NY Deals with App Vendors Could Fuel More Privacy Actions
Legal Experts Say Other State AGs Could Join Privacy Fray
Recent settlements between New York State's attorney general and three mobile health application vendors over misleading privacy and marketing practices could potentially have ramifications for other developers, especially if other states follow New York's lead with their own related enforcement actions.
New York Attorney General Eric Schneiderman, in a March 23 statement, says the state's recent individual settlements with three vendors - Matis Ltd., Runtastic GmbH and Cardiio Inc. - that sold their mobile health apps online were the result of a year-long investigation by his office.
The settlements require each company "to amend deceptive statements about their apps and modify their privacy policies to better protect consumers, while also making clear that their apps are not medical devices and are not approved by the U.S. Food and Drug Administration," the AG's statement says.
'Single Most Interesting Case'
Privacy attorney Kirk Nahra of Wiley Rein LLP characterizes the New York State AG's settlements as "the single most interesting case we've had so far this year," pointing out that federal laws such as the Health Insurance Portability and Accountability Act don't cover mobile apps sold directly to consumers. Schneiderman relied on the New York State Executive Law, which prohibits "illegal and fraudulent acts" in conducting business, to pursue the three vendors.
The attorney general's investigation revealed that two developers - Runtastic and Cardiio - claimed that their apps accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third developer, Matis, claimed that its app transformed a smartphone into a fetal heart monitor and therefore could be used to play an unborn baby's heart rate, even though the app was not approved for fetal heart monitoring by the FDA.
"The three developers initially marketed these apps without possessing sufficient information to back up their marketing claims, but have since cooperated with the Office of the Attorney General to revise their advertising, consumer warnings and privacy practices," Schneiderman's statement says.
More States to Follow?
Privacy attorney Stephen Wu of the Silicon Valley Law Group predicts that more states could follow New York in taking on enforcement actions related to mobile app vendors' privacy practices, including requiring more transparency to consumers about the companies' data sharing activities.
"Some states are going to take on privacy more, especially now that there has been ... a pull-back by the federal government on privacy," Wu says, referring to Congress' recent vote to block implementation of an Obama-era Federal Communications Commission privacy rule (see FCC Privacy Rule a Presidential Signature Away From Being Axed).
That FCC rule would have required internet service providers to get customers' permission - or opt in - before their internet browsing, application use, email content and other personal data, such as health and financial information, could be sold to advertisers or other parties. President Trump is expected to sign the legislation allowing the dismantling of the FCC rule.
Wiley Rein's Nahra says the enforcement action by the New York attorney general shines a light "on a gap in HIPAA."
"These mobile apps aren't regulated by HIPAA because they're sold directly to consumers," he says. "The government went after these vendors for a combination of points - accuracy-related issues, privacy-related issues and other disclosures to consumers. There's all this non-HIPAA-regulated data that's being created through wearables and mobile apps, and things like that. During the Obama administration, there was an effort to start to flag these issues and start down the path of regulations for what's unregulated today."
Under the Trump administration, which has promised to roll back regulations, "obviously those efforts will stall for the foreseeable future," Nahra says. But the action by the New York attorney general is an early example of "a state jumping in and starting to fill in those gaps," he says.
A number of state attorneys general are becoming increasingly active in areas that have traditionally been filled by federal regulators, such as the Federal Trade Commission in its enforcement of data security-related issues under the FTC Act's prohibition on unfair or deceptive business practices.
"Some state consumer protection laws establish privacy rights or regulate business practices in ways that are as or more protective than federal law," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "A number of states allow for long-arm enforcement of their statutes against companies that do business in their jurisdictions or handle information of state residents."
Changing Privacy Practices
The three companies are paying a total of $30,000 to settle the cases, and have agreed to post "clear and prominent disclaimers informing consumers that the apps are not medical devices and are not approved by the FDA," the AG statement says.
Additionally, the developers agreed to make changes to their privacy practices. "The developers now require affirmative consent to their privacy policies for these apps and disclose that they collect and share information that may be personally identifying. This includes users' GPS location, unique device identifier and de-identified data that third parties may be able to use to re-identify specific users," Schneiderman says.
For instance, in its settlement with New York, Matis has agreed:
- To not misrepresent the extent to which it maintains the privacy or security of user information, including its collection or disclosure of any user information, and the extent to which it makes user information accessible to third parties;
- Prior to sharing any de-identified user information with third parties, Matis shall, in writing, request that such third parties not attempt to re-identify the information to any particular individual;
- At least bi-annually, to review its existing security policies and procedures designed to protect user information, and update such policies and procedures as necessary to maintain reasonable security.
AG Probed 20 Apps
Schneiderman's office says its investigation examined some 20 apps for which developers marketed the apps' ability to measure or analyze important health indicators such as heart rate, fetal heartbeat, blood pressure, moles and oxygen levels.
The attorney general's office says it contacted the developers to review how the companies created the apps, what tests were done during development and what evidence they had to support their marketing claims. Half of the companies did not respond, and others pulled their apps from the Apple App Store and Google Play following the AG's initial contact.
Schneiderman's office also says it has identified other apps that it considers misleading in ways similar to the ones involved in the settlements, and that it could take further action down the road.
The office says it recommends that all mobile health application developers make a concerted effort to employ non-misleading marketing practices and protect the privacy of their consumers.