Morning Overview

7 apps that quietly record you, and how to delete them before they harvest more data

Seven apps spanning fertility tracking, prescription discounts, anonymous teen messaging, photo storage, and stalkerware have faced Federal Trade Commission enforcement actions for secretly collecting and sharing personal data, from reproductive health details to real-time location coordinates. The agency’s orders against Premom, Flo Health, GoodRx, NGL Labs, SpyFone, and Everalbum collectively imposed millions of dollars in penalties, banned certain data-sharing practices, and required deletion of improperly gathered information. For anyone still running these apps, the practical question is straightforward: uninstall, revoke permissions, and request data deletion before more sensitive records reach third parties.

Health apps drew the sharpest FTC penalties

The pattern across these cases is consistent. Apps that handled health data triggered the most aggressive regulatory response, and the penalties arrived faster than in non-health cases within the same enforcement period. The FTC’s action against GoodRx, filed on February 1, 2023, marked the agency’s first Health Breach Notification Rule enforcement. A stipulated order followed just 16 days later, on February 17, 2023, requiring the digital healthcare platform to pay a $1.5 million civil penalty for unauthorized disclosures of personal health information to advertising platforms, according to the U.S. Department of Justice.

Premom, an ovulation tracking app operated by Easy Healthcare Corporation, faced a separate FTC complaint alleging it shared sensitive reproductive data with third parties including China-based firms, as well as with AppsFlyer and Google. The company allegedly never notified users of these transfers, violating the Health Breach Notification Rule. Under the proposed FTC order, Premom would be barred from sharing health data for advertising purposes and must implement a comprehensive privacy program.

Flo Health, maker of the Flo Period and Ovulation Tracker app, shared sensitive health data with Facebook, Google, and other marketing and analytics firms without user consent. The FTC finalized an order requiring the company to obtain affirmative express consent before sharing health information and to submit to independent privacy reviews, alongside restrictions on how it can use data collected from millions of users.

These three health-data cases share a telling feature. Each involved apps that users trusted with some of the most private information a person can generate, and each company routed that data to advertising networks or analytics firms. The speed of the GoodRx resolution, from complaint to court order in under three weeks, suggests regulators treated health-data violations with particular urgency compared with other privacy cases on their docket. It also signals that the FTC views the Health Breach Notification Rule as a live enforcement tool, not just a dormant regulation.

Stalkerware, photo apps, and teen messaging drew bans and deletion orders

Beyond health apps, the FTC targeted companies whose products recorded users without meaningful consent or exploited younger audiences. Support King, the company behind SpyFone.com, sold software that enabled covert installation on victims’ phones, secretly harvesting location data, phone usage, and online activity. The FTC obtained a ban on Support King’s surveillance business and ordered the company to delete all collected data that had been gathered through the stalkerware service.

Everalbum, which operated the Ever photo storage app, misrepresented how it used facial recognition technology and whether users had given consent. The company also retained photos and videos after users deactivated their accounts. The FTC settlement required Everalbum to delete all facial recognition models and any biometric information derived from users who had not provided explicit permission, as well as to dispose of media content retained in violation of its own policies.

NGL Labs, which ran an anonymous messaging app popular with teenagers, drew a ban from offering its product to anyone under 18. The FTC found that NGL made deceptive claims about its AI content moderation capabilities and engaged in practices that raised COPPA-related concerns. The company and its founders were ordered to pay $4.5 million for consumer redress plus a $500,000 civil penalty to the Los Angeles County District Attorney, and to implement strict age-gating and transparency measures.

What connects these non-health cases to the health-app enforcement actions is the gap between what users believed they were consenting to and what actually happened with their data. SpyFone targets, in many instances, did not even know the software was on their devices. Everalbum users thought deleting their accounts would remove their photos. NGL users, many of them minors, trusted that AI moderation would protect them from harmful content. In each instance, the FTC framed its complaints around deception and unfairness: the apps either failed to disclose critical practices or actively misrepresented their safeguards.

Gaps in post-enforcement accountability

The FTC orders mandate specific remedies: data deletion, advertising bans, consent requirements, age restrictions, and independent audits. But the public record does not yet show whether these companies fully complied after the orders took effect. No primary source in the enforcement dockets confirms that third-party recipients of the shared data, such as the China-based firms that allegedly received Premom data or the advertising platforms that received GoodRx prescription histories, have purged their own copies. The orders generally require the companies to instruct partners to delete data, but they do not guarantee that every downstream recipient has done so.

This gap matters because digital information is easily duplicated and distributed. Even if Premom or Flo Health now follow strict privacy programs, earlier transmissions to analytics providers may persist in backup systems, internal research datasets, or derived advertising profiles. The same concern applies to SpyFone: while Support King must delete its databases and stop operating stalkerware, devices previously compromised by the software may still be leaking information to unknown servers if the apps remain installed.

Another accountability challenge is the opacity of audit and assessment requirements. Orders that mandate independent privacy reviews or security assessments rarely make those reports public. Users cannot see whether auditors flagged deficiencies or whether companies meaningfully improved their practices. Instead, the public must rely on the threat of renewed enforcement if the FTC later discovers violations of the orders.

In addition, enforcement actions typically focus on a snapshot in time: specific conduct, within a defined period, under then-current policies. Companies can change ownership, rebrand, or launch new products after a settlement. Without sustained monitoring, there is a risk that old patterns reappear in slightly different forms. For example, a fertility app might technically stop sharing “health data” for advertising but still funnel adjacent behavioral metrics, such as app session times or engagement with certain features, to the same ad networks, enabling similar inferences.

What users can do now

For people who have used these apps, the immediate steps are practical rather than theoretical. First, uninstall the apps from phones and tablets and check for any companion services or browser extensions linked to the same accounts. Removing the software will not erase historical data already collected, but it cuts off new streams of information.

Second, revoke permissions and access tokens. On mobile devices, that means reviewing location, camera, microphone, health, and notification permissions to ensure that former apps no longer have access. Within linked accounts such as Google or Facebook, users should examine security and privacy dashboards for connected apps and services, and remove any entries tied to these companies.

Third, submit data deletion and access requests where available. Many of the companies subject to FTC orders must provide mechanisms for users to request deletion of stored information. Even when not legally required, most consumer-facing services now offer some form of account deletion. Users should explicitly ask for removal of account data, usage logs, and any shared information held by partners, and retain confirmation emails or reference numbers for their records.

Finally, treat these enforcement cases as a warning about future app choices. Before installing a health tracker, anonymous messaging service, or photo backup tool, users can scan privacy policies for clear statements about data sharing, advertising partners, and retention periods. Vague promises about “improving services” or “sharing with trusted partners” should prompt caution, especially when the app handles reproductive health, location, or communications involving minors.

The FTC’s actions against Premom, Flo Health, GoodRx, NGL Labs, SpyFone, and Everalbum show that regulators are willing to impose bans, fines, and deletion orders when companies cross clear lines. What they cannot do is retroactively restore privacy for data already copied, analyzed, and distributed across complex advertising and analytics ecosystems. Until enforcement includes more visible follow-through on partner deletions and audit results, the burden will remain on users to limit exposure, demand transparency, and exit services that treat sensitive information as just another revenue stream.


*This article was researched with the help of AI, with human editors creating the final content.