Developers of health apps should notify consumers about privacy breaches -- including unauthorized disclosures of their identifiable health information -- the Federal Trade Commission said Wednesday in a new policy statement.
The FTC voted 3-2 to approve the policy statement, with the two Republican commissioners dissenting.
Apps “are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” FTC Chair Lina Khan stated Wednesday. “Given the rising prevalence of these practices, it is critical that the FTC use its full set of tools to protect Americans.”
The policy statement specifically provides that app developers must notify consumers about more than “cybersecurity intrusions or nefarious behavior.”
“Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule,” the FTC stated.
The policy statement approved Wednesday extends the FTC's “Health Breach Notification Rule” -- which currently covers vendors of personal health records and their service providers -- to app developers.
Khan also signaled her intention to more broadly examine the way data, including health information, is used for commercial purposes.
“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” she stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
Commissioner Rebecca Kelly Slaughter suggested in a concurring statement that the agency will consider issuing new privacy rules.
“I look forward to the Commission taking more action to limit the unfair collection and use of data, especially through rulemaking,” Slaughter said. “We all know that too many digital services collect more data than they need, keep it way too long, share it far too widely and use it in problematic ways. The FTC must lead a market shift towards data minimalism.”
Commissioner Christine Wilson, who dissented, suggested the FTC was moving too quickly by issuing the statement without first seeking input from other agencies or the public.
“The policy statement significantly expands both the covered universe of entities and the circumstances under which the Commission will initiate enforcement,” she stated. “Given the novel and expansive interpretation of this Rule that the Commission announces today, and consistent with past practice, it would be prudent for the Commission to publish a Federal Register Notice announcing the modifications to the Rule.”