WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) joined Sen. Amy Klobuchar (D-MN), a senior Member of Senate Commerce Committee and Ranking Member of the Senate Judiciary Subcommittee on Antitrust, Competition Policy and Consumer Rights and Chairman of the Senate Commerce Subcommittee on Manufacturing, Trade, and Consumer Protection, Senator Jerry Moran (R-KS), sent a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (“app”) Premom.
Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant, relying on personal and private health information. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the Apple App and Google Play stores.
In addition to Sen. Warner, Sens. Klobuchar and Moran were joined by Ranking Member of the Senate Commerce Committee, Maria Cantwell (D-WA), Richard Blumenthal (D-CT), Shelley Moore Capito (R-WV), and Elizabeth Warren (D-MA).
“A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent,” Klobuchar and her colleagues wrote.
The full text of the letter can be found HERE and below:
Dear Chairman Simons:
We write to express our serious concerns regarding recent reports about the data collection and sharing practices of the mobile application (“app”) Premom and to request information on the steps that the Federal Trade Commission (FTC) plans to take to address this issue.
Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the leading app stores. To use Premom, users provide the app extensive personal and private health information.
A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent. IDAC sent a letter to the FTC on August 6, 2020, to describe these undisclosed data transmissions along with other concerning allegations including conflicting privacy policies and questionable representations related to their collection of installed apps for functionality purposes.
While we understand that Premom has taken steps to update its app to halt the sharing of its users’ information with these companies, it is concerning that Premom may have engaged in these deceptive practices and shared users’ personal data without their consent. Additionally, there may still be users who have not yet updated the Premom app, which could still be sharing their personal data—without their knowledge or consent.
In light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?
2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?
Thank you for your time and attention to this important matter. We look forward to working with you to improve Americans consumers’ data privacy protections.