FTC Committed to Enforcing Laws Preventing the Illegal Use and Sharing of Location and Sensitive Health Data

The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict uses and disclosures of healthcare data by HIPAA-covered entities and business associates of those entities. When entities are not covered by HIPAA, privacy violations and illegal uses and disclosures of sensitive consumer data are policed by the Federal Trade Commission (FTC). The FTC recently announced in a blog post that it is fully committed to enforcing the law against illegal uses and sharing of highly sensitive data.

Some of the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health. Currently, those sensitive types of information are collected by fitness trackers, smartphone apps, browsers, and other connected software and devices. That information is then combined with other data, monetized, and sold to third parties, often without the knowledge of the individuals to whom the data relates.

“The conversation about technology tends to focus on benefits. But there is a behind-the-scenes irony that needs to be examined in the open: the extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers,” said Kristin Cohen, Acting Associate Director, FTC Division of Privacy & Identity Protection. “These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.”

Location data is collected by connected devices, even when those devices are not being used. That data can provide information about where individuals work, sleep, socialize, worship, and seek medical treatment. “While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online identity associated with the frequency of their visits to a therapist or cancer doctor,” said Cohen. “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it. After it’s collected from a consumer, data enters a vast and intricate sales floor frequented by numerous buyers, sellers, and sharers.”

Since the SCOTUS ruling that overturned Roe v. Wade, these data collection and sharing practices have faced even greater scrutiny due to the potential for the collection and misuse of location data and information related to personal reproductive matters, such as through the use of products that are used for reproductive cycle tracking, monitoring fertility, overseeing contraceptive use, and even for targeting women considering abortion.

In terms of the latter, Cohen explained that this is not just a theoretical risk. In 2017, Copley Advertising, LLC settled a case with the Massachusetts Attorney General over its use of geolocation technology to identify when people passed through a digital fence around a clinic offering abortion services. Those individuals were then served targeted advertisements offering alternatives to abortion. The FTC also recently settled a case with Flo Health over the sharing of the sensitive data of users of its period and fertility tracking app with Google and Facebook, when the company had told users that the information collected by the app would remain private and confidential.

Cohen explained that the misuse of location and any health data exposes consumers to significant harm, and can place consumers at risk of phishing attacks, extortion, physical and emotional injury, discrimination, stigma, mental anguish, and other significant harms. “The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” said Cohen. “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”

Cohen warned companies that collect sensitive consumer information to be aware that the information is protected under many federal and state laws, including laws enforced by the FTC such as the FTC Act, which prohibits unfair and deceptive trade practices. The FTC also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.

Companies that claim they anonymize or aggregate consumer data should be on guard that such claims could be considered a deceptive trade practice. If found to be untrue, those practices would be in violation of the FTC Act. Cohen said the FTC is cracking down on companies that misuse consumer data and has recently taken action against several companies for using location data without consent, improperly collecting and retaining sensitive data, and failing to respect consumer requests to delete sensitive data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.