FTC Settles Two Data Privacy Allegations

Written by: Brett Lawrence, Esq.

Last month, the Federal Trade Commission (“FTC”) settled two allegations against two companies surrounding the unfair and deceptive use of facial recognition software and disclosure of health data.

Everalbum, Inc.

The FTC alleged that Everalbum, Inc., a California-based developer of a photo app called “Ever,” deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. In the FTC’s complaint, the FTC alleged that Everalbum was using face recognition by default for all Ever mobile app users without the user’s consent and did not provide those users the chance to turn off face recognition. FTC also alleged that Everalbum never deleted any user photos and/or videos upon account deactivation, contrary to its privacy policy.

As part of the settlement with the FTC, Everalbum must, among other things, obtain user express consent before using facial recognition technology for the Ever app and delete all photos and videos of Ever app user who deactivated their accounts. Everalbum must also delete any facial recognition models or algorithms developed with Ever users’ photos and videos.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, has publicly stated that companies handling biometric data will be a high priority for the FTC, “as companies can turn photos of your loved ones into sensitive biometric data.”

Flo Health, Inc.

The FTC further settled with Flo Health, Inc., a developer of a period and fertility-tracking app, the “Flo Period and Ovulation Tracker” (the “Flo App”). The FTC alleged that Flo Health was sharing the health information of its users without third-party data analytics providers despite promising that the user information would be kept private. According to the FTC’s complaint, Flo Health’s privacy policy provided that Flo Health would only share personal information with third parties for the purposes of operating and servicing the Flo App. However, the FTC alleged Flo Health disclosed health data from millions of users to outside data analytics companies providing marketing and analytics services, including Facebook and Google.

Flo Health’s settlement stipulates that Flo cannot misrepresent how it discloses, maintains, and collects user data and its conformity with any privacy, security, or compliance program. Flo Health must further notify all affected users about the disclosure of their personal information and instruct all third parties who have received Flo Health user data to destroy that data.

Leave a comment