
FTC Helps App Developers Understand Data Sharing

When I say “help”, I mean that only in the kindest of terms, such as placing the company under a 20-year monitoring program, among other assistance.

In this case, a company called Easy Healthcare offers a free ovulation tracking app. As most of you well know, if it is free, you are the product. That is exactly what happened here.

Part of the problem is that even though almost no one reads the terms of service, the company decided to misrepresent its practices in them anyway.

The company shared identifiable health data with two China-based mobile analytics companies despite representations that it would not. The China part is interesting. Since this kind of analytics processing is automated, labor cost is not the issue, so is there a reason the analysis could not have been done in the U.S.? I don’t think it would have changed the outcome, but it is a bit weird.

The company also did not implement reasonable privacy and security measures, such as encrypting the data and auditing the practices of the companies it was sharing data with.

It also failed to notify customers that their identifiable health data had been shared with third parties. This, the FTC says, is a violation of the Health Breach Notification Rule (HBNR), a 2009 regulation that covers identifiable health data held by entities not otherwise covered by HIPAA.

This is the second company the FTC has whacked under this rule in the last few months.

In addition to paying a small fine ($100k), the company is banned by the order from sharing health data for advertising purposes and prohibited from sharing health data with third parties for any other purpose without the express consent of the customer.

Consider what that consent screen would have to say: “In exchange for giving you this app for free, we are going to sell your personally identifiable health data so that we can target ads at you (or use it for some other purpose). Click here if you agree.”

How many people would click? Their business model just got flushed down the toilet.

The FTC goes even further and spells out what counts as consent. As Davis Polk summarizes the order:

The requisite consent is defined as “any freely given, specific, informed, and unambiguous indication of an individual’s wishes demonstrating agreement by the individual, such as by a clear affirmative action” following clear and conspicuous disclosure.

https://www.davispolk.com/insights/client-update/ftc-brings-enforcement-action-under-health-breach-notification-rule-against

Other requirements in the consent order, which lasts for 20 years, are:

  • Mandatory security and privacy program
  • Independent assessments
  • Executive certifications

This is the second time in four months that the FTC has used this 2009 rule to go after data sharing. On the same day, the FTC also announced proposed changes to the HBNR to make explicit that the rule applies to health apps and that a “breach” includes unauthorized disclosure, not just a hacking incident.

This consent order mirrors what the FTC agreed to with GoodRx a couple of months ago.

Lastly, this case shows cooperation between the feds and the states: on the same day the FTC order was announced, a separate agreement between Easy Healthcare and the attorneys general of Connecticut, Oregon and the District of Columbia was announced as well.

The FTC is trying really hard to make it clear that selling or sharing health information without consent is a no-no, and that if it finds out you are doing it, you are going to be in a world of trouble.

If this is concerning to you, if you think you might be covered by the HBNR or Section 5 of the FTC Act, or if you think you might not have your arms fully wrapped around the implications of this, please contact us.

Credit: Davis Polk law firm
