Commentary

FTC Health Privacy Regulations Could Address Dark Patterns, Universal Opt-Out Tool

The Federal Trade Commission is currently considering new rules that would require health-related websites and mobile apps to notify consumers if their identifiable health information was disclosed without “authorization.”

The agency's proposed rules don't define authorization, but the FTC has indicated it will go beyond looking at whether consumers technically consented to data sharing, and will instead examine whether companies duped consumers into agreeing to the disclosures. 

“We’ve seen ... how businesses can and do use dark patterns to trick consumers into 'consent,'” she stated. “People also often feel like they don’t have any meaningful choice -- either because they already feel locked in to using the service or because the service is too critical.”

The FTC's proposal drew more than 100 comments from a variety of organizations, including privacy advocates, ad groups like the Association of National Advertisers, and others, including browser developer Mozilla.

That company, which has long built anti-tracking features into Firefox, urged the agency both to define “authorization” and to explicitly ban interfaces that dupe people into consenting to data sharing.

“The best way for the Commission to protect consumers ... would be to clarify what it means by authorization,” Mozilla wrote.

“Deceptive designs create a facade of consent that clearly violates ... the FTC Act. They should therefore be clearly prohibited in any statute or regulation defining consent or authorization for data collection,” the company added.

Mozilla also urged the FTC to prohibit health-related apps and websites from sharing identifiable health data of users who attempt to preserve their privacy through tools like the “Global Privacy Control,” which effectively function like a do-not-track command.

The Global Privacy Control -- developed by privacy experts -- is available on some browsers including Mozilla's Firefox, and as a downloadable browser extension.

The control, like the older “do-not-track” setting, aims to enable consumers to opt out of online data collection once and for all by transmitting a do-not-share-my-data signal to every website they visit.

“Browser-based signals are particularly important ... where individuals are likely to want to make a simple and clear decision about the sharing of their health data,” Mozilla wrote.

“This method of expressing consent preferences is gaining significant legislative and regulatory momentum because browser-based signals are much more consumer-friendly than a barrage of cookie banners,” the company added.

In the last several years, five states -- California, Colorado, Connecticut, Montana and Texas -- have passed laws or regulations that require some online companies to honor those signals.
