On August 28, a bipartisan contingent of U.S. Senators sent a letter (the “Letter”) to the Federal Trade Commission (“FTC”) requesting an investigation and agency guidance into the allegedly deceptive practices of the digital health mobile application, Premom.1 The Letter seeks the FTC’s guidance pertaining to Premom’s consumer data collection and sharing practices. The FTC’s anticipated response could impact digital health companies and other digital technology companies.
According to a letter from watchdog organization International Digital Accountability Council (“IDAC”) referenced in the Letter, non-resettable hardware identifiers are personally identifiable information “because they are tied to a user’s device and it is almost impossible for a user to reset them or erase their digital footprint, thereby allowing companies with this information to infer who the individual users are.”4 The Letter asks the FTC to examine whether Premom’s alleged conduct violated Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”5 Chiefly, the FTC is faced with the question of whether it considers non-resettable device hardware identifiers to be “personally identifiable information,” subject to consumer privacy protections.6
While there remains some uncertainty in the sphere of consumer data collection, digital health companies can take the following steps to avoid inadvertent noncompliance with the FTC Act:
- Update privacy policies to accurately and consistently reflect data collection and sharing practices across all platforms, and regularly review privacy policies to ensure they account for any changes in the company’s operations.
- Ensure users are provided with notice any time their data is being collected, and particularly when it is being shared with third parties in any identifiable (whether on the consumer level or device level) form.
- Provide options for users to opt-out of or revoke consent for sharing personal data (which may include non-resettable hardware identifiers).