Health app developers must be vigilant about not only federal laws but state laws as well.
On March 23, New York Attorney General Eric T. Schneiderman announced a settlement with developers of three health-related applications (health apps) to resolve allegations concerning misleading and unsubstantiated claims as well as irresponsible privacy practices. Significantly, although two of the apps were fitness apps exempt from regulation by the Food and Drug Administration (FDA), the Office of the Attorney General of New York (NYOAG) nonetheless pursued the apps for alleged violations of New York’s Consumer Protection and False Advertising laws. Under the settlements, the three health app developers agreed to add new disclaimers, modify their claims, update their privacy policies, and pay a combined $30,000 in penalties.
Allegations Related to Marketing Claims
Two of the apps at issue—Cardiio and Runtastic—were marketed for heart rate monitoring, including claims that the apps could accurately measure and monitor a user’s heart rate using the camera lens and flashlight of a smartphone. Although FDA generally considers heart rate monitoring for fitness and exercise purposes to be exempt from FDA’s medical device requirements,[1] the NYOAG investigation alleged that the net impression of the marketing claims made by the app developers (Cardiio, Inc. and Runtastic GmbH) was that the apps would measure and monitor the user’s heart rate with the accuracy of a medical device.
In its Assurance of Discontinuance with Cardiio, Inc., the NYOAG further expressed concerns with the app’s “life expectancy” calculation, which was based in part on the user’s heart rate data. Similarly, the Assurance of Discontinuance with Runtastic GmbH cited specific claims that the Runtastic app could help users determine “how their cardiovascular system is doing under stress.” The inquiry also found that both apps had consumer reviews that indicated the apps were being used by consumers with serious medical conditions, and that the app developers either did not have any records substantiating their claims or did not provide sufficient evidence regarding the accuracy of such claims.
The third app—My Baby’s Beat—was developed and marketed by Matis Ltd., which claimed the app allowed a pregnant user to listen to the heartbeat of her fetus by holding a smartphone to her belly. The Assurance of Discontinuance with Matis Ltd. also lists claims stating that the app turned a user’s smartphone into a fetal heart monitor or fetal stethoscope, as well as promoting the app as a replacement for a home Doppler monitor (an FDA-regulated medical device). The NYOAG expressed concerns with these medical device claims and also concluded that the company did not have sufficient evidence substantiating that the app actually played or found fetal heart beats.
Privacy Concerns
The investigation also generated concerns about the three app developers’ privacy practices—finding that neither Cardiio nor Runtastic required users to expressly consent to a privacy policy, and that all three companies’ privacy policies had unclear, inconsistent, or incomplete statements about how users’ personal information may be collected and/or shared with third parties.
Takeaways
These recent settlements highlight that federal regulators, such as FDA and the Federal Trade Commission (FTC), are not the only regulators that may scrutinize health- or medical-related apps. Moreover, Attorney General Schneiderman has shown a willingness here to pursue apps beyond the scope of what federal regulators had previously targeted. For example, although the FTC has taken multiple actions against health-related apps in recent years, those actions have been limited to apps with specific medical claims (e.g., melanoma detection apps and apps to reduce/delay cognitive impairment associated with age and other serious health conditions). Similarly, FDA’s only publicized enforcement letter concerning a mobile app involved an app marketed for urinalysis testing.
Here, however, the NYOAG pursued two fitness apps with no specific claims related to diseases or other medical conditions—apps that the FDA and FTC likely would consider “low risk.” This willingness to pursue action for misleading and unsubstantiated claims in this context should put health app developers on notice. It remains to be seen, however, whether this type of action is a “one-off” or whether New York or other states will continue to scrutinize fitness and general wellness apps.
[1] See, e.g., FDA’s General Wellness: Policy for Low Risk Devices.