The Federal Trade Commission seems to be getting serious about unauthorized disclosures of data collected by health apps. In a Policy Statement issued on September 15, 2021, the FTC says it will enforce its Health Breach Notification Rule, 16 C.F.R. Part 318 (the “Rule”):
This Policy Statement serves to clarify the scope of the Rule, and place entities on notice of their ongoing obligation to come clean about breaches.
This past January, I wrote about the FTC’s failure to require Flo Health to provide individuals with notice as required by the Rule:
Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.
The FTC’s Policy Statement clarifies that health app developers are subject to the Rule if they are capable of drawing information from various sources, such as consumer inputs and application programming interfaces (APIs), even if the health information only comes from one source. By way of example, if a consumer inputs her glucose levels or other health-related information into an app that combines that information with non-health-related information retrieved from another source, the Rule applies.
The bottom line is that app developers that collect any health-related data need to be alert to the likely applicability of the Rule and the FTC’s recent enforcement stance.