How the FTC Is Sharpening Its Health Data Privacy Focus

Former FTC Consumer Protection Bureau Leader Daniel Kaufman Discusses Top Concerns
Daniel Kaufman, former FTC attorney and current partner at BakerHostetler

With the Federal Trade Commission sharpening its attention on data brokers - especially those that collect health and geolocation data - any company that participates in those activities should review its practices, says Daniel Kaufman, former acting director of the FTC's Consumer Protection Bureau.

"The FTC is really focused on entities like data brokers that collect large amounts of sensitive information and [whether] consumers are aware of what's being collected and how it's being shared," he says.

Companies "need to be sensitive of the post-Dobbs issues of how geolocation is being used," he says, referring to the Supreme Court's decision in July to overturn Roe v. Wade.

"Look carefully at how you're getting information, what it's being used for," says Kaufman, an attorney at law firm BakerHostetler, in a video interview with Information Security Media Group.

There's an entire universe of health information not subject to HIPAA that is "in the FTC's sweet spot," he says.

Entities should assume that the FTC's rules and authority are going to be interpreted broadly, he warns: "Things that were the case 10 years ago are no longer the case. The FTC is changing course and becoming more aggressive."

At the same time, Kaufman says, data minimization issues are also very important. "Make sure you understand what you're sharing, and see if you can share less. Also, if you tell consumers their data is anonymized, make sure it's really anonymized."

In the video interview, Kaufman also discusses:

  • The significance of recent litigation between the FTC and data broker Kochava Inc., which the agency alleges is "unfairly" collecting and selling consumers' sensitive geolocation data;
  • The prospect of the FTC enforcing its never-yet-enforced, decade-old Health Data Breach Notification Rule following the agency's "reinterpretation" of the regulations last year (see: FTC: Health App, Device Makers Must Report Breaches);
  • Whether the FTC will become more "prescriptive" in its data security expectations for companies, especially in the wake of the agency's long-drawn-out litigation a few years ago against now-defunct Atlanta-based medical testing laboratory LabMD.

Kaufman joined national law firm BakerHostetler in Washington, D.C., as a partner in October 2021 after working at the FTC for nearly 25 years. Most recently, he was acting director of the FTC's Bureau of Consumer Protection. As deputy director of the bureau, Kaufman was involved in virtually every high-profile consumer protection and privacy case brought by the FTC in the past decade, including matters involving some of the largest technology and consumer products companies and matters involving startups and innovators.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
