The Next Post They Write Might Be About You: The FTC’s Business Blog Calls Out Health Data Practices That Can Violate Section 5
In another example of the agency’s practice of regulation by blog, the FTC published last week a Business Blog Post about protecting consumer health information. The post, which summarizes key points from several recent enforcement cases such as BetterHelp and GoodRx, is notable because it also calls out several practices that weren’t directly at issue in those cases, but that the agency says can be unfair or deceptive under Section 5 of the FTC Act.
Rules We Already Knew
The FTC’s post distills and emphasizes rules that were announced in previous cases and confirms that the agency intends to continue to flex its enforcement muscle against companies that break those rules. To that end, the post emphasizes that:
- Collecting and using health information for advertising purposes, especially through third-party pixels on websites and SDKs in mobile apps, without affirmative express consent violates Section 5 (a point made most recently in joint letters the FTC and HHS’ Office for Civil Rights sent to some 130 hospitals and telehealth providers about online tracking technologies).
- The agency takes a broad view of what constitutes “health information,” and interprets that term to include the mere fact that a consumer is using a particular health-related app or website, as well as location data that can reveal a consumer seeking or using healthcare services.
- Unauthorized disclosures of health information for advertising and marketing practices can require notification of consumers under the FTC’s Health Breach Notification Rule.
- Displaying HIPAA “seals” or “certifications” violates Section 5 if they falsely suggest that a company is covered by or complies with HIPAA, or imply “some government imprimatur that doesn’t exist.”
Other Consumer Health Information Practices that, according to the FTC, Violate Section 5
The FTC’s post goes beyond the conduct at issue in previous cases and discusses several other acts and practices involving consumer health information that the agency believes can violate Section 5.
Receiving Improperly Disclosed Consumer Health Information
The post opines that recipients of improperly disclosed consumer health information can face liability under Section 5, along with the senders of the information. To that end, the FTC’s post states, somewhat cryptically and as an “example,” that companies that “receive information from other companies for advertising or marketing purposes” are required under Section 5 to “take steps (such as procedural and technical measures) to ensure [they] don’t engage in unauthorized receipt, use, or onward disclosure of sensitive information.” The post adds that these recipients can’t simply rely on contractual terms that prohibit senders from sharing sensitive information to avoid liability.
These statements seem directed toward companies like Meta, whose terms prohibit websites and apps that use its tools from sharing sensitive information with the company, but which, it has been reported, regularly receives consumer health information from health care providers whose websites use its tracking pixel. Their logic, however, could extend to all manner of companies that receive and process data on their customers’ behalf.
Using “Euphemisms” in “Dense Privacy Policies” to Describe Uses and Disclosures of Consumer Health Information
The post also takes on companies that “hide key terms about data practices in dense privacy policies or terms of service filled with ambiguous language that cloaks how they really use consumers’ health information.” In that regard, the FTC claims, “too many companies make enigmatic references in privacy policies to the ‘disclosure of information about the use of the services.’” Instead of those references, the post opines, companies that use consumer health information for advertising must:
lay[ ] their cards on the table by saying prominently (think front-and-center on the home page) “We share your health information with third-party advertising companies so that we can target you with ads.”
(emphasis added). That level of clarity and conspicuousness is required, the post explains, for a company to validly obtain affirmative express consent for disclosing consumer health information for marketing and advertising.
Providing HIPAA Seals and Certifications to Other Businesses
After calling out companies that display HIPAA seals and certifications, the post targets companies that provide certifications and seals about HIPAA compliance to other businesses. Noting that the FTC has brought actions under Section 5 against sellers of “green” seals and certifications that weren’t backed up by appropriate evidence, the post applies the same logic to companies that provide HIPAA-related seals and certifications. The post thus concludes that both the purported certifier and the user of the HIPAA seal or certification can face FTC enforcement actions for making deceptive representations that violate Section 5.
Not Making Technical Staff Communicate with Compliance Staff About Tracking Technologies That Could Share Consumer Health Information
Finally, the FTC’s post focuses on a common cause of improper consumer health information sharing: technical staff using third-party pixels or software development kits without advising the company’s compliance staff. Companies targeted for enforcement based on their use of tracking technologies, the post says, sometimes rely on that disconnect as a defense. According to the FTC, however, that disconnect is no defense: compliance requires understanding all data flows, “regardless of which department or staff is in charge of the data.”
The FTC thus expects companies to implement policies and procedures that require pre-deployment legal or compliance review of any tracking technologies and that otherwise ensure the left hand knows what the right hand is doing when it comes to uses and disclosures of consumer health information.
* * * *
The FTC’s post makes clear that the agency will continue to prioritize protecting consumer health data, and will take an expansive view of the acts and practices in that realm that are “unfair” or “deceptive” under Section 5. If you would like help reviewing your current practices or future initiatives against this latest guidance, please contact any member of the Wyrick Robbins Privacy and Data Security Team.