FTC Consumer Protection Bureau Alerts Businesses About Health Data

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” market in which consumers’ location and health data is collected and exchanged among firms and the concerns and risks associated with the processing of these types of data. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to individuals.”

The alert highlights the particular challenges posed by reproductive health data (e.g., data generated by menstruation, fertility and contraceptive tracking apps) when combined with location data. As an example of the potential misuse of such data, the alert cites an enforcement action brought by the Massachusetts Attorney General against an advertising company for its alleged “geofencing” of abortion clinics to identify people who had been near the clinics and send targeted ads to the individuals’ phones with links to websites with information about abortion choices.

The alert also focuses on the role of (1) mobile operating systems that collect sensitive data; (2) app publishers and software development kits (SDKs) that “embed tools in mobile apps to collect location information and provide the data to third parties”; and (3) data aggregators and data brokers that (a) collect information from multiple sources, (b) draw sensitive inferences from such data (e.g., regarding a consumer’s pregnancy status), (c) build profiles about individuals using such data, and (d) provide access to such data to marketers, researchers and government agencies. The alert portrays the ad tech and data broker ecosystems as “often shadowy,” and states that companies in these industries “have a profit motive to share information at an unprecedented scale and granularity.”

The alert offers the following guidance to businesses with respect to sensitive data:

  • Sensitive data is protected by state and federal laws, including those enforced by the FTC. These include Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices, and the HIPAA Safeguards Rule, the Health Breach Notification Rule, and the COPPA Rule.

  • Claims that data has been “anonymized” or “aggregated” are typically deceptive and can constitute a deceptive trade practice under the FTC Act when untrue. The alert states that “anonymized” data can often be re-identified, especially when it includes location data, and references research that identified 95% of individuals using only 4 location points with timestamps. The alert warns that businesses making false claims about data anonymization “can expect to hear from the FTC.” This is of particular relevance to businesses operating in the ad tech and data broker space that may make such claims.

  • The FTC “cracks down” on companies that misuse consumer data. The alert highlights the FTC’s recent enforcement actions against companies for the alleged misuse of consumer data, including against (1) ad exchange OpenX for allegedly collecting location data from consumers who opted out of being tracked, and from children in violation of COPPA, which resulted in a $2 million settlement; (2) Kurbo/Weight Watchers for alleged COPPA violations and indefinitely retaining sensitive consumer data, resulting in civil penalties of $1.5 million, and an order to destroy any models or algorithms developed using children’s personal data; (3) CafePress, a customized merchandise platform, for its alleged failure to implement reasonable security measures (including the failure to apply appropriate data retention practices) and failure to respect consumers’ deletion requests, which resulted in an order requiring the company to pay a fine and limit its data collection practices; and (4) Flo Health, a fertility tracking app, for the alleged over-collection, indefinite retention, misuse, and improper sharing of consumer data, including allegations that the company shared app users’ health data with third-party marketing and analytics firms despite representations that the company would keep such data private.

The alert warns businesses that the FTC is “committed to using the full scope of its legal authorities to protect consumers’ privacy” and that the agency will “vigorously enforce the law if [it] uncover[s] illegal conduct that exploits Americans’ location, health, or other sensitive data.”

The alert comes days after President Biden’s Executive Order that, in part, directed the FTC to “consider actions, as appropriate and consistent with applicable law (including the FTC Act) to protect consumers’ privacy when seeking information about and provision of reproductive health care services.”


Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.
National Law Review, Volume XII, Number 194

Maria Flores
