A recent investigation from the International Digital Accountability Council (IDAC) found that the mobile app Premom may have engaged in deceptive practices by compromising user privacy
WASHINGTON – U.S. Senator Amy Klobuchar (D-MN), a senior Member of Senate Commerce Committee and Ranking Member of the Senate Judiciary Subcommittee on Antitrust, Competition Policy and Consumer Rights and Chairman of the Senate Commerce Subcommittee on Manufacturing, Trade, and Consumer Protection, Senator Jerry Moran (R-KS), sent a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (“app”) Premom.
Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant, relying on personal and private health information. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the Apple App and Google Play stores.
Klobuchar and Moran were joined by Ranking Member of the Senate Commerce Committee, Maria Cantwell (D-WA), Richard Blumenthal (D-CT), Shelley Moore Capito (R-WV), Elizabeth Warren (D-MA), and Mark Warner (D-VA).
“A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent,” Klobuchar and her colleagues wrote.
In her role as a senior Member of the Senate Commerce Committee and Ranking Member of the Senate Judiciary Subcommittee on Antitrust, Competition Policy and Consumer Rights, Klobuchar has championed efforts to protect consumers’ privacy - especially with regard to sensitive health information.
In June 2019, Klobuchar and Senator Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act to protect consumers’ private health data not covered under existing privacy law. Health data tracking apps have given companies access to unprecedented levels of consumer health data, yet current law does not adequately address the emerging privacy concerns presented by these new technologies. The Protecting Personal Health Data Act addresses these health privacy concerns by requiring the Secretary of Health and Human Services to promulgate regulations for new health technologies such as health apps, wearable devices, and direct-to-consumer genetic testing kits that are not regulated by existing laws.
In July 2020, Klobuchar led a letter to the Department of Justice (DOJ) to urge the Antitrust Division to conduct a comprehensive review of Google’s proposed acquisition of Fitbit, which raised concerns about Google’s ability to access activity-monitoring data from Fitbit’s millions of users and employ Fitbit user data to support Google’s advertising and other businesses.
In November 2019, Klobuchar joined Commerce, Science, and Transportation Committee Ranking Member Maria Cantwell (D-WA) and fellow senior members Senators Brian Schatz (D-HI) and Ed Markey (D-MA) in unveiling comprehensive federal online privacy legislation to establish privacy rights, outlaw harmful and deceptive practices, and improve data security safeguards for the record number of American consumers who now shop or conduct business online.
Also in November 2019, Klobuchar released a statement following reports from the Wall Street Journal that Google and Ascension are collaborating to share the personal health information of roughly 50 million Americans—including personally identifiable information, lab results, hospital records, and physician diagnoses—on Google’s cloud system. Klobuchar and Senator Murkowski sent a letter to the Department of Health and Human Services (HHS), urging the agency to examine the collaboration between Google and Ascension health system.
The full text of the letter can be found HERE and below:
Dear Chairman Simons:
We write to express our serious concerns regarding recent reports about the data collection and sharing practices of the mobile application (“app”) Premom and to request information on the steps that the Federal Trade Commission (FTC) plans to take to address this issue.
Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the leading app stores. To use Premom, users provide the app extensive personal and private health information.
A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent. IDAC sent a letter to the FTC on August 6, 2020, to describe these undisclosed data transmissions along with other concerning allegations including conflicting privacy policies and questionable representations related to their collection of installed apps for functionality purposes.
While we understand that Premom has taken steps to update its app to halt the sharing of its users’ information with these companies, it is concerning that Premom may have engaged in these deceptive practices and shared users’ personal data without their consent. Additionally, there may still be users who have not yet updated the Premom app, which could still be sharing their personal data—without their knowledge or consent.
In light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?
2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?
Thank you for your time and attention to this important matter. We look forward to working with you to improve Americans consumers’ data privacy protections.