FTC to crack down on biometric tech, health app data privacy violations

Developers of consumer-driven health apps and tech can expect more stringent enforcement, as the Federal Trade Commission intends to update its Health Breach Notification Rule to clarify language around breach of security, user consent language and other functions.

The FTC voted unanimously May 18 to update the HBNR, in addition to issuing a policy statement on its intent to combat unfair or deceptive practices tied to the collection, use and marketing of consumers’ biometric information and technologies. The risk of biometric tech violations is directly tied to the exposure of the digital identity of consumers and their privacy.

The FTC vote followed a second enforcement action taken under the HBNR against the makers of Premom on May 17 to resolve a host of privacy allegations, including that the fertility app and its parent company, Easy Healthcare, deceived users by sharing their personal and health data with third parties.

In addition to a monetary penalty, the app developer is required to make a host of changes to its privacy and security program and inform users of the settlement with FTC.

The unauthorized disclosures were tied to Premom’s use of third-party software development kits (SDKs), which were among the concerns named during the May 18 hearing, as well as the proliferation of telehealth and health apps

“More and more companies are involved in the business of collecting health data, some of which fall outside the Health Insurance Portability and Accountability Act,” said Ben Wiseman, acting associate director for the division of privacy and identity protection at the FTC said during the meeting.

“But it doesn’t mean that consumers have no privacy protections,” said Wiseman. “To the contrary, the FTC has wide jurisdiction over companies collecting health data and is committed to safeguarding consumers’ sensitive health information.”

The FTC settlements against GoodRx and BetterHelp, for example, highlight the agency’s ability to crack down on possible consumer data privacy violations. These actions also spotlighted the need for app developers to institute policies and practices to protect all health data to prevent unfair practices.

“Like pixels, SDKs are hidden pieces of code, and websites and apps that can transfer user information to advertisers,” Wiseman continued. “These cases and recent tech guidance make clear that the FTC will scrutinize company's use of this and any technology that transmits consumer sensitive information.”

What’s more, health information encompasses a broader definition than what’s detailed in HIPAA. Medical data can include data from which a company or tech could infer sensitive health information about an individual. Wiseman pointed to consumers visiting or using a mental health treatment service.

When their email was disclosed as part of BetterHelp’s advertising plan, it “was a disclosure of their health information because it effectively identified them as seeking or receiving mental health treatment,” he explained.

The commission voted to revise the HBNR to clarify language that could trip up entities interacting with consumer health data, including definitions for the rule’s application to health apps and similar technologies not covered by HIPAA and the definition of “PHR identifiable health information.” 

The FTC also intends to better describe a “breach of security” under the rule to add the “unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure” and improve the rule’s readability and promote compliance.

Once the rule is published in the Federal Register, the public will have 60 days to submit comments on these proposed changes.

FTC signals tightening biometric information enforcement 

The FTC has grown increasingly concerned over biometric surveillance, given the proliferation of technologies such as facial-, iris- or fingerprint-recognition tech, which collect and process biometric information to identify individuals. Biometrics can be used to deduce highly sensitive details about an individual, including their demeanor.

In one of the most recent examples, Vimeo agreed to pay $2.25 million to users of its AI-based video creation and editing platform Magisto to resolve claims it collected and stored their biometric data without their consent. The app allegedly uploaded users’ photographs and videos to the platform in violation of Illinois’ Biometrics Information Privacy Act (BIPA).

Biometrics raise “significant consumer privacy and data security concerns and the potential for bias and discrimination,” according to the policy notice.

Samuel Levine, director of the FTC’s Bureau of Consumer Protection, warned that, “Today’s policy statement makes clear that companies must comply with the law, regardless of the technology they are using.”

To avoid these pitfalls, companies should holistically assess potential harms to consumers before collection of biometrics. A third-party should evaluate the particular context in which the technology will be used and consider the role of human operators, in addition to other preventable risks to the information.

The policy statement details potential pitfalls for companies leveraging biometrics, including descriptions of possible deception means. In particular, that “false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of tech using biometric information,” constitute deceptive practices in violation of the FTC Act.

Among the obvious deception elements, “businesses must not make false or unsubstantiated claims about real-world validity, accuracy, or performance of biometric information technologies when the claims are based on tests or audits that do not replicate real-world conditions or how the technology will be operationalized by its intended users,” according to the policy notice.

The law also requires companies to implement reasonable privacy and data security measures the biometric information collected or maintained is protected, both internally and externally.

The policy notice details the expectation for biometric use in companies, and potential enforcement of these technologies, moving forward. Developers should review these factors to ensure compliance, as the FTC continues to crack down on violations of consumer data privacy.