In the post-Roe era, the federal government and state governments continue to focus on consumer digital health privacy. On May 17, 2023, the Federal Trade Commission (FTC) announced a settlement with Easy Healthcare Corporation (ECH) related to its Premom Ovulation Tracker mobile application. The settlement is reflected in the terms of a proposed stipulated order following the formal complaint against ECH. This is the FTC’s second recent enforcement action under the FTC’s Health Breach Notification Rule (Breach Rule) focusing on the disclosure of sensitive health information to third parties through mobile-tracking technologies.
For companies handling digital health information, the FTC’s action against ECH continues to highlight several risks and issues to address in an effort to avoid monetary fines, processing penalties, government-imposed changes to business practices and increased regulatory oversight.
Key takeaways
Consumer digital health and connected device companies should:
- Be mindful of the continued application of Breach Rule to certain entities that are not regulated by the Health Insurance Portability and Accountability Act (HIPAA).
- Provide accurate and complete privacy notices.
- Know with whom they are sharing personal information (broadly defined and interpreted) and for what purposes.
- Build privacy-by-design practices into product and service development.
- Implement and maintain reasonable privacy and data security measures designed to protect personal information.
Background
The Premom app allows users to input and track various types of personal information – including sensitive health information, such as period and fertility data, pictures of ovulation test strips and imported health information from other devices and apps. According to the FTC’s complaint, the Premom app privacy policy falsely stated that ECH:
- Would not share health information with third parties without users’ knowledge or consent.
- Only collected and shared nonidentifiable data.
- Used the information only for its own service provision, analytics and advertising purposes.
The FTC alleged that despite these privacy policy statements, the Premom app shared users’ personal information with – among others – marketing and analytics companies in which the recipient entities had the ability to use the personal information for their own purposes, including for advertising.
In the multicount complaint, the FTC alleged, among other things, that ECH violated the FTC Act by engaging in:
- Deceptive practices by misrepresenting or omitting material information from its privacy policy.
- Unfair practices by failing to maintain reasonable security measures, as well as sharing consumers’ health information with third parties for advertising purposes without users’ knowledge or consent (which constitutes a notifiable breach under the Breach Rule).
Analysis
The Premom action demonstrates the FTC’s continued interest in apps and other connected devices that process consumer health information.
The FTC Health Breach Notification Rule
The Breach Rule, in effect since 2009, requires, among other things, non-HIPAA-regulated “vendors of personal health records” – which the FTC interprets broadly to include a range of apps and connected devices – to provide notice to consumers, the FTC, and, in some instances, the media regarding the unauthorized acquisition of that data. In other words, the Breach Rule is not triggered solely by a third party’s nefarious act that results in the unauthorized acquisition of personal health records. Rather, the FTC deems the unauthorized sharing of consumer health information sufficient to trigger a notifiable data breach under the Breach Rule. Attendant to these broad statutory interpretations, in the years since the Breach Rule went into effect, health apps and other connected devices that collect consumer health data have proliferated and are targets ripe for cyberattacks. This has led to the FTC’s aggressive and somewhat novel theories about potential consumer harms associated with the unauthorized acquisition of health information. In fact, the FTC recently proposed changes to the Breach Rule to clarify its applicability and scope. Failure to comply with the Breach Rule could subject an offending entity to fines of up to $43,792 per violation per day.
Takeaway
- Regulated entities should understand the Breach Rule’s breadth – both in relation to whom it applies and what constitutes a notifiable breach – and address any attendant compliance obligations.
Privacy notices
The FTC’s position is that a company’s failure to provide accurate and complete notices related to its personal information practices constitutes a false or misleading and deceptive practice in violation of Section 5(a) of the FTC Act. As alleged in the complaint, in several instances through its consumer-facing privacy policies, ECH informed consumers that it:
- Would “NEVER SHARE [A CONSUMER’S] EXACT AGE OR ANY DATA RELATED TO [A CONSUMER’S] HEALTH WITH ANY THIRD PARTIES WITHOUT [THE CONSUMER’S] CONSENT OR KNOWLEDGE.”
