`BEFORE THE FEDERAL TRADE COMMISSION
`
`In the Matter of
`
`FILE NO. 1923133
`
`FLO HEALTH, INC., a corporation.
`
`AGREEMENT CONTAINING
`CONSENT ORDER
`
`The Federal Trade Commission ("Commission") has conducted an investigation of
`certain acts and practices of Flo Health, Inc., a corporation ("Proposed Respondent"). The
`Commission's Bureau of Consumer Protection ("BCP") has prepared a draft of an administrative
`Complaint ("draft Complaint"). BCP and Proposed Respondents, individually or through their
`duly authorized officers, enter into this Agreement Containing Consent Order ("Consent
`Agreement") to resolve the allegations in the attached draft Complaint through a proposed
`Decision and Order to present to the Commission, which is also attached and made a part of this
`Consent Agreement.
`
`IT IS HEREBY AGREED by and between Proposed Respondent and BCP, that:
`
`1. The Proposed Respondent is Flo Health, Inc. ("Flo Health"), a Delaware corporation with
`its principal office or place of business at 1013 Centre Road, Suite 403-B, Wilmington, Delaware
`19805.
`
`2. Proposed Respondent neither admits nor denies any of the allegations in the Complaint,
`except as specifically stated in the Decision and Order. Only for purposes of this action,
`Proposed Respondent admits the facts necessary to establish jurisdiction.
`
`3. Proposed Respondent waives:
`
`a. Any further procedural steps;
`
`b. The requirement that the Commission's Decision contain a statement of findings
`of fact and conclusions of law; and
`
`c. All rights to seek judicial review or otherwise to challenge or contest the validity
`of the Decision and Order issued pursuant to this Consent Agreement.
`
`4. This Consent Agreement will not become part of the public record of the proceeding
`unless and until it is accepted by the Commission. If the Commission accepts this Consent
`Agreement, it, together with the draft Complaint, will be placed on the public record for thirty
`(30) days and information about them publicly released. Acceptance does not constitute final
`approval, but it serves as the basis for further actions leading to final disposition of the matter.
`Thereafter, the Commission may either withdraw its acceptance of this Consent Agreement and
`so notify Proposed Respondent, in which event the Commission will take such action as it may
`consider appropriate, or issue and serve its Complaint (in such form as the circumstances may
`require) and decision in disposition of the proceeding, which may include an Order. See Section
`2.34 of the Commission's Rules, 16 C.F.R. § 2.34 ("Rule 2.34").
`
`5. If this agreement is accepted by the Commission, and if such acceptance is not
`subsequently withdrawn by the Commission pursuant to Rule 2.34, the Commission may,
`without further notice to Proposed Respondent: (1) issue its Complaint corresponding in form
`and substance with the attached draft Complaint and its Decision and Order and (2) make
`information about them public. Proposed Respondent agrees that service of the Order may be
`effected by its publication on the Commission's website (ftc.gov), at which time the Order will
`become final. See Rule 2.32(d). Proposed Respondent waives any rights they may have to any
`other manner of service. See Rule 4.4.
`
`6. When final, the Decision and Order will have the same force and effect and may be
`altered, modified, or set aside in the same manner and within the same time provided by statute
`for other Commission orders.
`
`7. The Complaint may be used in construing the terms of the Decision and Order. No
`agreement, understanding, representation, or interpretation not contained in the Decision and
`Order or in this Consent Agreement may be used to vary or contradict the terms of the Decision
`and Order.
`
`8. Proposed Respondent agrees to comply with the terms of the proposed Decision and
`Order from the date that Proposed Respondent signs this Consent Agreement. Proposed
`Respondent understands that it may be liable for civil penalties and other relief for each violation
`of the Decision and Order after it becomes final.
`
`FLO HEALTH, INC.
`
`By:
`Timofei Savitski
`Chief Legal & Compliance Officer
`
`Date:
`
`By:
`Brenda Sharton
`Dechert LLP
`Attorney for Proposed Respondent
`
`Date:
`
`FEDERAL TRADE COMMISSION
`
`By:
`Elisa Jillson
`Attorney, Bureau of Consumer Protection
`
`Miles Plant
`Attorney, Bureau of Consumer Protection
`
`APPROVED:
`
`Maneesha Mithal
`Associate Director
`Division of Privacy and
`Identity Protection
`
`Andrew Smith
`Director
`Bureau of Consumer Protection
`
`UNITED STATES OF AMERICA
`BEFORE THE FEDERAL TRADE COMMISSION
`
`1923133
`
`COMMISSIONERS:
`
`Joseph J. Simons, Chairman
`Noah Joshua Phillips
`Rohit Chopra
`Rebecca Kelly Slaughter
`Christine S. Wilson
`
`In the Matter of
`
`DECISION AND ORDER
`
`FLO HEALTH, INC., a corporation.
