The Federal Trade Commission (FTC) recently issued a policy statement confirming that vendors of apps and other connected devices that collect personal health information, such as glucose levels, heart rate, or fertility or sleep data, are subject to the FTC’s Health Breach Notification Rule. The rule, issued in 2009, requires vendors to notify consumers following a breach involving unsecured information, including sharing data with third parties without the user’s authorization. The FTC and, in some cases, the media must also be notified of breaches.
The rule is intended to ensure accountability for breaches suffered by entities that are not covered by HIPAA. Fines for noncompliance can be as much as $43,792 per violation per day.
In a statement, FTC Chair Lina Khan said, “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches. Given the rising prevalence of these practices, it is critical that the FTC use its full set of tools to protect Americans.” In the FTC’s press release, she also pointed out that “the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” is a more fundamental problem. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she added.
Health apps are covered under the FTC’s rule if they have the technical capacity to collect and sync health information from multiple sources, including devices like fitness trackers. Devices that cannot share data are not covered by the rule.
Earlier this year, Flo Health, Inc., which markets a menstrual and ovulation tracking app, entered into a settlement with the FTC to dispose of charges that Flo improperly shared consumer data with third parties, including Facebook and Google. This author correctly predicted at that time that the FTC “will soon take further action against mobile app developers that violate consumers’ privacy or fail to comply with health breach notification laws.”