • Monitor changes in each SDK Developer's privacy and use policies.
  • Audit SDK Developers' access to and use of data from the app.
  • Implement a privacy compliance program to ensure it met its privacy policy commitments.
  • Provide adequate privacy training for employees responsible for incorporating and managing SDKs.
Among other actions, the proposed settlement requires Easy Healthcare to:
  • Not share users' personal health data with third parties for advertising purposes.
  • Obtain users' affirmative express consent before disclosing their personal health data to third parties for any other, non-advertising purpose.
  • Identify all third parties that received users' personal data, whether secured or not, and notify them that Easy Healthcare improperly disclosed the data.
  • Instruct the SDK Developers to delete all of the Premom users' personal information received from the app during specified periods, including hashed or encrypted information, and demand written confirmation of the deletion.
  • Post a notice included in the order on its home page for six months and email it to all users who downloaded the app during the period of violations.
  • Establish a comprehensive, written privacy program, including a data retention schedule that meets certain requirements and provides strong safeguards to protect consumer data.
  • Pay a civil penalty of $100,000 for the HBNR violation.
Easy Healthcare also agreed to pay additional fines totaling $100,000 to Connecticut, the District of Columbia, and Oregon for state and local law violations arising from the same conduct.
The draft order is subject to public comment for 30 days after the FTC publishes the full settlement package in the Federal Register. The FTC will decide whether to finalize the proposed consent order after the public comment period closes. The settlement builds on several recent health data enforcement actions against GoodRx Holdings, Inc. and BetterHelp, Inc., initiated after the FTC's 2021 policy statement reminding health apps to comply with the HBNR. For more on these prior actions, see Legal Updates:
The FTC's action serves as a clear reminder that businesses should carefully review technology integrations to ensure they fully understand how data flows from their mobile apps and websites to third parties, and what personal information those data flows may reveal.