`
`DOCKET NO. C-
`
`DECISION
`
`The Federal Trade Commission ("Commission") initiated an investigation of certain acts and
`practices of the Respondent named in the caption. The Commission's Bureau of Consumer
`Protection ("BCP") prepared and furnished to Respondent a draft Complaint. BCP proposed to
`present the draft Complaint to the Commission for its consideration. If issued by the
`Commission, the draft Complaint would charge the Respondent with violations of the Federal
`Trade Commission Act.
`
`Respondent and BCP thereafter executed an Agreement Containing Consent Order ("Consent
`Agreement"). The Consent Agreement includes: 1) statements by Respondent that it neither
`admits nor denies any of the allegations in the Complaint, except as specifically stated in this
`Decision and Order, and that only for purposes of this action, it admits the facts necessary to
`establish jurisdiction; and 2) waivers and other provisions as required by the Commission's
`Rules.
`
`The Commission considered the matter and determined that it had reason to believe that
`Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue
`stating its charges in that respect. The Commission accepted the executed Consent Agreement
`and placed it on the public record for a period of thirty (30) days for the receipt and consideration
`of public comments. The Commission duly considered any comments received from interested
`persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with
`the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the
`following Findings, and issues the following Order:
`
`Findings
`
`1. The Respondent is Flo Health, Inc. ("Flo Health"), a Delaware corporation with its
`principal office or place of business at 1013 Centre Road, Suite 403-B, Wilmington,
`Delaware 19805.
`
`2. The Commission has jurisdiction over the subject matter of this proceeding and over the
`Respondent, and the proceeding is in the public interest.
`
`ORDER
`
`Definitions
`
`For purposes of this Order, the following definitions apply:
`
`A. "Clearly and Conspicuously" means that a required disclosure is difficult to miss (i.e., easily
`noticeable) and easily understandable by ordinary consumers, including in all of the
`following ways:
`
`1. In any communication that is solely visual or solely audible, the disclosure must be
`made through the same means through which the communication is presented. In any
`communication made through both visual and audible means, such as a television
`advertisement, the disclosure must be presented simultaneously in both the visual and
`audible portions of the communication even if the representation requiring the
`disclosure ("triggering representation") is made through only one means.
`
`2. A visual disclosure, by its size, contrast, location, the length of time it appears, and
`other characteristics, must stand out from any accompanying text or other visual
`elements so that it is easily noticed, read, and understood.
`
`3. An audible disclosure, including by telephone or streaming video, must be delivered
`in a volume, speed, and cadence sufficient for ordinary consumers to hear it easily
`and understand it.
`
`4. In any communication using an interactive electronic medium, such as the Internet or
`software, the disclosure must be unavoidable.
`
`5. The disclosure must use diction and syntax understandable to ordinary consumers and
`must appear in each language in which the triggering representation appears.
`
`6. The disclosure must comply with these requirements in each medium through which
`it is received, including all electronic devices and face-to-face communications.
`
`7. The disclosure must not be contradicted or mitigated by, or inconsistent with,
`anything else in the communication.
`
`8. When the representation or sales practice targets a specific audience, such as children,
`the elderly, or the terminally ill, "ordinary consumers" includes reasonable members
`of that group.
`
`B. "Covered App User" means any individual who downloaded and used Respondent's mobile
`application Flo Period & Ovulation Tracker between June 30, 2016 and February 23, 2019.
`
`C. "Covered Incident" means any instance in which Respondent discloses Health Information to
`a Third Party without first receiving that consumer's affirmative express consent.
`
`D. "Covered Information" means information from or about an individual consumer, including
`but not limited to: (a) a first and last name; (b) a physical address; (c) an email address or
`other online contact information, such as a user identifier or a screen name; (d) a telephone
`number; (e) a Social Security number; (f) a driver's license or other government-issued
`identification number; (g) a financial institution account number; (h) credit or debit card
`information; (i) a persistent identifier, such as a customer number held in a "cookie," a static
`Internet Protocol ("IP") address, a mobile device ID, or processor serial number; (j) Health
`Information; or (k) any information combined with any of (a) through (j) above.
