This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law. In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading.
The Federal Trade Commission (FTC) filed a complaint against Nomi Technologies, Inc., a retail tracking company that placed sensors in clients’ New York City-area retail stores to automatically collect certain data from consumers’ mobile devices as they passed by or entered the stores. Nomi’s business model was publicized in a July 2013 New York Times article. The complaint alleged, among other things, that although Nomi’s published privacy policy stated that Nomi would “allow consumers to opt out of Nomi’s [data tracking] service on its website as well as at any retailer using Nomi’s technology,” Nomi actually only allowed consumers to opt-out on its website — no opt-out mechanism was available at the clients’ retail stores.
The FTC voted 3-2 to accept a consent order (published for public comment on May 1, 2015) from Nomi under which Nomi shall not:
[M]isrepresent in any manner, expressly or by implication: (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”
The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow the individual consumers to be identified. The media access control (MAC) address broadcast by consumers’ mobile devices as they passed by or entered the stores was cryptographically “hashed” before it was collected, creating a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself. As dissenting Commissioner Maureen Ohlhausen points out, Nomi, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.” The majority, however, focuses on the fact that the opt out was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt out process may not have been required by law in the first place.
So while many HIPAA covered entities and other businesses may want to give consumers as much information as possible about data collection, the lesson here is twofold: first, make sure the notice is required under applicable law (and, if it’s not, be sure the benefits of notice outweigh potential risks); and, second, make sure the notice is 100% accurate to avoid FTC deceptive practices claims.