The FTC reminds app providers to notify consumers of any data breaches, but lacks power to intervene in a more meaningful way
A reminder for health app providers: Last week, the FTC issued a policy statement directed at health apps and devices, which collect sensitive personal information from consumers. The statement was a reminder to these providers that they must secure health data from unauthorised access, and need to notify consumers and the FTC of any data breach. These services are subject to rules passed in 2009, which require them to notify when data is disclosed or acquired without consumers’ authorisation. More than a decade later, these services have become mainstream and the FTC sees them as ripe targets for scammers and hackers – even more so during COVID-19.
It’s time for the FTC to look more thoroughly into this issue: Reading between the lines, the FTC looks minded to do further work in this area in the future. The FTC’s Chair noted that the fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioural advertising or user analytics. She suggested that the Commission could scrutinise what data is being collected and whether particular types of business models create incentives that place users at risk. It wouldn’t be the first time the FTC engaged in this exercise. In 2014, it studied 12 health and fitness apps and found that data was shared with 76 third parties, and that in many cases this data was potentially traceable to the end user.
US law is an empty shell: Despite the FTC’s recent intervention, not much is likely to change without an overhaul of current legislation. Health apps and devices are not subject to the Health Insurance Portability and Accountability Act (HIPAA), which only covers hospitals and insurers, and which is a blunt instrument in that users have no power over how their data is used as long as they are notified about it. For the time being this is a completely unregulated space, and it would require significant work from legislators to come up with an up-to-date privacy framework. It remains to be seen whether there is a real appetite for that in the US, which is still far from adopting rules similar to Europe’s GDPR.