`
`E. "Health Information" means individually identifiable information from or about an individual
`consumer relating to health, including but not limited to information concerning fertility,
`menstruation, sexual activity, pregnancy, and childbirth.
`
`F. "Respondent" means Flo Health, a corporation, and its successors and assigns.
`
`G. "Third Party" means any individual or entity other than: (1) Respondent; (2) a service
`provider of Respondent that: (i) uses or receives Covered Information collected by or on
`behalf of Respondent for and at the direction of the Respondent and no other individual or
`entity, (ii) does not disclose the data, or any individually identifiable information derived
`from such data, to any individual or entity other than Respondent or a subcontractor to such
`service provider bound to data processing terms no less restrictive than terms to which the
`service provider is bound, and (iii) does not use the data for any other purpose; or (3) any
`entity that uses Covered Information only as reasonably necessary: (i) to comply with
`applicable law, regulation, or legal process, (ii) to enforce Respondent's terms of use, or (iii)
`to detect, prevent, or mitigate fraud or security vulnerabilities.
`
`Provisions
`
`I. Prohibition against Misrepresentations about Information Privacy
`
`IT IS ORDERED that Respondent, Respondent's officers, agents, employees, and attorneys,
`and all other persons in active concert or participation with either of them, who receive actual
`notice of this Order, whether acting directly or indirectly, in connection with any product or
`service must not misrepresent in any manner, expressly or by implication:
`
`A. the purposes for which Respondent or any entity to whom it discloses Covered Information
`collects, maintains, uses, or discloses Covered Information;
`
`B. the extent to which consumers may exercise control over Respondent's collection,
`maintenance, use, disclosure, or deletion of Covered Information, and the steps a consumer
`must take to implement such controls;
`
`C. the extent to which Respondent is a member of, adheres to, complies with, is certified by, is
`endorsed by, or otherwise participates in any privacy, security, or any other compliance
`program sponsored by a government or any self-regulatory or standard-setting organization,
`including the EU-U.S. Privacy Shield and the U.S.-Swiss Privacy Shield framework; and
`
`D. the extent to which Respondent collects, maintains, uses, discloses, deletes, or permits or
`denies access to any Covered Information, or the extent to which Respondent protects the
`availability, confidentiality, or integrity of any Covered Information.
`
`II. Data Deletion
`
`IT IS FURTHER ORDERED that, on or before thirty (30) days after the date of the filing
`of this Order, Respondent and Respondent's officers, agents, employees, and attorneys, and all
`other persons in active concert or participation with any of them, who receive actual notice of
`this Order, must instruct any Third Party that has received Health Information from Respondent
`belonging to any Covered App User to destroy such information.
`
`III. Notice to Users
`
`IT IS FURTHER ORDERED that on or before fourteen (14) days after the date of the
`filing of this Order, Respondent must post Clearly and Conspicuously on Respondent's website,
`https://flo.health/, an exact copy of the notice attached hereto as Exhibit A ("Notice") and email
`the Notice to all Covered App Users, provided however, that if Respondent does not have email
`information for any Covered App User, Respondent must send the Notice to that Covered App
`User through Respondent's primary means of communicating with that user (such as a
`notification within Respondent's mobile application). Respondent shall not include with the
`Notice any other information, documents, or attachments.
`
`IV. Notice and Affirmative Express Consent
`
`IT IS FURTHER ORDERED that Respondent and Respondent's officers, agents,
`employees, and attorneys, and all other persons in active concert or participation with any of
`them, who receive actual notice of this Order, in connection with any product or service, prior to
`disclosing any consumer's Health Information to any Third Party, must:
`
`A. Clearly and Conspicuously disclose to the consumer, separate and apart from any "privacy
`policy," "terms of use" page, or other similar document: (1) the categories of Health
`Information that will be disclosed to such Third Parties, (2) the identities of such Third
`Parties, and (3) all purposes for Respondent's disclosure of such Health Information,
`including how it may be used by each Third Party; and
`
`B. obtain the consumer's affirmative express consent.
