Ban on sale of health data by brokers introduced in Senate ahead of abortion ruling

Newly proposed legislation from Sen. Elizabeth Warren takes aim at the dubious practice of data brokers selling health data via consumer health apps (Photo credit: “ND0_4285 – Caledos Runner on Lumia 820” by Nicola since 1972 is licensed under CC BY 2.0.).

Sen. Elizabeth Warren, D-Mass., introduced legislation this week that would ban data brokers from selling consumer data, including health and location data.

According to Warren, the bill comes in response to the likely repeal of Roe v. Wade by the Supreme Court and state efforts to “criminalize essential healthcare.”

“It’s more crucial than ever for Congress to protect consumers’ sensitive data,” Warren explained in a statement. “The Health and Location Data Protection Act will ban brokers from selling Americans’ location and health data, rein in giant data brokers, and set some long overdue rules of the road for this $200 billion industry.”

The bill is co-sponsored by Sens. Ron Wyden, D-Ore., Patty Murray, D-Wash., Sheldon Whitehouse, D-R.I., and Bernie Sanders, I-Vt.

“Americans ought to feel confident that their highly sensitive data isn’t hocked to the highest bidder without their consent,” Whitehouse said in a statement. “We need sensible rules for the handling of personal health and location data, especially in light of recent efforts to ban or even criminalize abortion care and other important healthcare.”

The Federal Trade Commission and state regulators have been actively working to combat these app challenges over the last year, with a keen focus on fertility and health apps.

Health apps are notoriously lax in their security practices, particularly when it comes to transparency about data sharing. Repeated reports have found that the vast majority of health and mental health apps routinely share sensitive consumer data with third-party vendors and fail to disclose the practice to users.

In one of the most notable cases, the FTC settled with Flo Health in 2019 to resolve allegations that the women’s health app developer misled more than 100 million users about its health disclosure practices. Although its privacy practices promised health data would remain private, the app routinely shared data with third parties for marketing and analytics services.

The newly proposed legislation would tackle this precise and longstanding health app data privacy and security issue by banning data brokers from selling “some of the most sensitive data available” from consumers.

The practice often occurs without the consent of users and is largely unregulated by federal law, with the data gathered by brokers being used to “circumvent the Fourth Amendment, out LGBTQ+ people, stalk and harass individuals, and jeopardize the safety of people who visit abortion clinics for healthcare.”

“Data brokers profit from the location data of millions of people, posing serious risks to Americans everywhere by selling their most private information,” Warren said in a statement. 

“When abortion is illegal, researching reproductive health care online, updating a period-tracking app, or bringing a phone to the doctor’s office all could be used to track and prosecute women across the U.S. It amounts to uterus surveillance,” she added.

Ban proposed for the sale of location, health data by brokers

The proposed bill would ban outright the sale or transfer of location and health data by data brokers and require the FTC to enact rules to implement the law within 180 days. The FTC rules would carve out exceptions for activities that comply with the Health Insurance Portability and Accountability Act, First Amendment speech, and validated, authorized disclosures.

If passed, the bill would empower the FTC, state attorneys general, and injured persons to sue, thus ensuring robust enforcement, while providing $1 billion in FTC funding over the next 10 years to accomplish the legislation’s goals.

The bill has been endorsed by a long list of data and sexual privacy experts from Duke University and the University of Virginia. The bill is also endorsed by Neil Richards, Koch Distinguished Professor in Law and Director of the Cordell Institute, Washington University in St. Louis.

Duke University Sanford School of Public Policy Fellow and Research Lead of the data brokerage project, Justin Sherman, warned that without a comprehensive bill the information sold by data brokers could be used for a range of harms, including consumers spying on other individuals in the wake of several state laws enabling the practice.

As it stands, companies are essentially allowed to freely buy and sell health and location data on the open market “with virtually no restrictions,” he explained. “Imposing strong legal and regulatory controls on this dangerous practice is vital to protecting the privacy of every American.”

“For far too long, shadowy networks of data brokers have engaged in an unregulated and unethical trade in our sensitive data for their own profit,” Richards said in a statement. “This bill would offer significant protections for everyone … at a time when the privacy of our health and our location data is becoming ever-more important to our ability to live our lives without fear.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
