Don’t Take Analytics for Granted

Privacy Plus+

Privacy, Technology and Perspective

Don’t Take Analytics for Granted.  Last week, we predicted that 2021 will be the Year of Vendor Management – the year when privacy focus will sharpen on what personal information third- and fourth-party vendors may (and may not) collect, and what they may (and especially may not!) do with it. 

This week, we see evidence of this already happening.

On Wednesday, January 13th, the FTC announced that it has settled allegations that the developer of a women’s health app (used by 100 million users) shared its users’ health information with outside providers, after promising its users that such information would be kept private.

The proposed Consent Order will require Flo Health, Inc. not to misrepresent (i) the purposes for which it collects, uses, or discloses health and other personal information, (ii) the extent to which it is certified by or complies with (the now-defunct) Privacy Shield or other privacy or security programs, or (iii) the extent to which it protects the availability, confidentiality, or integrity of its users’ information. It will also require the developer to instruct third-party vendors to destroy any such information they have received; to provide notice to its users of what has happened; to give clear disclosures and get clear consent before disclosing any such information to any other third parties; and to undergo detailed compliance review, recordkeeping, reporting, and monitoring.

The FTC’s announcement may be found by clicking the following link:

https://www.ftc.gov/news-events/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc

And a copy of the proposed Consent Order may be found by clicking the following link:

https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf

What is most striking:

  • The developer’s Privacy Notice promised such information would be used “only to improve [the developer’s] services” – this type of language is commonly used in privacy notices by a myriad of companies whose sole intent with respect to analytics is to leverage those analytics for the purpose of improving the services; and

  • The accused impermissibly shared sensitive health information of users with marketing and analytics providers, such as Facebook analytics, Google analytics, Google Fabric, and mobile analytics groups AppsFlyer and Flurry, despite promising users that such information would be kept private.

The exact issues were that the developer did not limit the analytics providers’ further disclosure or use of the information, and otherwise did not accurately represent in its privacy notice how it collects, maintains, uses, discloses, deletes or protects users' personal information.

Reasonable collection, maintenance, use, disclosure and deletion of personal information along with the representation of the developer’s privacy practices set up a disconnect – a gap – between limitations which the developer was promising its users through its Privacy Notice, and freedoms it was permitting its providers through its contracts with them. The FTC found that this failure to carry the use and purpose limitations through into its vendor contracts was a misleading or deceptive act and practice.

In part, the FTC’s special attention to this developer may have been driven by the fact that it would be hard to imagine personal information that is more “personal” than the women’s health information contained in this app. Other issues with the developer’s privacy posture - such as apparently saying it was certified under the Privacy Shield when it was not - may have entered into it as well. 

We doubt the wisdom, however, of adopting a strategy that relies on, “well, unlike in Flo Health, the personal information we collect isn’t that sensitive.” Instead, we believe the lesson of this case is to pay special attention to tracking every commitment you are making in your Privacy Notice against every permission you are granting - even indirectly or by omission - in your vendor contracts. 

In the Year of Vendor Management, analytics should mean analytics. 

And nothing more. 

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
