The Office of the New York State Attorney General (“NY AG”) recently announced a settlement of its investigation into the privacy policy and advertising-related business practices of three popular health-based mobile applications. Each of the applications ostensibly allowed users to track their fitness and measure vital signs and other health indicators, as a method to promote healthy behavior.

What was the nature of the privacy-related practices that landed the health application operators in hot water?

The NY AG focused its investigation on both the app developers’ allegedly misleading advertising claims and their practices regarding the collection, use and sharing of personal information. Generally speaking, with respect to the app developers’ privacy practices, the NY AG investigation was concerned with sign-up processes that neither required users to consent to the applicable privacy policies nor asked them to agree to the collection of various forms of personal data generated through use of the applications (including age, gender, weight, heart rate, etc.). Additionally, the NY AG alleged that the developers did not disclose to users that the personal information that was collected from them and shared with third parties might not be afforded the protections required by the federal Health Insurance Portability and Accountability Act (“HIPAA”).

Furthermore, with respect to marketing practices, the NY AG investigation focused on alleged deceptive statements concerning the performance of the subject applications. Specifically, through their marketing, the application developers represented to users that the applications could turn smartphones into accurate heart rate monitors, without the requisite information and testing necessary to substantiate those marketing claims.

In accordance with the settlement, the app developers have agreed to pay $30,000 in penalties, to effect changes to their privacy practices that require that they obtain affirmative consent from consumers in order to collect, use and share personally identifying information, and to include in their marketing that the applications have not been approved by the U.S. Food and Drug Administration.

Changing Rules of the Road for Online Privacy and the Need for A Well-Drafted Privacy Policy

Given the current legal landscape concerning the collection, use and sharing of various forms of personally identifiable information, it makes good business and legal sense to craft a privacy policy that is not only well-suited to the needs of your business, but that also provides your customers/users with all the information that they require to make informed decisions regarding the disclosure of their personal information. Once in place, however, it is equally important to strictly adhere to the terms of your privacy policy. The privacy policy is a contract with customers. The failure to adhere to the terms included in your privacy policy could expose your business to significant liability, including regulatory action and private litigation.

The ongoing evolution of online and mobile privacy law warrants continued attention from Internet attorneys, technology attorneys and those interested in consumer privacy in general. If you are interested in learning more about this topic, or preparing an online or mobile privacy policy for your business, please e-mail us at info@kleinmoynihan.com or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.