On July 21, 2020, the FTC hosted its Fifth PrivacyCon, an event where researchers convene with FTC officials to discuss cutting-edge issues related to consumer privacy and security. Because PrivacyCon can be a harbinger of FTC activity, CPW attended PrivacyCon and reported on various developments of interest. Much of the focus this year was on healthcare data privacy—a particularly pertinent topic in light of the COVID outbreak.
Andrew Smith, the Director of the FTC Bureau of Consumer Protection, opened PrivacyCon with remarks on the FTC’s enforcement activity this past year. He also touched upon what might lie ahead in the future, with particular emphasis on FTC action in the healthcare arena. [As you all at CPW probably know already, while the Department of Health and Human Services (“HHS”) Office for Civil Rights is responsible for enforcing the Health Insurance Portability and Accountability Act, the FTC has general oversight over deceptive and unfair practices.] This past year, Smith observed, the FTC has taken various enforcement actions directed at protecting consumer privacy. This included what Smith described as “record-shattering” settlements reached against companies for privacy and security protections under various regulatory regimes, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the FTC Act. Smith noted that many of these settlements included structural changes to how consumers’ and children’s data was treated.
Looking forward, Smith said the FTC would be paying increased attention to mobile health apps as consumers are increasingly relying on these tools in a variety of contexts (health trackers, sleep monitors, smoking cessation apps, diet guides, etc.). Contact tracing brought on with the COVID outbreak has added complexity to this area. Smith noted that HHS had issued rules that made it easier for consumers to access their medical records on various apps, but cautioned that “whenever data flow increases the opportunities for data compromise increase.” Smith reiterated that the FTC would not hesitate to take action against entities that misrepresent what they are doing with consumers’ health data or put consumers’ health data at undue risk.
Smith said that the FTC’s call for papers to present at PrivacyCon this year included matters related to mobile health, interconnected devices, online ad delivery assistance, and technological developments that could be a boon to consumers but also pose risks to privacy, security and equal opportunity. Consistent with this approach, the first panel, consisting of researchers from Harvard Medical School, the University of Toronto and Elektra Labs, discussed various technology-related concerns pertaining to the development of healthcare apps. Based on the panelists’ comments, it is possible that areas of focus regarding healthcare apps could include evaluating and securing the connected sensor technologies that power health apps, as well as broader concerns related to cybersecurity, data aggregation, de-identification and informed consent.
This is a fast-growing area that, in light of Director Smith’s comments, is anticipated to evolve in the near future.