Apps and gadgets that gather personal health information must tell users if their data is compromised or shared with third parties without their permission, according to the US Federal Trade Commission (FTC).
The FTC agreed on a new policy statement on Wednesday in a 3-2 decision to clarify the ten-year-old 2009 Health Breach Notification Rule, which requires organizations handling health records to tell consumers if their data is accessed without their permission, such as in the aftermath of a breach.
This has now been expanded to health applications and gadgets, with the FTC chair Lina Khan citing apps that track fertility data, exercise, and blood glucose as examples of apps that “too often fail to invest in proper privacy and data protection.”
“Digital apps are frequently caught playing fast and loose with user data, leaving users’ sensitive health information vulnerable to hacks and breaches,” Khan said in a statement, citing a study published this year in the British Medical Journal that found health apps have “serious problems” ranging from insecure data transmission to unauthorized data sharing with ad networks.
In recent years, there have also been a number of high-profile breaches involving health apps. Last year, a data breach occurred at Babylon Health, a U.K. AI chatbot and telehealth startup, when a “software error” allowed users to view other patients’ video consultations, and period tracking app Flo was recently discovered to be sharing users’ health data with third-party analytics and marketing services. Under the new rule, any company that collects personal health data through apps or connected fitness devices must notify customers if their data has been compromised.
The rule, however, does not limit a “data breach” to a cyber-attack: unauthorized access to personal data, including the sharing of information without consent, can also trigger notification responsibilities. “While this rule holds tech companies accountable for abusing our personal information, a more fundamental issue is the commodification of sensitive health data, where companies can use it to power behavioral ads or user analytics,” Khan said.
The FTC said it will “vigorously” pursue fines of $43,792 per violation per day if corporations do not comply with the rule. In recent weeks, the FTC has begun cracking down on privacy infractions. The agency unanimously voted earlier this month to bar spyware maker SpyFone and its CEO Scott Zuckerman from the surveillance industry for harvesting mobile data on thousands of people and posting it on the internet.