In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws. However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which, depending on how they function and collect personal information, may not be regulated by HIPAA. Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s privacy requirements should also be on your radar.
The means by which the FTC regulates privacy is the FTC Act, a consumer protection law that gives the FTC authority to go after “unfair or deceptive acts or practices” in or affecting commerce. An unfair practice is a practice that is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The FTC is becoming more aggressive in its application of the FTC Act against mobile and information technology companies, wringing settlements from companies such as Google and Facebook, but also filing enforcement actions against smaller entities for data breaches and inappropriate privacy practices. In February 2013, for example, the FTC announced a settlement with Path, Inc. (“Path”), a social networking service available as a mobile app. Path gave its users three options to search for additional friends to invite to join Path. One of these options was to allow Path to browse through the user’s mobile device contacts; the others were to search Facebook, or to allow the user to send SMS messages to friends. No matter which option the user selected, Path searched through the user’s mobile contacts and stored the information, which included names, addresses, birthdays, etc., on Path’s servers. By contrast, Path’s privacy policy stated that Path only collected its users’ IP addresses and assured users that Path protected their privacy. The FTC alleged that this discrepancy constituted an unfair and deceptive trade practice because Path’s users were not presented with any meaningful choice regarding how much information was collected and were deceived by the company’s practices, which contradicted its privacy statement.
Also in February 2013, the FTC reached a settlement with HTC America, Inc. (“HTC”), a manufacturer of mobile phones. The FTC alleged that HTC engaged in unfair security practices when the modifications it made to the operating systems of its devices created security vulnerabilities. Specifically, HTC’s modifications allowed certain applications already on a user’s device to download other applications without the user’s consent. HTC also failed to deactivate the “debug” code on its devices, which meant that HTC devices could record and make logs of each user’s internet activity and make those logs available to HTC, or to any application on the user’s device with permission to read the logs. Again, the FTC charged HTC with misleading representations because HTC’s user manuals and mobile device interfaces suggested that consumer data would not be disclosed to third parties without consumer permission.
Some insights on the FTC’s approach to privacy can be distilled from these two enforcement actions. First, the FTC expects companies to provide users with meaningful choices about the amount of sensitive information that is shared with the company. Default settings should maximize privacy protections. Second, the FTC appears to be taking the position that the FTC Act allows it to determine appropriate security standards for mobile devices, and that it expects companies to provide users with technically secure products. Applications or devices that are unreasonably susceptible to unauthorized third-party manipulation could be considered unfair trade practices. Finally, and perhaps most importantly, the FTC may consider a company’s failure to comply with its stated privacy policies as a misrepresentation and a deceptive trade practice.
If you are an mHealth company with access to personal information, at a minimum you should have privacy and security policies in place and be taking steps to ensure that you are not engaging in activities that violate your own policies.