
FTC to Enforce Against Illegal Location, Health Data Privacy Practices

In a blog post, the FTC committed to enforcing against improper consumer location and health data privacy practices.

In a blog post, the US Federal Trade Commission (FTC) expressed its intentions to enforce against improper and illegal consumer location and health data privacy practices.

Written by Kristen Cohen, acting associate director of the FTC’s division of privacy and identity protection, the blog post reiterated that the FTC would not tolerate the misuse of consumer data for any purpose.

“The conversation about technology tends to focus on benefits. But there is a behind-the-scenes irony that needs to be examined in the open: the extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers,” the blog post explained.

“These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.”

Concerns surrounding data brokers and the improper use and sale of sensitive data surfaced even before the Supreme Court decided to overturn Roe v. Wade.

In May, 14 US Senators wrote letters to data brokers SafeGraph and Placer.ai asking them to stop selling the location data of people who visit abortion clinics, even citing instances of anti-abortion activists pushing anti-abortion advertisements to people while they were sitting in abortion clinics. In response, the two data brokers agreed to stop selling abortion location data.

In June, just days before the Supreme Court’s decision, US Senators also introduced the Health and Location Data Protection Act, which would ban data brokers from selling location and health data (with select exceptions for HIPAA-compliant activities, authorized disclosures, and protected First Amendment speech).

Since location data and health data not held by a HIPAA-covered entity are out of reach of HIPAA enforcers, much of the enforcement action in this space is in the hands of the FTC.

In late June, a group of Senators penned a letter to the FTC asking it to investigate Apple and Google’s “unfair and deceptive” data privacy practices regarding the collection and use of location data.

Additionally, President Biden’s recent executive order on reproductive health called on the FTC chair to “consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.”

President Biden also directed the HHS and FTC Secretaries, along with the Attorney General, to address fraudulent or deceptive online practices to protect access to accurate information about abortion care.

In the blog post, the FTC cited multiple cases that it settled in recent years with the intention of protecting consumer data privacy. For example, in January 2021, the FTC settled with fertility-tracking app Flo Health after alleging that the company shared sensitive health information with third parties such as Google and Facebook.

The FTC noted the dangers of location and health data misuse, including the idea that criminals could use the data to facilitate phishing scams, and that the exposure of health information may subject people to discrimination, stigma, or mental anguish.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” the blog post reiterated.

“We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

The post also provided topics for companies to consider as they think about the collection of consumer information. First, the FTC suggested that companies keep in mind that numerous state and federal laws govern the collection, use, and dissemination of sensitive consumer data.

The FTC actively enforces the Health Breach Notification Rule, the Children’s Online Privacy Protection Rule, and the Safeguards Rule.

In addition, the FTC noted that company claims that data has been “anonymized” are often deceptive, and that companies that make such claims should be aware that they could be in violation of the FTC Act if the claims prove untrue.

Lastly, the FTC reminded companies that it “does not tolerate companies that over-collect, indefinitely retain, or misuse consumer data.”
