September 19, 2021

Volume XI, Number 262


Recent FTC Settlement Serves as Reminder For Digital Health Developers

Many digital health app developers offering health and wellness solutions directly to consumers may find themselves in a space unregulated by the Health Insurance Portability and Accountability Act (“HIPAA”). While potentially outside the scope of HIPAA, developers in this space are reminded of the risks stemming from other federal and state privacy and security laws, including unfair, deceptive, or abusive acts or practices (UDAAP) laws. A recent Federal Trade Commission (“FTC”) settlement sheds light on the importance of accurately describing how information is collected, used, and shared.

Specifically, the FTC recently settled with Flo Health, Inc., maker of a popular fertility-tracking app, based on promises made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and to use it only to provide the app’s services to users, the health information of over 100 million users was in fact being shared with popular third-party companies providing marketing and analytics services to the app.

Like many app developers, Flo tracked both standard app events, such as launching or closing the app, and “custom” app events. Custom app events record user interactions unique to those using the Flo app. For example, if a user enters a menstruation date, that interaction is logged as a custom app event. Flo used those custom app events to improve app functionality and identify features that might be of interest to the user. Flo also gave each custom app event a descriptive title, such as “R_PREGNANCY_WEEK_CHOSEN.” These custom app events, with that descriptive title, thus conveyed information about users’ menstruation, fertility, or pregnancies.

In its app, Flo integrated various third-party tools (software development kits, or SDKs) that gathered advertising or other unique device identifiers. When doing this, the SDKs also gathered the custom app events revealing certain health information about users. The FTC alleged that this amounted to sharing health information with third parties and directly contradicted statements in Flo’s privacy policy claiming never to share health data (e.g., “We may share certain non-identifiable information about you and some Personal Data (but never any data related to health).”). In addition, Flo did not limit what these companies could do with the users’ information, agreeing instead to each company’s standard terms of service. Besides allegedly violating its own privacy policy, the FTC also pointed out that this kind of sharing violated several of the third parties’ own terms of service/use, which prohibited the sharing of health or sensitive information.

As part of the settlement, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data. In addition, separate from any privacy policy or terms of use, before sharing any health information with a third party in the future, Flo must disclose the categories of health information that will be shared, the identities of the third parties, the purpose of such disclosure and how the information will be used, and obtain the users’ affirmative express consent. The FTC did not impose any financial penalty as part of the settlement.

Our sister blog discusses more details of this case, including the allegations that Flo violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.

Practical Considerations

Apps collecting sensitive or health information should be aware that descriptive custom app event titles can inadvertently convey information not intended to be shared with third parties. Transmitting such titles to an SDK can be viewed as sharing personal information, and thus the FTC (and others) will expect it to be correctly described in the company’s privacy policy and anywhere else representations about data use and sharing are made. Companies that have not done so already will want to review their app event titles and the information that gets shared as part of SDK integrations, and align both with their privacy disclosures. This case is also a reminder that companies in the health and wellness space have privacy and security obligations even if they fall outside the scope of HIPAA.
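The review described above can be made mechanical. The following is an added illustration, not code from the original article or from Flo: a pre-release audit that flags event titles whose name alone reveals health status (the page’s own “R_PREGNANCY_WEEK_CHOSEN” is the model), and a gate between the app’s event logger and each third-party SDK that forwards such events only where the user has given affirmative express consent for that vendor. The health-term vocabulary, the sample event catalogue, the vendor names, and the consent store are all constructed for this example.

```python
import re

# Constructed vocabulary for this example: tokens that make an event title itself
# disclose health status, whatever the event payload carries.
HEALTH_TERMS = {"pregnancy", "pregnant", "menstruation", "period", "fertility",
                "ovulation", "cycle", "symptom"}


def health_terms_in(event_name):
    """Tokens of a custom event title (e.g. R_PREGNANCY_WEEK_CHOSEN) that reveal health data."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z]+", event_name) if t}
    return tokens & HEALTH_TERMS


def audit_event_names(event_names):
    """Pre-release check: which titles in the app's event catalogue would disclose
    health information to any SDK that receives them, and which tokens cause it."""
    return {name: sorted(hits) for name in event_names if (hits := health_terms_in(name))}


class ThirdPartyEventGate:
    """Sits between the app's event logger and each third-party SDK. Non-health
    events pass through unchanged; health-revealing events are forwarded only to
    vendors the user has expressly consented to, otherwise they are dropped and
    recorded so the suppression can be reviewed."""

    def __init__(self, consents):
        # consents: {user_id: set of vendor names the user affirmatively agreed to}
        self.consents = consents
        self.suppressed = []  # (user_id, vendor, event_name) triples for an audit log

    def forward(self, user_id, vendor, event_name):
        """Return the event name to send to `vendor`, or None if it must not be sent."""
        if not health_terms_in(event_name):
            return event_name
        if vendor in self.consents.get(user_id, set()):
            return event_name
        self.suppressed.append((user_id, vendor, event_name))
        return None


# Constructed sample catalogue in the naming style the complaint describes;
# only R_PREGNANCY_WEEK_CHOSEN is taken from the article itself.
SAMPLE_EVENTS = ["APP_LAUNCH", "R_PREGNANCY_WEEK_CHOSEN",
                 "R_PERIOD_DATE_ENTERED", "SETTINGS_OPENED"]

if __name__ == "__main__":
    for name, why in audit_event_names(SAMPLE_EVENTS).items():
        print(f"{name}: title reveals {', '.join(why)}")
```

The token-based check is deliberately strict: a title that names a health concept is flagged even when the event carries no other data, because the title itself is the disclosure.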

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 49

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Allison Fulton DC SheppardMullin Shareholder Life Sciences FDA
Shareholder

Allison Fulton is a partner in the Life Sciences and FDA team and is based in the firm's Washington, D.C. office. Allison advises life sciences companies, including pharmaceutical, medical device, dietary supplement, food and cosmetic companies, in matters relating to the development, manufacture, and marketing of products regulated by the U.S. FDA.

Areas of Practice

Allison’s areas of focus include assisting U.S. and international companies in complying with current Good Manufacturing Practice (GMP) and the Quality System Regulation (QSR). She regularly advises...

202.747.2195