On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order)[1] with Easy Healthcare Corporation, which operates the Premom fertility tracking app (Premom). The FTC alleges Premom misrepresented its data sharing practices to consumers and failed to provide notice to users when it shared their health information without their consent.[2]
This is the second enforcement action that the FTC has brought under its broad interpretation of the Health Breach Notification Rule (HBNR), following its first HBNR enforcement action in February against GoodRx. The close proximity between these two enforcement actions, combined with the FTC’s Notice of Proposed Rulemaking modifying the HBNR (NPRM) last week, indicates the FTC’s continued interest in regulating digital health privacy.
The Complaint
The FTC complaint (Complaint) charged Premom with eight different counts: three counts of affirmative deceptive representations, two counts of deception by omission, two counts of unfairness, and one count of violating the HBNR.
Deception
According to the Complaint, Premom made deceptive statements in its privacy policy, including statements that: 1) Premom would not share health information with third parties without users’ knowledge or consent; 2) Premom would only collect and use nonidentifiable user information; and 3) Premom would use personally identifiable information solely for its own analytics or advertising purposes. Despite those representations, the Complaint alleges, Premom did indeed share users’ identifiable information, including users’ identifiable health information, with third parties.
Unfairness
To support its unfairness counts, the FTC alleged that consumers suffered actual and increased risks of harm in three ways: 1) Premom sent sensitive user information to third parties outside the U.S. (analytics companies headquartered in China) without adequate encryption, thereby subjecting that information to potential interception or seizure by bad actors and foreign governments; 2) Premom sent users’ nonresettable device identifiers and identifiable information to third parties for advertising purposes without users’ knowledge or consent, thereby enabling third parties to track users in a way that circumvented operating system privacy controls; and 3) Premom’s disclosure of custom app events conveying sensitive health information without user authorization was likely to cause users stigma, embarrassment, or emotional distress, and may also affect their ability to obtain or retain employment, housing, health insurance, disability insurance, or other services. The FTC’s complaint did not, however, allege any specific facts to support that these harms had actually occurred or were likely to occur.
Health Breach Notification Rule
The Complaint summarily concluded that Premom is a “vendor of personal health records” under the HBNR because it collects and receives identifiable health information from multiple sources. Specifically, the Complaint stated that users were able to input health information into the Premom app and were able to import their health data from Bluetooth thermometers or third-party apps. The FTC then alleged that Premom disclosed this identifiable health information without users’ consent and that such disclosures therefore constituted a breach of unsecured health information under the HBNR.
As noted above, this is the second time that the FTC has charged an app developer (or any other type of entity, for that matter) with a violation of the HBNR, despite the lack of statutory authority (or even of a final rule) that would bring app developers under the scope of the HBNR. As we have discussed in more detail in other articles, the FTC’s broad interpretation and enforcement of the HBNR represents an unauthorized expansion of FTC authority.
The Stipulated Order
Under the proposed order, Premom would be required to, among other things:
- permanently cease the sharing of health information with third parties for advertising purposes;
- obtain users’ affirmative express consent prior to sharing user health information with third parties for a non-advertising purpose;
- provide sufficient notice to the media, the FTC, and each user whose unsecured individually identifiable health information was acquired by an unauthorized third party in accordance with the HBNR;
- require the third parties that obtained user health information from Premom to delete the information;
- implement a comprehensive privacy program that protects the privacy, security, and confidentiality of users’ personal information, including their health information;
- establish, document, and adhere to a data retention schedule that is publicly available with details about the information Premom collects and why such collection is necessary; and
- obtain an initial and biannual privacy assessment conducted by an independent, third-party professional that must be approved by the FTC.
Key Observations
The requirements of the stipulated order are strikingly similar to the requirements imposed under the BetterHelp and GoodRx orders, indicating that the FTC is likely to take a similar approach to orders in any future health information privacy cases. Nevertheless, there are also some parts of the Complaint and order that are unique and provide insight into how the FTC is approaching the disclosure of consumer information more generally.
- Classifying precise geolocation data and resettable identifiers as identifiable information. The FTC is taking an increasingly broad approach to what constitutes identifiable information. In the Complaint, the FTC argued that third parties can use device identifiers coupled with location signals to identify particular individuals and that this information reveals sensitive information about consumers.
- Expressing concerns about transferring data outside the U.S. In the Complaint, the FTC emphasized that Premom was transferring information to companies with servers outside the United States (in this case, Chinese analytics companies) and argued that the inadequate security measures used by these companies exposed the information to potential acquisition by foreign governments or other bad actors. We have not seen this type of allegation in prior FTC cases.
- Continuing to incorporate data security requirements into health privacy cases. As discussed in our client alert on the BetterHelp settlement, the FTC’s recent health privacy cases have established a broader definition of “breach” and are imposing reporting requirements on digital health companies regardless of whether a conventional security breach has occurred. Instead, the FTC is interpreting the HBNR to claim that a breach has occurred whenever health information is disclosed without user consent.
- Imposing limitations beyond consumer consent. By imposing a blanket prohibition on the disclosure of health information to third parties for advertising purposes, the FTC is reinforcing the notion that consumer consent may no longer be a sufficient basis on which companies can justify the collection and use of sensitive information in certain circumstances.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Maneesha Mithal, Tracy Shapiro, Haley Bavasi, Eddie Holman, Hale Melnick, and Laura Ahmed, or any member of the firm’s privacy and cybersecurity practice.
[1] The FTC commissioners unanimously voted to refer the complaint and stipulated final order to the U.S. Department of Justice for filing. The final order must be approved by the federal court to go into effect.
[2] Premom also agreed to a settlement with the attorneys general for Washington, D.C., Connecticut, and Oregon based on related conduct. Premom will be required to pay another $100,000 under that settlement, which includes injunctive provisions similar to those included in the FTC’s proposed order.