- Shared only “non-health [p]ersonal [d]ata” or “nonidentifiable information” with service providers.
- Used users’ data only for its own service provision, analytics and advertising purposes.
Based upon the complaint’s allegations, each of these statements was false or misleading. Specifically, ECH shared consumer health information through third-party marketing and analytics firms’ software development kits (SDKs) integrated into the app, and some of these firms could use the information for their own purposes.
Takeaways
- Regulated entities should be mindful that inaccurate or incomplete statements in consumer-facing privacy policies can give rise to regulatory action.
- Privacy policies should address the use of tracking technologies.
- Regulated entities should revisit their interpretation of what constitutes truly “nonidentifiable information.”
Consumer health information-sharing
According to the complaint, ECH incorporated SDKs of, among others, two foreign mobile app analytics providers. These SDKs allegedly transmitted:
- User social media account information.
- Resettable identifiers (including mobile device advertising identification numbers) that could be used for targeted advertising.
- Nonresettable identifiers that are unique to a device.
- Precise geolocation information.
The FTC views the sharing of nonresettable device identifiers as particularly problematic, because consumers concerned about tracking through such information cannot easily disassociate themselves from such information – in other words, they would have to purchase a new device. ECH agreed to each of the providers’ standard terms of service that allowed the providers to use and share Premom users’ information for any of their own respective business purposes, including advertising. The FTC alleged that ECH’s disclosure of users’ personal information to third parties – that then could use it for their own purposes – violated the FTC Act’s prohibition on deceptive practices. The FTC further alleged that ECH’s transfer of users’ health information to third parties without users’ knowledge, and without providing users notice or obtaining their affirmative express consent, constituted an unfair practice under the FTC Act.
Takeaways
- Regulated entities should understand what personal information they are collecting, for what purposes they are collecting it, to whom they are disclosing it and for what purposes they are disclosing it. To the extent possible and appropriate given the circumstances, regulated entities should contractually limit the manners in which recipient entities can use shared personal information.
- Through the FTC’s recent Breach Rule enforcement actions, it is evident that the FTC is highly concerned with the sharing of consumer health information that could be used for targeted advertising purposes. By invoking the FTC Act’s “unfair” prong (as opposed to solely the “deceptive” prong, which a clear disclosure in a privacy policy may satisfy for compliance purposes), the FTC may be raising the compliance bar for non-HIPAA-regulated vendors of personal health records in relation to their use of online tracking technologies (such as cookies, pixels and SDKs) for targeted advertising purposes.
Privacy-by-design principles
According to the complaint, Premom’s SDK features created custom app events (i.e., records of user-app interactions), through which ECH disclosed personal information to the SDK providers. In leveraging the custom app events, ECH did not use nondescriptive titles; rather, it used descriptive titles that conveyed the user’s health information (e.g., “Calendar/Report/LogFertility”). The FTC faulted ECH for failing to use nondescriptive titles, because the title names themselves conveyed personal information about users’ fertility and pregnancies.
Takeaway
- While not explicitly required under the FTC Act, the FTC’s allegations highlight that personnel involved in product and service design should look for opportunities to incorporate privacy-by-design principles that minimize the potential for disclosure of personal information through seemingly innocuous event titles and similar instances.
Reasonable privacy and security measures
According to the complaint, ECH failed to address privacy risks created by the incorporated third-party SDKs. Specifically, ECH did not:
- Test what data ECH transferred and/or made available to these parties.
- Continue to monitor these providers’ privacy practices and their respective data usage terms.
- Audit the recipients’ privacy practices.
- Maintain policies regarding the secure implementation of third-party SDKs.
- Provide adequate training to its personnel who were responsible for incorporating third-party SDKs.
In addition, according to the FTC’s complaint, at least one of the third-party SDK providers failed to encrypt Premom users’ personal information, which may have resulted in the unauthorized acquisition of the data by other third parties – including foreign governments or bad actors.
Takeaway
- Digital health and connected device companies should continue to be mindful that data security helps to drive data privacy and should maintain appropriate data security measures.