`
`V. Compliance Review
`
`IT IS FURTHER ORDERED that, within 180 days after the issuance date of this Order,
`Respondent must obtain an outside review of certain of its practices (the "Compliance Review"):
`
`A. The Compliance Review must be completed by a qualified, objective, independent third
`party professional, who: (1) uses procedures and standards generally accepted in the
`profession; (2) conducts an independent review of compliance with the EU-U.S. Privacy
`Shield Framework Principles (the "Principles"), attached hereto as Exhibit B; and (3) retains
`all documents relevant to the Compliance Review for five (5) years after completion and will
`provide such documents to the Commission within ten (10) days of receipt of a written
`request from a representative of the Commission. No documents may be withheld on the
`basis of a claim of confidentiality, proprietary or trade secrets, work product protection,
`attorney-client privilege, statutory exemption, or any similar claim.
`
`B. Respondent shall provide the Associate Director of Enforcement for the Bureau of Consumer
`Protection at the Commission with the name, affiliation, and resume of each person selected
`to conduct the Compliance Review, which the Associate Director shall have the authority to
`approve in his sole discretion.
`
`C. The reporting period for the Compliance Review must cover the first 180 days after the
`issuance date of the Order.
`
`D. The Compliance Review must (1) determine whether Respondent has maintained compliance
`with the Principles attached hereto as Exhibit B; (2) determine whether Respondent's privacy
`practices are consistent with its privacy policy; (3) determine whether Respondent adequately
`informs individuals about the mechanisms through which they may pursue complaints
`regarding Respondent's privacy practices; (4) identify any gaps or weaknesses in the privacy
`practices assessed; and (5) identify specific evidence (including, but not limited to,
`documents reviewed, sampling and technical testing performed, and interviews conducted)
`examined to make such determinations and identifications, and explain why the evidence
`examined is sufficient to justify the findings. No finding of the Compliance Review shall
`rely solely on assertions or attestations by Respondent's management. The Compliance
`Review shall be signed by the lead professional who performs the review and shall state that
`he or she conducted an independent review of Respondent's privacy practices, and did not
`rely solely on assertions or attestations by Respondent's management.
`
`E. Unless otherwise directed by a Commission representative in writing, Respondent must
`submit the Compliance Review to the Commission within ten (10) days after the Compliance
`Review has been completed via email to DEbrief@ftc.gov or by overnight courier (not the
`U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer
`Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC
`20580. The subject line must begin: "In re Flo Health, Inc., LLC, FTC File No. 1923133."
`
`VI. Cooperation with Compliance Reviewer
`
`IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in
`connection with the Compliance Review required by Provision V of this Order, must disclose all
`material facts to the individual(s) conducting the Compliance Review (the "Reviewer"), and
`must not misrepresent in any manner, expressly or by implication, any fact material to the
`Reviewer's determination whether Respondent (1) has maintained compliance with the
`Principles attached hereto as Exhibit B; (2) has engaged in privacy practices consistent with its
`privacy policy; (3) adequately informs individuals about the mechanisms through which they
`may pursue complaints regarding Respondent's privacy practices; or (4) has any gaps or
`weaknesses in its privacy practices.
`
`VII. Certification
`
`IT IS FURTHER ORDERED that, in connection with Provisions I through VI of this
`Order, Respondent must:
`
`A. Within 180 days after the issuance date of this Order, provide the Commission with a
`certification from a senior corporate manager, or, if no such senior corporate manager exists,
`a senior officer of Respondent responsible for Respondent's privacy practices that
`Respondent: (1) has established, implemented, and maintained the requirements of this Order;
`and (2) is not aware of any material noncompliance that has not been (a) corrected or (b)
`disclosed to the Commission. The certification must be based on the personal knowledge of
`the senior corporate manager, senior officer, or subject matter experts upon whom the senior
`corporate manager or senior officer reasonably relies in making the certification.
`
`B. Unless otherwise directed by a Commission representative in writing, submit the certification
`to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight
`courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of
`Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
`Washington, DC 20580. The subject line must begin: "In re Flo Health, Inc., LLC, FTC File
`No. 1923133."
`
`VIII. Covered Incident Reports
`
`IT IS FURTHER ORDERED that Respondent, within thirty (30) days after that
`Respondent's discovery of a Covered Incident, must submit a report to the Commission. The
`report must include, to the extent possible:
`
`A. The date, estimated date, or estimated date range when the Covered Incident occurred;
`
`B. A description of the facts relating to the Covered Incident, including the causes and scope of
`the Covered Incident, if known;
`
`C. The number of consumers whose information was affected;
`
`D. The acts that Respondent has taken to date to remediate the Covered Incident and protect
`Health Information from further disclosure, exposure or access, and protect affected
`individuals from identity theft or other harm that may result from the Covered Incident; and
`
`E. A representative copy of any materially different notice sent by Respondent to consumers or
`to any U.S. federal, state, or local government entity.
