The Federal Trade Commission (FTC) recently issued a policy statement confirming that providers of apps and other connected devices that collect personal health information, such as glucose levels, heart rate, or data from fertility or sleep, are subject to the FTC’s health notification rule. . The rule, published in 2009, requires sellers to notify consumers after a breach involving insecure information, including sharing data with third parties without user permission. The FTC and, in some cases, the media must also be made aware of violations.
The rule is intended to ensure accountability for violations suffered by entities that are not covered by HIPAA. Fines for non-compliance can reach $ 43,792 per violation per day.
In a statement, FTC President Lina Khan said, âDigital apps are routinely caught in the act of fast and loose gambling with user data, leaving users’ sensitive health information vulnerable to hacks and attacks. violations. With the increasing prevalence of these practices, it is critical that the FTC use its full set of tools to protect Americans. In the FTC press release, she also pointed out that “the commodification of sensitive health information, where companies can use that data to fuel behavioral ads or powerful user analytics,” is a more fundamental issue. . “Given the growing prevalence of surveillance-based advertising, the Commission should consider what data is collected in the first place and whether particular types of business models create incentives that necessarily put users at risk,” he said. she adds.
Health apps are covered by the FTC rule if they have the technical ability to collect and sync health information from multiple sources, including devices like fitness trackers. Devices that cannot share data are not covered by the rule.
Earlier this year, Flo Health, Inc., which markets a period and ovulation tracking app, struck a deal with the FTC to remove accusations that Flo shared consumption data with third parties, including including Facebook and Google. This author correctly predicted at the time that the FTC “will soon take further action against developers of mobile applications who violate consumer privacy or violate health notification laws.”