In response to the Supreme Court’s abortion ruling, the FTC is warning entities that it intends to “crack down” on companies misusing consumer data and “does not tolerate companies that over-collect, indefinitely retain, or misuse consumer data,” according to a new FTC blog post.
Written by Kristin Cohen, acting associate director of the FTC’s Privacy and Identity Protection Division, the post shows the FTC is reaffirming it will “fully enforce” the law when it uncovers any illegal misuse of consumer data, including location and health information.
“Companies that make false claims about anonymization can expect to hear from the FTC,” Cohen added.
The FTC will use its authority to protect data privacy. Its previous enforcement actions against Flo Health and tech giants for dubious data-sharing processes spotlights its focus on consumer protections. The enforcement actions stemmed from improperly collected and stored user data and failing to delete information upon request, among other questionable actions.
The Department of Health and Human Services has previously explained that data generated by health apps is not subjected to The Health Insurance Portability and Accountability Act regulation, unless generated or recommended by covered entities. The regulatory gap has prompted numerous congressional proposals.
But without a federal privacy standard, many of these app developers continue to routinely share sensitive data with data brokers and other third parties — some without transparency into the practice.
Patient privacy protections underscored after Roe vs. Wade struck down
With the current abortion and reproductive issues, this type of data sharing is increasingly putting patient privacy and safety at risk. Biden’s recent executive order and multiple congressional investigations into health app developers target these risks, joined by the FTC’s own effort to protect patient privacy.
The FTC is focused on the possible misuse of mobile location and health information, which “exposes consumers to significant harm. Criminals can use location or health data to facilitate phishing scams or commit identity theft.” The data could also be used to inflict physical and emotional injuries.
“The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms,” explained Cohen. These harms “are exacerbated by the exploitation of information gleaned through commercial surveillance.”
“Consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now,” she added.
In light of the ongoing risks, the FTC is primarily concerned with the intersection of location and health information tied to reproductive health, such as apps that track women’s periods, monitor fertility and contraceptive use, or target women considering abortion.
There are also a number of security risks and reliance on connected devices, which may be “regularly pinging cell towers,” using public WiFi networks, and capturing location data that could reveal where patients receive medical care. And the consumer may be unaware of how their sensitive information is being shared.
Consumer-generated health data is another area of concern, pulled from health apps to monitor fitness, menstrual, and sleep patterns. For the FTC, “the potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers.”
The issue stems from a lack of awareness of what happens to consumer data once it’s collected by an app. Multiple studies have confirmed the majority of health apps routinely share data with brokers or other third parties without transparency into the process.
The FTC is reminding all app developers and related companies to review ongoing collection of sensitive consumer data, including health information, which is protected by a range of federal and state laws — many of which govern the collection, use and sharing of consumer data.
The agency has previously enforced hundreds of cases aimed at protecting the privacy and security of consumer data, some of which came with “substantial civil penalties.”
All companies are being reminded that Section 5 of the FTC Act “broadly prohibits unfair and deceptive trade practices”, and the agency also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.
HHS has previously issued guidance to address these concerns and ensure covered entities are aware of the required mechanisms to protect patient privacy and when data sharing is, or isn’t, permissible.