Flo on Priv: Data Privacy Challenges in Women’s Health Apps

December 14, 2022

Every day, we count steps with fitness trackers, log weight and diet information into apps, and share personal health information on platforms not covered by the Health Insurance Portability and Accountability Act (HIPAA). When we do so, how is that information we input collected, safeguarded, and shared online, and who carries the burden of privacy protection?

In this week’s episode of Privacy Abbreviated, host Dona Fraser and new host Arlo Gilbert, CEO of Osano, are joined by Tsimafei Savitski, Chief Legal Compliance Officer, and Roman Bugaev, Chief Technology Officer of Flo, an app designed to track ovulation cycles. Due to the nature of the app, users are asked to share detailed information about their health and wellness, and Flo is well aware of this sensitivity. Listen now to hear how the Flo team is raising the bar for privacy by upholding anonymity on their platform.




Show Notes

00:00 – In episode five of Privacy Abbreviated, hosts Dona Fraser, Senior Vice President of Privacy Initiatives at BBB National Programs (BBB NP), and Arlo Gilbert, CEO and founder of Osano, sit down to discuss data privacy measures among health apps. They are joined by Tsimafei Savitski, Chief Legal Compliance Officer of the female health and wellness app Flo, and Roman Bugaev, the app's Chief Technology Officer.

00:50 – The hosts open this episode by discussing the connection between HIPAA and wellness apps. There is now a plethora of apps that track everything from steps taken to calories burned to hours slept. While these apps can be extremely helpful in maintaining one's health, the data they collect is not covered by HIPAA. This means that personal information is not protected from being accessed and used without the user's consent. This is a major concern for privacy advocates, who worry that the data could be used to discriminate against users or to deny them insurance coverage. Even if the data is anonymized, there is still a risk that it could be used to identify individuals. For now, it is best to use caution when sharing health data through apps. Arlo then brings the American Data Privacy and Protection Act (ADPPA) into the conversation, noting that the act may be revived in 2023. The ADPPA is a bill that would create national standards and safeguards for personal information collected by companies, including protections intended to address potentially discriminatory impacts of algorithms. Although Congress is unlikely to enact the bill between now and the end of the year, the ADPPA represents progress toward a comprehensive data privacy law in the United States.

01:33 – The Federal Trade Commission (FTC) has stated its intention to interpret the HIPAA Breach Notification Rule broadly. HIPAA's Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed ("breached") in a way that compromises the privacy and security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a "low probability" that the PHI has been compromised. The growing need to revisit the HIPAA Breach Notification Rule and the ADPPA is driven by resurfacing conversations about consumers having more control over their personal data when using apps. In this episode, our hosts and guests discuss the relevance of these two mandates to how sensitive personal health data is stored and maintained.

02:10 – After a brief discussion of these mandates, Roman shares some information about the female health and wellness app Flo. What started in 2015 as an app that lets women track their ovulation cycles has evolved into a thriving platform with personalized health insights, virtual dialogs, and dozens of courses on how the cycle affects the body and well-being. The FTC previously investigated Flo over claims that the company was not upholding its stated data collection and sharing promises. A recent independent audit found that Flo's policies and handling of personal data are consistent with its publicly stated privacy policy.

09:09 – Dona then raises a question about the process of deleting personal data: can users request to have their data deleted? According to Roman, Flo maintains the highest possible standards with respect to all the data it processes, and users can simply request the deletion of their personal data if they wish. Roman also adds that Flo holds data for users worldwide, even though its infrastructure is located within the United States. As such, the company relies on cloud providers to store its data. Cloud providers can store data in multiple locations, making it easier for app developers to comply with data privacy regulations. In addition, cloud providers typically have sophisticated security systems in place to protect user data. As a result, outsourcing data storage to a cloud provider can be an effective way to collect and store data from users internationally.

25:26 – Roman explains that, going forward, Flo will continue to carry out innovative privacy practices by encrypting data and performing regular third-party audits. Tsimafei agrees, saying that their goal is to be an example to other businesses in the industry. Flo made waves in the summer when it announced "anonymous mode," an option for users who don't want their data connected to their person. By stripping anonymous users of identifiers like IP address, email, or username, the accounts become unidentifiable to Flo and to any third parties. At the moment, the setting is not the default because it has downsides that affect usability: users in anonymous mode can't track their data across multiple devices, and if their device is lost or stolen, the information can't be recovered. However, Roman hopes to one day make anonymity the default as the Flo team continues working to make the app more secure.
