We expect most students will be able to complete this assignment in approximatel

We expect most students will be able to complete this assignment in approximately 7-9 pages, but we will accept answers up to 12 pages in total (including citations). The page length requirement is intended to help you write efficiently and to prioritize your strongest arguments.
Students should support their analysis with references to class materials, readings, and discussions; however, students should not conduct any outside/independent research or use AI tools to complete this assignment. Students who have questions about the assignment should post them in the designated Discussion Forum (“Graded Assignment 2: Questions”).
We strongly advise that before you begin writing your answers you (1) read the questions carefully; (2) think about exactly which issues you will address; and (3) outline your answer. Good organization and good analysis go hand-in-hand. Explain your reasoning at every step, even if you do not believe a claim will be wholly successful.
Please submit your answers in Arial 11 point, double spaced with 1 inch margins. Cite any resources used; the specific citation format you choose is up to you (e.g., Bluebook, MLA, APA, etc.), but please ensure your citations are clear, complete, and consistent.
Part 1: Discuss what, if any, Section 5 deception or unfairness violations the FTC might bring against Body Mystique for the conduct described in the attached fact pattern. Explain your reasoning at every step, even if you do not believe a claim will be wholly successful. Note that new information about Body Mystique’s business practices has been included for this assignment, as well as an expanded version of its Privacy Notice.
Part 2: BodyMystique has a substantial number of customers in Washington State, which recently passed the My Health, My Data Act. You have been hired by BodyMystique to write a brief memo identifying and describing the 3 most significant potential compliance issues between BodyMystique’s privacy notice and the attached excerpt of the new law.
BodyMystique is a women’s health app that advertises itself as “using the power of AI” to help users “take control of your health.” The app is used by approximately 500,000 users in the US, and is available for free on both the Apple App Store and the Google Play Store.
BodyMystique allowed users to input a variety of data elements for account management and health and activity tracking such as name, email address, date of birth, place of residence, blood pressure, any medical diagnoses, past and current prescriiptions, any symptoms being experienced, menstrual cycles, the frequency of sexual activities, weight, temperature, and mood. All users must agree to BodyMystique’s privacy notice before using the app.
Like most app developers, BodyMystique records a variety of app events (e.g., records of routine app functions, such as when the app is launched or closed, as well as records of users’ in-app activity unique to the BodyMystique app). For example, some custom app events include: “BM_BODYWEIGHT_LOGGED”, “BM_NEWPRESCRIPTION_LOGGED,” “BM_SEXUALACTIVITY_LOGGED,” “BM_SEEKINGCONCEPTION_Y_LOGGED,” “BM_FITBIT_CONNECTED.”
BodyMystique uses these app events to improve and develop its service. BodyMystique also shares these app events—including users’ in-app activities—along with the users’ unique advertising or device identifiers,* with various third-party partners. For example, Body Mystique allows users to log-in to the app using their Facebook account and, whether or not a user has chosen to log-in to the app through Facebook, all app events are shared automatically with Facebook. Accordingly, third party partners may receive information about users’ health and wellness-related events in non-identifying form.
*Advertising and device identifiers are strings of letters/numbers that uniquely identify a user’s phone, tablet, or other smart device but do not identify the individual user by name. However, these unique identifiers can be used to track activities on that device over time and across websites.
BodyMystique also contracts with dozens of third-party partners to provide various marketing and analytics services in connection with the app. These partners include Facebook, Google’s analytics division, AppsFlyer, and Amplitude, among others.
BodyMystique does not contractually limit how these third parties could use data they received from the app and the separate Terms of Service governing BodyMystique’s partnership agreements permits third parties to use the data for their “own purposes.” BodyMystique’s third-party partners use the combination of app event information and device and advertising identifiers for purposes such as serving targeted advertisements to customers who also use BodyMystique; measuring usage of particular apps or features by BodyMystique’s customers; for product development and improvement; or helping to detect and prevent invalid traffic, fraud, and security incidents.
On BodyMystique’s descriiption of its product in the App Store, it says “Your health data is personal and private to you, so it is important to us. Privacy is our priority. We will not sell or publish your personal information to any third party. We use world-class security practices to protect your health information.” On BodyMystique’s homepage, it says “The most personal information must also be the most private. BodyMystique was founded on the principle of empowering you to use your health information while ensuring its protection. To support that mission, we design innovative ways to protect your data and build powerful safeguards into our platform to ensure the safety of your personal information.”
Recently, an investigative journalist wrote an article about serious security vulnerabilities they discovered when using BodyMystique (these security vulnerabilities were subsequently verified by other news organizations following the initial report). BodyMystique allows a user to share information with another person’s account (“Partner Connect”). This feature allows two users to link to each other and share information. The investigative journalist reported that the app automatically grants linking requests without any authorization or confirmation from the user who was about to have their information shared. The investigative journalist also found that when a user changed their password BodyMystique did not verify that the old password matched what was stored on BodyMystique’s servers, and thus, anyone could exploit this vulnerability by simply changing to a new password and accessing all of the user’s account information.