Kat Grilli started using Flo — a popular period- and pregnancy-tracking app — a year ago, when she began her IVF journey to get pregnant with her husband, who is transgender. She logged onto the app to track her periods so she would know when to start IVF drugs, she said, adding that she also responded to prompts about her sexual activity, hunger and exercise.
Now nine months into her pregnancy, Grilli, 33, is one of more than a half-dozen women who told The Lily they are permanently deleting the app after the Federal Trade Commission announced on Wednesday that it filed a complaint against Flo, alleging that it shared millions of users’ data about their menstruation, fertility and pregnancies with the analytics and marketing teams of third-party companies including Google and Facebook — all the while, promising users their data would be kept private.
For Grilli, the news comes as proof of how far companies will go to capitalize off people’s trust around otherwise-stigmatized topics like periods.
“There’s this attitude that periods are disgusting and shameful, yet there’s also this attitude that that information can be sold, used and profited from,” said Grilli, who lives in Atlanta and works as a screenwriter. “I find that really gross, and am very resentful that I was [possibly] part of it without my knowledge or consent.”
A Flo spokesperson has not responded to a request for comment.
Flo was founded by a pair of Belarusian men, Dmitry and Yuri Gurski, in 2015, and claims to have 150 million users. When users first sign up for the app, it asks them whether they want to track their periods, pregnancies or fertility, and then requests their age, mood and symptoms and what they want to improve about their sleep, mental health, sex lives and relationships, among other topics. Users can then go on to use a free version of Flo, or pay for an annual subscription to gain access to more features, including customer support, daily health tips and content from what the company claims are more than 80 “health and medical experts.”
Between 2017 and 2019, the app’s privacy policies noted that it would not share users’ “information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share” with third parties, according to the federal complaint. But in 2016, the company began sharing users’ information with firms who it allowed to use the data for their own purposes — even though sharing the data violated many of those third parties’ own terms of service, including Facebook’s, the complaint reads. It was only after the Wall Street Journal reported on the practice in February 2019, after having intercepted unencrypted identifying health information transmitted by Flo to Facebook — about a user’s intention to get pregnant and when she had her period — that the company stopped making the users’ data available to the firms, the complaint notes.
When the FTC made public its complaint on Wednesday, it also announced a proposed settlement with Flo, which would require the company to notify affected users about the disclosures of their data; instruct the third parties that received the data to destroy it; obtain users’ consent before sharing their health data in the future; and undergo an independent review of its privacy practices by experts approved by the agency’s Bureau of Consumer Protection, among other measures. By agreeing to the proposed settlement, Flo did not admit to or deny any of the allegations contained in the complaint.
The public will have a month to comment on the proposed settlement after it’s published online in the Federal Register — the official daily journal of the federal government — in the coming days. FTC officials will then review the public’s comments and decide whether to amend or finalize the settlement, according to an agency spokesperson.
The spokesperson noted that the FTC “did not have the authority to obtain damages” for the breach, but added that it could seek payment from Flo if the company went on to violate the terms of the finalized order.
In other words, the company — which was valued at $200 million after its initial stage of funding in 2018 — is not likely to be hit with any fines for the breach, and users whose data was shared with third parties are not likely to receive any compensation.
This ruling does not go far enough, argued Marielle Gross, an assistant professor at Johns Hopkins’ Berman Institute of Bioethics and the University of Pittsburgh’s Center for Bioethics and Health Law. She called the FTC’s proposed settlement with Flo “a slap on the wrist.”
In a forthcoming paper Gross co-authored on the ethics of the monetization of menstruation app data, she argues that health data must be understood as a form of labor rather than property so that menstruation apps become subject to regulation.
“Women’s labor has historically been marginalized and largely uncompensated, and this is yet another example of that, where people are entering their data that was previously only known to the people in their lives that they chose to share it with, and being sold as a valuable product that’s creating revenue,” Gross said. “This is capitalizing on all of the personal insecurities and all of the deeply intimate nature of this stuff. It’s a totally exploitative relationship, and it doesn’t have to be.”
Gross, who is also a practicing OB/GYN, said that such tech companies are “not held to any standards that I’m held to as a professional.”
As Gross put it: “It was not an accidental breach — it is their business model. They are selling our data.”
Madeline Kiss, a former Flo user who deleted the app once she found out the news, agreed that the company should be held responsible for compensating users affected by the breach.
“If anybody paid to use their service, I think they definitely should give out a refund, because it just seems like they were operating under a false pretense,” said Kiss, a 25-year-old social media manager based in New York City. “They should have to face a pretty substantial financial settlement, because I can’t really imagine at this point what else is going to stop another company from saying, ‘They barely got a slap on the wrist, we can keep doing the same thing and just apologize after the fact.’”
Jenny Grinblo, a 33-year-old user experience designer who lives in London, reached out to the company asking for a refund for her subscription on Wednesday night. But a Flo representative said the decision would be subject to Apple, because it controls billing for the app. Grinblo said the situation frustrates her both as a user and a tech professional, given that she assesses potential ethical risks that could arise from apps as part of her job on a daily basis.
“This whole thing is a double whammy for me — as a woman and customer, and as someone who works in tech, because ethics are part of a conversation in the field that’s being had,” Grinblo said.
The news also came as a betrayal to Jateria Pittman, a 27-year-old financial coach from Atlanta, who said she specifically turned to Flo — and recommended it to her friends — to track her periods because she thought it would respect the private nature of her data.
“We get targeted ads enough — I thought it would be a safe space,” Pittman said. “The majority of my friends have this app because of me, so now I have them in a situation where their private data was [possibly] being shared.”
After learning how her information may have been used, Pittman is considering other period-tracking apps — but after this breach, she’s ambivalent about relying on technology at all to track her menstrual cycle.
“Now I’m also concerned another app will do the same thing,” Pittman said. “It makes me want to go back to pen and paper and tracking it on my calendar.”
Other apps have indeed been found guilty of similar offenses. In September, California reached a settlement — which included a $250,000 fine — with the ovulation- and period-tracking app Glow after Consumer Reports found in 2016 that data users logged on the app was accessible to anyone who knew a user’s email address, leaving open the possibility of others discovering information about whether they’d had abortions and when they’d last had sex. An analysis the consumer watchdog organization published last year also found that five popular period-tracking apps — including Flo — shared app data with advertisers. And since 2019, The Washington Post has reported that the Android edition of Premom, a fertility app, was sharing users’ data with three Chinese companies focused on advertising, and that pregnancy-tracking app Ovia was sharing users’ health data with their employers.
For Grilli, the situation underscores the fact that even data collection is subject to gender-based disparities.
“I think this breach of trust is definitely indicative of the fact that women’s privacy is not treated nearly as sacred as men’s privacy is,” she said. “I would have to move heaven and Earth in order to find out which of my colleagues is taking Viagra, but now Facebook knows when I was on my period and trying to get pregnant?”