FTC Makes Moves to Enhance Data Privacy Oversight
Includes Proposal to Expand Techs, Apps Under Health Breach Notification Regs
The Federal Trade Commission on Thursday made a few bold moves to ramp up its oversight of data privacy, including initiating an effort to codify sweeping changes to the Health Breach Notification Rule and releasing a policy statement warning of heightened scrutiny over the use of biometric information.
FTC leadership also indicated publicly that the commission will forge ahead with its privacy litigation against data analytics firm Kochava.
The proposed rule-making changes build on a 2021 policy statement that expanded the commission's interpretation of the breach notification rule. The policy statement attracted unanimous opposition from the two Republican commissioners, who accused their Democratic counterparts of going beyond the agency's statutory authority. Both Republican commissioners have since resigned, leaving the FTC with a majority of three Democratic commissioners.
Thursday's notice of proposed rule-making would enshrine changes from the policy statement including applicability of the health breach notification rule to health apps, fitness trackers and other consumer products.
When the FTC first issued its rule more than a decade ago, the regulations pertained to a narrower definition of "personal health records" not covered under HIPAA. The rule reflected short-lived Obama-era expectations that consumers would take advantage of the portability requirements of HIPAA to store medical data in personal digital records.
The rule went unenforced until earlier this year, when the agency used its expanded interpretation to fine discount prescription drug provider GoodRX $1.5 million (see: FTC Hits Firm With $1.5M Fine in Health Data-Sharing Case).
"As an outgrowth of the COVID-19 pandemic, consumers' use of health-related technologies has increased significantly," FTC Chair Lina Khan said during a public meeting Thursday shortly before the commission voted to publish the proposed rule-making. Once published in the Federal Register, the rule-making proposal will be open to public comment for 60 days.
"Companies these days are collecting, using and disposing of vast amounts of consumers' sensitive data. Consistent with the commission's priorities, we are committed to use every tool available to protect the American public from privacy harms - not just through longer privacy policies and more boxes to check, but through real guardrails on the use and abuse of people's sensitive information," Khan said.
The agency undertook a second health rule enforcement on Wednesday when the developer of fertility logging app Premom agreed it shouldn't share user information with advertisers (see: FTC Fines Fertility App Vendor, Bars It From Data Sharing).
Biometric Information
Commissioners also voted unanimously to issue a policy statement warning that the proliferating use of consumers' biometric information and related technologies, including those involving machine learning, raises "significant privacy and data security concerns" and the potential for bias and discrimination.
Commissioners directed the agency to ramp up its scrutiny in determining whether companies collecting and using biometric information, or marketing or using biometric technologies, are complying with prohibitions against unfair or deceptive practices.
"If you are making marketing claims about how accurate your technology is or how it isn't biased, you need proof of that. And not just proof from the laboratory where your cameras are high definition or your photos are of perfect quality," said Commissioner Alvaro Bedoya.
Kochava Case Forging Ahead
Khan also indicated that the FTC will forge ahead in its data privacy enforcement action against data analytics vendor Kochava.
An Idaho federal court on May 4 dismissed the agency's lawsuit against Kochava, a bid by the FTC to permanently stop the company from selling geolocation data collected from mobile devices (see: Court Dismisses FTC Complaint Against Data Broker Kochava).
The court also provided 30 days for the FTC to file an amended complaint with a strengthened argument against Kochava.
"This is really an important case for us at the commission," Khan said, adding that FTC attorneys who are leading the case "are all excited to see it move forward."