As we have written before, mobile apps geared toward health and fitness have become increasingly popular—and an increasingly popular target for regulators. This makes sense. Health and fitness apps can pose a serious risk if consumers rely on them for personal health information that turns out to be inaccurate or misleading. And the risk goes both ways—an app can provide false reassurance that you’re perfectly healthy when you should really be seeing a doctor, or it can prompt you to seek unnecessary medical attention for a medical issue that’s not an issue at all.

It perhaps comes as little surprise, then, that an app that claims to accurately measure your heart rate—a pretty important indicator of health, you could say—would draw the scrutiny of a State AG.

The New York Attorney General in late March announced settlements with three mobile health app developers that allegedly made misleading and deceptive claims about their apps’ ability to accurately measure heart rates and monitor and play fetal heartbeats. Notably, the settlements also included allegations that the developers maintained inadequate privacy policies that failed to inform consumers about the scope of the developers’ data collection and storage practices. These settlements brought to a close the New York AG’s yearlong investigation into the app developers.

The three app developers all created apps that claim to measure or monitor heart rate. The app Cardiio, which has been downloaded hundreds of thousands of times, purports to measure a user’s heart rate after strenuous exercise when the user places an index finger against the phone’s camera lens or simply holds the phone in front of his face. The Runtastic app, downloaded more than one million times, similarly claims to measure heart rate and cardiovascular performance after strenuous physical activity through the use of the phone’s camera lens. And My Baby’s Beat, an app with hundreds of thousands of downloads, purports to enable a pregnant user to listen to her fetus’s heartbeat through holding a smartphone to her stomach.

According to the New York AG, these claims were deceptive and misleading because the three app developers lacked sufficient evidence to substantiate them. The developers of Cardiio and Runtastic, the AG alleged, failed to test whether the apps accurately measured the heart rate of users engaged in strenuous physical activity, and the developer of Cardiio also misleadingly implied that the Massachusetts Institute of Technology endorsed the app. As for My Baby’s Beat, the developer claimed that the app “can turn your smartphone into a Fetal heart monitor” even though the app had not been reviewed and approved by the Food and Drug Administration, the agency charged with regulating fetal cardiac monitors. The developer also advertised the app as an alternative to a fetal monitor or Doppler without conducting any live testing comparisons of the devices.

The New York AG also alleged that the developers maintained privacy policies that did not require all users’ express consent and that failed to make clear that the apps collected and stored various user data that could be personally identifying information. This information included the user’s GPS data and a unique identifier of his device.

Under the settlement, the developers agreed to provide more information about the apps’ testing, to modify the ads that were misleading, and to pay a combined $30,000 in penalties to the Office of the Attorney General. The apps also now prominently disclose that they are not medical devices and have not been approved by the FDA. And to address the AG’s privacy concerns, the developers have agreed to require that users affirmatively consent to the privacy terms, and they have also started disclosing to the user that the apps collect and store personally identifying information.

These settlements serve as yet another reminder that regulators—both State AGs and the FTC—remain intent on reining in unsubstantiated advertising claims, especially when those claims involve popular health-related apps that purport to accurately measure a person’s vital signs or other indicators of health and wellness. In a concurring statement in another health-app case from January, however, Acting Chairman Ohlhausen expressed the view that the substantiation standard should not be too high. Advertisers just need to ensure that their claims match the substantiation they have and do not mislead consumers.

The New York AG settlements have one other key takeaway—when a mobile app collects and stores personal data, companies should be sure to disclose their privacy policies clearly and conspicuously so that consumers can understand the privacy implications of using the app.