• by Wendy Davis  @wendyndavis, August 9, 2023

A Federal Trade Commission proposal to require online health services and app developers to notify consumers about unauthorized disclosures of identifiable health data could “severely hinder advertising,” the Association of National Advertisers contends.

The proposal “would frustrate rather than serve consumers by impeding their ability to access online messaging, including advertising of health-related products and services,” the advertising group writes in a comment filed with the agency on Tuesday.

The proposal, which would update the “Health Breach Notification Rule,” largely draws on a 2021 FTC policy statement regarding companies' obligations to inform consumers about privacy breaches.

The FTC said in that policy statement that privacy breaches were not limited to situations where hackers illegally obtained data, but could include any unauthorized disclosure of identifiable health information.

The 2021 statement also extended the requirements of the Health Breach Notification Rule to developers of mobile health-related apps.

The FTC's new proposed rules broadly characterize identifiable health-care data as information that identifies someone, or reasonably could be used to identify someone, and that relates to health conditions.

The potential data-breach regulations would apply to any online company or app that “provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”

The agency's proposal doesn't explicitly define “unauthorized disclosure,” but the Association of National Advertisers interprets the proposal as effectively requiring opt-in consent to share identifiable health data for ad purposes.

The organization writes that the FTC's proposal “would place unreasonable opt-in consent requirements” on companies that disclose identifiable health information, and “could severely hinder advertising by requiring consent before any ... identifiable health information could be disclosed for an advertising purpose.”

“Regulatory efforts to cabin or ban the use of a certain kind of data absent consumer consent can overburden consumers and unreasonably limit businesses from innovating and providing the products and services consumers desire,” the organization writes.

The self-regulatory group Network Advertising Initiative also weighed in on the potential update.

That organization said some of the proposed changes were consistent with its privacy code, which requires companies to obtain consumers' consent before collecting or using sensitive health data for advertising purposes.

But the Network Advertising Initiative opposed some of the FTC's proposed revisions, including one that could broaden the definition of health care provider to include sites that are “purely informational.”

“While services such as online menstrual cycle trackers and diet applications that collect and manage information such as calories, weight, and age seem to be clearly in scope of the Rule and reflect a modern interpretation of the term, the language proposed threatens to sweep entities such as purely informational health-related websites into the category of 'health care provider,'” the group wrote.

Some privacy advocates generally supported the FTC's proposal, but called for additional restrictions.

For instance, the Electronic Privacy Information Center urged the agency to say that collecting more identifiable health information than necessary is a “breach.”

“Because a reasonable consumer would not typically authorize a company to collect more data than is necessary to provide the product or service they are seeking, any collection in excess of that should be presumptively treated as an unauthorized acquisition,” the group writes.

“The most effective way to ensure that sensitive health information is not breached is to disincentivize the unnecessary collection of that information the first place and to incentivize its deletion once the data is no longer needed for the original purpose of collection,” the organization adds.

Consumer Reports separately urged the FTC to clarify that “device level information” -- such as pseudonymous mobile identifiers -- is identifiable health data, for purposes of the rule.

.