In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws.  However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA.  Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s privacy requirements should also be on your radar.

The means by which the FTC regulates privacy is the FTC Act, a consumer protection law that gives the FTC authority to go after “unfair or deceptive acts or practices” in or affecting commerce.  An unfair practice is a practice that is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The FTC is becoming more aggressive in its application of the FTC Act against mobile and information technology companies, wringing settlements from companies such as Google and Facebook, but also filing enforcement actions against smaller entities for data breaches and inappropriate privacy practices. In February 2013, for example, the FTC announced a settlement with Path, Inc. (“Path”), a social networking application available as an app. Path gave its users three options to search for additional friends to invite to join Path.  One of these options was to allow Path to browse through the users mobile device contacts; the others were to search Facebook, or to allow the user to send SMS messages to friends. No matter which option the user selected, Path searched through the user’s mobile contacts and stored the information, which included names, addresses, birthdays, etc., on Path’s servers.  By contrast, Path’s privacy policy stated that Path only collected its users’ IP addresses and assured users that Path protected their privacy. The FTC alleged that this discrepancy constituted an unfair and deceptive trade practice because Path’s users were not presented with any meaningful choice regarding how much information was collected and were deceived by the company’s practices which contradicted their privacy statement.

Also in February 2013, the FTC reached a settlement with HTC America, Inc. (“HTC”), a manufacturer of mobile phones.  The FTC alleged that HTC engaged in unfair security practices when the modification it made to the operating systems of its devices created security vulnerabilities. Specifically, HTC’s modifications allowed certain applications already on a user’s device to download other applications without the user’s consent. HTC also failed to deactivate the “debug” code on its devices, which meant that HTC devices could record and make logs of each user’s internet activity and make those logs available to HTC, or to any application on the user’s device with permission to read the logs.  Again, the FTC charged HTC with misleading representations because HTC’s user manuals and mobile device interfaces suggested that consumer data would not be disclosed to third parties without consumer permission.

Some insights on the FTC’s approach to privacy can be distilled from these two enforcement actions.  First, the FTC expects companies to provide users with meaningful choices in the amount of sensitive information that is shared with the company. Default settings should maximize privacy protections.  Second, the FTC appears to be taking the position that the FTC Act allows it to determine appropriate security standards for mobile devices, and that it expects companies to provide users with technically secure products.  Applications or devices that are unreasonably susceptible to unauthorized third-party manipulation could be considered unfair trade practices. Finally, and perhaps, most importantly, the FTC may consider a company’s failure to comply with its stated privacy policies as misrepresentation and a deceptive trade practice.

If you are an mhealth company with access to personal information, at a minimum you should have privacy and security policies in place and be taking steps to ensure that you are not engaging in activities that violate your own policies.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.