Free health apps – often funded by advertising revenue – may result in disclosure of private health information to third parties without permission from consumers.
A company that operates a health app or collects consumer health data should analyze how ad-tracking tools are used within its ecosystem. In 2021, the Federal Trade Commission (“FTC”) issued a policy statement clarifying mobile health app makers’ obligations to notify consumers if their data is exposed or shared without their permission. The FTC stated that the policy was meant to fill a “gap” in regulations for health apps, which generally are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”).
Failure to fulfill these obligations may result in a government action, such as an action by the FTC, which (1) has authority over businesses that collect health information under the FTC Act and (2) may bring enforcement actions regarding deceptive claims about the use or disclosure of health data. Recent federal and state enforcement actions include:
- FTC action: Flo Health Inc. settled FTC allegations that the company shared health information of its users with outside data analytics providers after promising such information would be kept private. The FTC filed a Complaint against Flo Health asserting that Flo Health (1) disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division and Google’s analytics division, (2) disclosed sensitive health information, such as the fact of a user’s pregnancy, to third parties in the form of “app events” (app data transferred to third parties for various reasons), and (3) did not limit how third parties could use this health data.
- California AG action: Glow Inc. settled a probe by the California Attorney General regarding its fertility-tracking mobile app, which stores personal and medical information. The Attorney General’s Complaint alleged that the app (1) failed to adequately safeguard health information, (2) allowed access to users’ information without the users’ consent, and (3) had additional security problems with the app’s password change function that could have allowed third parties to reset user account passwords and access information in those accounts without user consent. Under the settlement, Glow was required to (1) incorporate privacy and security design principles into its app and (2) obtain affirmative consent from users prior to sharing or disclosing personal, medical, or sensitive information and require the users to revoke previously granted consent.
In sum, a company that operates a health app or collects consumer health data should analyze how ad-tracking tools are used within its ecosystem.