
A Federal Trade Commission proposal to require online health
services and app developers to notify consumers about unauthorized disclosures of identifiable health data could “severely hinder advertising,” the Association of National Advertisers
contends.
The proposal “would
frustrate rather than serve consumers by impeding their ability to access online messaging, including advertising of health-related products and services,” the advertising group writes in a
comment filed with the agency on Tuesday.
The proposal, which would update the “Health Breach Notification Rule,” largely draws on a 2021 FTC policy statement regarding companies'
obligations to inform consumers about privacy breaches.
The FTC said in that policy statement that privacy breaches were not limited to situations where hackers illegally obtained data, but
could include any unauthorized disclosure of identifiable health information.
The 2021 statement also extended the requirements of the Health Breach Notification Rule to developers of mobile
health-related apps.
The FTC's new proposed rules broadly characterize identifiable health-care data as information that identifies someone, or reasonably could be used to identify someone,
and that relates to health conditions.
The potential data-breach regulations would apply to any online company or app that “provides mechanisms to track diseases, health conditions,
diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides
other health-related services or tools.”
The agency's proposal doesn't explicitly define “unauthorized disclosure,” but the Association of National Advertisers
interprets the proposal as effectively requiring opt-in consent to share identifiable health data for ad purposes.
The organization writes that the FTC's proposal “would place
unreasonable opt-in consent requirements” on companies that disclose identifiable health information, and “could severely hinder advertising by requiring consent before any ...
identifiable health information could be disclosed for an advertising purpose.”
“Regulatory efforts to cabin or ban the use of a certain kind of data absent consumer consent can
overburden consumers and unreasonably limit businesses from innovating and providing the products and services consumers desire,” the organization writes.
The self-regulatory group
Network Advertising Initiative also weighed in on the potential update.
That organization said some of the proposed changes were consistent with its privacy code, which requires companies to
obtain consumers' consent before collecting or using sensitive health data for advertising purposes.
But the Network Advertising Initiative opposed some of the FTC's proposed revisions,
including one that could broaden the definition of health care provider to include sites that are “purely informational.”
“While services such as online menstrual cycle
trackers and diet applications that collect and manage information such as calories, weight, and age seem to be clearly in scope of the Rule and reflect a modern interpretation of the term, the
language proposed threatens to sweep entities such as purely informational health-related websites into the category of 'health care provider,'” the group wrote.
Some privacy advocates
generally supported the FTC's proposal, but called for additional restrictions.
For instance, the Electronic Privacy Information Center urged the agency to say that collecting more
identifiable health information than necessary is a “breach.”
“Because a reasonable consumer would not typically authorize a company to collect more data than is necessary to
provide the product or service they are seeking, any collection in excess of that should be presumptively treated as an unauthorized acquisition,” the group writes.
“The most
effective way to ensure that sensitive health information is not breached is to disincentivize the unnecessary collection of that information the first place and to incentivize its deletion once the
data is no longer needed for the original purpose of collection,” the organization adds.
Consumer Reports separately urged the FTC to clarify that “device level information”
-- such as pseudonymous mobile identifiers -- is identifiable health data, for purposes of the rule.