`
`Unless otherwise directed by a Commission representative in writing, all Covered Incident
`reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by
`overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau
`of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
`Washington, DC 20580. The subject line must begin: "In re Flo Health, Inc., LLC, FTC File
`No. 1923133."
`
`IX. Acknowledgments of the Order
`
`IT IS FURTHER ORDERED that Respondent obtain acknowledgments of receipt of this
`Order:
`
`A. Respondent, within ten (10) days after the effective date of this Order, must submit to the
`Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
`
`B. For five (5) years after the issuance date of this Order, Respondent, must deliver a copy of
`this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all
`employees having managerial responsibilities for conduct related to the subject matter of the
`Order, and all agents and representatives who participate in conduct related to the subject
`matter of the Order; and (3) any business entity resulting from any change in structure as set
`forth in the Provision titled Compliance Reports and Notices. Delivery must occur within ten
`(10) days after the effective date of this Order for current personnel. For all others, delivery
`must occur before they assume their responsibilities.
`
`C. From each individual or entity to which Respondent delivered a copy of this Order,
`Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of
`receipt of this Order.
`
`X. Compliance Reports and Notices
`
`IT IS FURTHER ORDERED that Respondent makes timely submissions to the
`Commission:
`
`A. Sixty (60) days after the issuance date of this Order, and annually thereafter for five (5) more
`years, Respondent must submit a compliance report, sworn under penalty of perjury, in
`which Respondent must: (a) identify the primary physical, postal, and email address and
`telephone number, as designated points of contact, which representatives of the Commission,
`may use to communicate with Respondent; (b) identify all of Respondent's businesses by all
`of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c)
`describe the activities of each business, including the services offered, what Covered
`Information is collected, and how Covered Information is used and disclosed to third parties;
`(d) describe in detail whether and how Respondent is in compliance with each Provision of
`this Order, including a discussion of all of the changes Respondent made to comply with the
`Order; and (e) provide a copy of each Acknowledgment of the Order obtained pursuant to
`this Order, unless previously submitted to the Commission.
`
`B. Respondent must submit a compliance notice, sworn under penalty of perjury, within
`fourteen (14) days of any change in: (a) any designated point of contact or (b) the structure
`of Respondent or any entity Respondent has any ownership interest in or control directly or
`indirectly that may affect compliance obligations arising under this Order, including:
`creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that
`engages in any acts or practices subject to this Order.
`
`C. Respondent must submit notice of the filing of any bankruptcy petition, insolvency
`proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its
`filing.
`
`D. Any submission to the Commission required by this Order to be sworn under penalty of
`perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding:
`"I declare under penalty of perjury under the laws of the United States of America that the
`foregoing is true and correct. Executed on: _____" and supplying the date,
`signatory's full name, title (if applicable), and signature.
`
`E. Unless otherwise directed by a Commission representative in writing, all submissions to the
`Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight
`courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of
`Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
`Washington, DC 20580. The subject line must begin: In re Flo Health, Inc., a corporation.
`
`XI. Recordkeeping
`
`IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20)
`years after the issuance date of the Order, and retain each such record for five (5) years, unless
`otherwise specified below. Specifically, Respondent must create and retain the following
`records:
`
`A. accounting records showing the revenues from all goods or services sold, the costs incurred
`in generating those revenues, and resulting net profit or loss;
`
`B. personnel records showing, for each person providing services in relation to any aspect of the
`Order, whether as an employee or otherwise, that person's: name, addresses, telephone
`numbers, job title or position, dates of service, and (if applicable) the reason for termination;
`
`C. copies or records of all consumer complaints and refund requests sent to Respondent, and
`any response;
`
`D. all records necessary to demonstrate full compliance with each provision of this Order,
`including all submissions to the Commission;
`
`E. a copy of each unique advertisement or other marketing material making a representation
`subject to this Order;
`
`F. a copy of each widely disseminated representation by Respondent that describes the extent to
`which Respondent maintains or protects the privacy, security and confidentiality of any
`Covered Information, including any representation concerning a change in any website or
`other service controlled by Respondent that relates to the privacy, security, and
`confidentiality of Covered Information;
`
`G. for five (5) years after the date of preparation of the Compliance Review required by this
`Order, all materials relied upon to prepare the Compliance Review, whether prepared by or
`on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails,
`policies, training materials, assessments, and any other materials concerning Respondent's
`compliance with related Provisions of this Order, for the compliance period covered by the
`Compliance Review.
