08.28.20

Cantwell, Klobuchar, Moran Urge FTC to Address Privacy Issues Surrounding “Premom” Mobile Fertility App

Letter follows investigation from the International Digital Accountability Council (IDAC) that found Premom may have engaged in deceptive practices by compromising user privacy

WASHINGTON, D.C. – Today, U.S. Senator Maria Cantwell (D-WA), the ranking member of the Senate Committee on Commerce, Science, and Transportation, joined Senators Amy Klobuchar (D-MN) and Jerry Moran (R-KS) in a bipartisan letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application Premom.

Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant, relying on personal and private health information. As of November 2019, the app had been downloaded over half a million times, and it is one of the top search results among fertility apps in the Apple App and Google Play stores.

“A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent,” the senators wrote to FTC Chairman Simons.

In their letter the senators asked whether the FTC will investigate the consumer data collection, transmission, and processing conduct described in the IDAC report, and whether the FTC will notify—or require Premom to notify—app users that Premom may still be sharing their personal data without their permission if they have not updated the app. The senators also asked how the FTC can use its authority under Section 5 of the Federal Trade Commission Act to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in.

Senator Cantwell has been one of the fiercest advocates for consumer privacy in the Senate. In June, in the midst of the development of exposure notification technologies to help combat the spread of COVID-19, Cantwell introduced bipartisan legislation to protect consumer privacy and promote public health in the development of these tools. In November, Cantwell introduced comprehensive federal online privacy legislation that would establish privacy rights, outlaw harmful and deceptive practices, and improve data security safeguards for online commerce. Cantwell has repeatedly called for comprehensive privacy protections, leading the fight to protect and restore net neutrality rules to keep a free and open internet. She has also championed the importance of investing in cybersecurity measures throughout the U.S. economy and pushed federal agencies like the FTC to take a more robust role in protecting Americans from privacy threats.

In addition to Senators Cantwell, Klobuchar, and Moran, the letter to FTC Chairman Simons was also signed by Senators Richard Blumenthal (D-CT), Shelley Moore Capito (R-WV), Elizabeth Warren (D-MA), and Mark Warner (D-VA).

The full text of the letter is below.

Dear Chairman Simons:

We write to express our serious concerns regarding recent reports about the data collection and sharing practices of the mobile application (“app”) Premom and to request information on the steps that the Federal Trade Commission (FTC) plans to take to address this issue.

Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the leading app stores. To use Premom, users provide the app extensive personal and private health information.

A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent. IDAC sent a letter to the FTC on August 6, 2020, to describe these undisclosed data transmissions along with other concerning allegations including conflicting privacy policies and questionable representations related to their collection of installed apps for functionality purposes.

While Premom claimed to only share “nonidentifiable” information in its privacy policy, the IDAC report found that Premom collected and shared—with three third-party advertising companies based in China including Jiguang, UMSNS, and Umeng—non-resettable unique user device identifiers that can be used to build profiles of consumer behavior. Additionally, users of the Premom app were not given the option to opt out of sharing their personal data with these advertising companies, and reports also allege that one of the companies that received user data from Premom concealed the data being transferred—which privacy experts say is an uncommon practice for apps that is used primarily to conceal their data collection practices.

While we understand that Premom has taken steps to update its app to halt the sharing of its users’ information with these companies, it is concerning that Premom may have engaged in these deceptive practices and shared users’ personal data without their consent. Additionally, there may still be users who have not yet updated the Premom app, which could still be sharing their personal data—without their knowledge or consent.

In light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:

  1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?
  2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
  3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
  4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
  5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?

Thank you for your time and attention to this important matter. We look forward to working with you to improve American consumers’ data privacy protections.

Sincerely,

###