Yesterday the Acting Associate Director of the Federal Trade Commission (“FTC”) Division of Privacy & Identity Protection posted a blog underscoring the agency’s “unprecedented” concerns about individuals’ personal privacy with connected devices. This announcement comes in the wake of an Executive Order from President Biden intended to address, among other issues, the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data and by digital surveillance related to reproductive healthcare services. As explained below, the FTC will continue to “vigorously” enforce laws protecting consumer privacy, including for violations involving location and health data.
I. Overview of Renewed Agency Focus
As the FTC explained: “Beyond location information generated automatically by consumers’ connected devices, millions of people also actively generate their own sensitive data, including by using apps to test their blood sugar, record their sleep patterns, monitor their blood pressure, or track their fitness, or sharing face and other biometric information to use app or device features. The potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers.”
This could include, according to the FTC, the potential for harm posed by data aggregators and brokers, which compile information from multiple sources and then sell access to it or analyses derived from it to marketers, researchers, and government actors. The FTC also expressed concern with a “particularly sensitive subset at the intersection of location and health,” information related to personal reproductive matters. This could include, for instance, products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion.
II. Prior Enforcement Activity Highlighted by FTC Concerning Location Tracking and Sharing of Health Data
The FTC’s blog noted that the concerns set forth above were not theoretical and had already been implicated by prior enforcement activity at the state and federal level.
Previously the Massachusetts Attorney General had reached a settlement in 2017 with a marketing company using location technology to identify individuals who crossed a “geofence” near healthcare facilities offering abortion services. The company used that data to send targeted phone ads with links to websites with information about abortion alternatives to women seated in the waiting rooms of the healthcare facilities. The settlement addressed allegations that the company’s practices violated Massachusetts consumer protection law.
And in 2021, the FTC reached a settlement with Flo Health Inc., which developed an ovulation-tracking app, to address concerns that the app “secretly collected” (i.e., without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers. This was so notwithstanding promises from the company that such information would be kept private.
III. FTC Roadmap for the Private Sector Going Forward
The FTC blog emphasized that “[t]he Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy”. The FTC warned that it will “vigorously enforce the law” if it uncovers illicit conduct that “exploits Americans’ location, health, or other sensitive data.” It listed the following core considerations for companies that deal with the collection of confidential consumer information, including information related to location and health data:
(1) Sensitive Data is Protected by Federal and State Laws: In addition to Section 5 of the FTC Act, which broadly prohibits unfair and deceptive trade practices, the FTC also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule. The FTC cautioned that it had “brought hundreds of cases to protect the security and privacy of consumers’ personal information,” which in some instances included significant monetary penalties.
(2) The FTC Views Claims That Data is “Anonymous” or “Has Been Anonymized” As “Often Deceptive”: Citing research demonstrating that “anonymized” data can often be re-identified, the FTC cautioned that “[f]irms making claims about anonymization should be on guard that these claims can be a deceptive trade practice and violate the FTC Act when untrue.”
(3) The FTC Will Bring Enforcement Actions Against Companies That Misuse Consumers’ Data: Additionally, citing recent enforcement actions, the blog cautioned that “the FTC does not tolerate companies that over-collect, indefinitely retain, or misuse consumer data.” This included, among others, the FTC’s recent action against WW International, Inc.—formerly known as Weight Watchers—over claims the company violated the Children’s Online Privacy Protection Act by collecting children’s personal information without providing notice or obtaining parental consent.
This development underscores that privacy and security will remain an FTC priority—particularly in light of recent rulings from the Supreme Court that have brought a renewed focus to healthcare privacy. For more on this, stay tuned. CPW will be there to keep you in the loop.