`
`XII. Compliance Monitoring
`
`IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent's compliance
`with this Order:
`
`A. Within ten (10) days of receipt of a written request from a representative of the Commission,
`Respondent must: submit additional compliance reports or other requested information,
`which must be sworn under penalty of perjury, and produce records for inspection and
`copying.
`
`B. For matters concerning this Order, representatives of the Commission are authorized to
`communicate directly with Respondent. Respondent must permit representatives of the
`Commission to interview anyone affiliated with Respondent who has agreed to such an
`interview. The interviewee may have counsel present.
`
`C. The Commission may use all other lawful means, including posing through its
`representatives as consumers, suppliers, or other individuals or entities, to Respondent or any
`individual or entity affiliated with Respondent, without the necessity of identification or prior
`notice. Nothing in this Order limits the Commission's lawful use of compulsory process,
`pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
`
`XIII. Order Effective Dates
`
`IT IS FURTHER ORDERED that this Order is final and effective upon the date of its
`publication on the Commission's website (ftc.gov) as a final order. This Order will terminate
`twenty (20) years from the date of its issuance (which date may be stated at the end of this Order,
`near the Commission's seal), or twenty (20) years from the most recent date that the United
`States or the Commission files a complaint (with or without an accompanying settlement) in
`federal court alleging any violation of this Order, whichever comes later; provided, however, that
`the filing of such a complaint will not affect the duration of:
`
`A. Any Provision in this Order that terminates in less than twenty (20) years;
`
`B. This Order if such complaint is filed after the Order has terminated pursuant to this
`Provision.
`
`Provided, further, that if such complaint is dismissed or a federal court rules that Respondent did
`not violate any provision of the Order, and the dismissal or ruling is either not appealed or
`upheld on appeal, then the Order will terminate according to this Provision as though the
`complaint had never been filed, except that the Order will not terminate between the date such
`complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date
`such dismissal or ruling is upheld on appeal.
`
`By the Commission.
`
`Secretary
`
`SEAL:
`ISSUED:
`
`Exhibit A
`
`
`Dear [Customer]:
`
`Between June 1, 2016 and February 23, 2019, the company that makes the Flo Period &
`Ovulation Tracker app sent an identifying number related to you and information about your
`period and pregnancy to companies that help us measure and analyze trends, usage, and activities
`on the app, including the analytics divisions of Facebook, Flurry, Fabric, and Google. No
`information was shared with the social media divisions of these companies. We did not share
`your name, address, or birthday with anyone at any time.
`
`We do not currently, and will not, share any information about your health with any company
`unless we get your permission. We recently entered into a settlement with the Federal Trade
`Commission, the nation’s consumer protection agency, to resolve allegations that sharing this
`information was inconsistent with the promises we made to you. Learn more about the settlement
`at [to be determined]. This page also includes links to resources for consumers to help them
`evaluate the risks and benefits of sharing information with health apps.
`
`If you have any questions or concerns, please contact us at privacy@flo.health.
`
`
`Exhibit B
`
`EU-U.S. PRIVACY SHIELD FRAMEWORK PRINCIPLES
`ISSUED BY THE U.S. DEPARTMENT OF COMMERCE
`
`I. OVERVIEW
`
`1. While the United States and the European Union share the goal of enhancing
`privacy protection, the United States takes a different approach to privacy from that
`taken by the European Union. The United States uses a sectoral approach that relies
`on a mix of legislation, regulation, and self-regulation. Given those differences and
`to provide organizations in the United States with a reliable mechanism for personal
`data transfers to the United States from the European Union while ensuring that EU
`data subjects continue to benefit from effective safeguards and protection as
`required by European legislation with respect to the processing of their personal
`data when they have been transferred to non-EU countries, the Department of
`Commerce is issuing these Privacy Shield Principles, including the Supplemental
`Principles (collectively “the Principles”) under its statutory authority to foster,
`promote, and develop international commerce (15 U.S.C. § 1512). The Principles
`were developed in consultation with the European Commission, and with industry
`and other stakeholders, to facilitate trade and commerce between the United States
`and European Union. They are intended for use solely by organizations in the
`