On July 8, 2022, following the Supreme Court’s decision in Dobbs, the president signed an executive order that called on a number of federal agencies to take steps to protect reproductive rights. He specifically asked the Federal Trade Commission (FTC) to “consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive health care services.” The FTC responded swiftly with a high-profile post authored by the acting director of the FTC’s Division of Privacy and Identity Protection.
With one exception (discussed below), the FTC post mostly reiterates the agency’s long-held commitment to addressing misuse of health and geolocation data. Health issues have been an FTC privacy focus for decades. Indeed, one of the FTC’s first modern-era privacy cases was brought against a pharmaceutical company that inadvertently sent an email to consumers and put email addresses in the “To” line instead of the “Bcc” line, thereby disclosing sensitive health information to all recipients of the email. Since then, there has been a steady stream of health-related cases, including a 2021 case against Flo Health, the developer of a period-and-fertility-tracking app that shared health information with third-party analytics providers after promising that such information would be kept private. The FTC also enforces the Health Breach Notification Rule and recently issued a policy statement that broadened the interpretation of that rule, which governs breaches that occur with health apps not covered by the Health Insurance Portability and Accountability Act (HIPAA).
The FTC has also brought many cases challenging the use or sharing of location data. Recently, the FTC case against OpenX alleged that although the adtech company represented that consumers could opt out of location data collection, it nonetheless accessed such data from Android users even after they opted out. Geolocation issues were also at the forefront of a 2013 FTC case involving a flashlight app that collected location data and allegedly deceived consumers about how their information would be shared with third parties.
FTC Calls Out Deceptive Claims of Data Anonymization and Aggregation
The July 11 post appears to be the first time the FTC has addressed false or deceptive claims related to data anonymization or aggregation as an avenue of enforcement. With the rising concern that health app data could be leveraged against individuals seeking reproductive care, a 2017 example of which can be found here, the FTC post indicates that companies may try to “placate” consumers by using statements about how data is anonymized or aggregated. The post cites to one study that, using just four location data points, was able to uniquely identify 95 percent of the individuals in a 1.5 million-person dataset that was apparently anonymized. This demonstrates that app developers may not fully understand the extent to which they are (or are not) anonymizing data.
Whether intentional or not, a company’s failure to accurately understand or represent its anonymization practices may be due to the lack of specific, enforceable de-identification standards like those required by HIPAA. The FTC’s 2012 Privacy Report discussed the issue of de-identification and noted that companies must “achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.” The report also noted that relevant considerations as to what constitutes such “justified confidence” include the available methods and technologies as well as the nature of the data at issue and the purpose for which it will be used. The report further stated that “companies must take reasonable steps to ensure that data is de-identified.” Since 2012, data collection and monetization have exploded, sharing of significant health information outside primary care relationships has become the norm, and now criminalization of abortion services will be permitted. It is likely that the FTC will be expecting something more than reasonable steps and perhaps will provide clearer standards for de-identification.
In the meantime, companies that collect consumer data should reexamine their de-identification processes and the representations regarding data anonymization in their consumer-facing documents, as the FTC made clear in its July 11 post: “Companies that make false claims about anonymization can expect to hear from the FTC.”