On July 25, the FTC published a "baker's dozen" list of key takeaways from its recent enforcement actions relating to sensitive health data. This list is a must-read for companies that process sensitive health data as it summarizes the FTC’s expectations and enforcement priorities. We’ve further summarized the FTC’s positions and added our takes below.
Scope of Sensitive Health Data
- FTC position: Sensitive health data is very broad. It can include anything that conveys information or enables inferences about a consumer’s health.
- Our take: The FTC’s position is the new norm and aligns with state and industry compliance trends. For example, Washington’s My Health My Data Act broadly defines sensitive health data as information that identifies a consumer's past, present, or future physical or mental health status, including inferences. Sensitive health data is no longer limited to personal health information ("PHI") under HIPAA, and companies should carefully review their data sets to determine whether they constitute sensitive health data.
Protections
- FTC position: Sensitive health data requires protection through robust safeguards, including risk assessments and appropriate policies and procedures.
- Our take: The FTC’s position reaffirms well-established security requirements and aligns with state privacy laws that require risk assessments when processing sensitive health data. Companies should carefully review their safeguards for protecting sensitive health data, and conduct impact assessments as required.
Disclosing Sensitive Health Data
- FTC position: Collecting and disclosing sensitive health data through pixels, SDKs, or other tracking technologies for marketing or advertising purposes may be an unauthorized disclosure and violate the law (including the Health Breach Notification Rule) if the disclosing company fails to get affirmative express consent for the disclosure or breaches the promises in its privacy policy.
- Our take: Regulators across jurisdictions are very focused on the use of tracking technologies for marketing and advertising purposes. The various actions brought by the FTC this year regarding sensitive health data all involved the use of tracking technologies, and the California AG’s Office has issued warning letters and pursued legal action against companies relating to the use of tracking technologies. Under most state privacy laws, companies must clearly and conspicuously disclose their use of tracking technologies and collection of data, and offer consumers the ability to opt out of targeted advertising and sales. Sensitive health data is subject to a heightened standard that generally requires consumers to provide opt-in consent. This standard is tough to meet when using tracking technologies (especially under Washington’s MHMD), and often amounts to an effective prohibition on such collection. Even California arguably has an opt-in consent standard (under the CPRA Regs) for collecting sensitive health data through tracking technologies, since such a practice may otherwise violate the reasonable expectations of consumers. The plaintiffs’ bar has also been active in this area, bringing actions against companies for alleged violations of wiretapping law and the VPPA. The one questionable aspect of the FTC’s position is the application of the Health Breach Notification Rule to tracking technologies; we expect such an application to be challenged at some point in the future.
Receiving Sensitive Health Data
- FTC position: Receiving sensitive health data from third parties that was disclosed without authorization could violate the law if the receiving party does not conduct adequate due diligence.
- Our take: The FTC’s position seemingly goes beyond its recent enforcement actions, which all focused on the discloser, not the recipient, of sensitive health data. It implies that the FTC may be actively investigating data brokers and third-party vendors, specifically in the ad tech space. Under some state privacy laws, data recipients can be held liable for privacy violations where they do not have specific language in their contracts or do not conduct adequate due diligence. Companies must carefully evaluate their data sources, especially if licensing data or using data clean rooms or similar services. If a vendor claims it received opt-in consent for the sharing of sensitive health data (including sensitive health data inferences), the receiving company should ask for examples as part of its due diligence, as it is likely the vendor is actually relying on an insufficient clickwrap for such sharing.
Responsibility
- FTC position: A company is responsible for all its data flows, no matter which departments are involved.
- Our take: Companies get into trouble when stakeholders have the autonomy to make decisions that impact privacy without legal oversight. Claiming one department did not know what another department was doing is not a defense. Companies should establish a data governance program, which involves a privacy lead and regular data mapping and review of tracking technologies, practices, and policies.
HIPAA Representations
- FTC position: A company should not claim it is compliant with HIPAA, especially if the company is not actually covered by HIPAA or is not actually complying with HIPAA.
- Our take: This position is straightforward.
Changes to Privacy Policy
- FTC position: Updating a privacy policy to retroactively expand the types of third parties with whom a company may share sensitive health data requires prior notice and opt-in consent.
- Our take: This position is one of the most important listed by the FTC, and stems back to the Gateway Learning case from 2004. According to the FTC, when updating a privacy policy, a company must provide notice and obtain opt-in consent if it intends to change its practices concerning how it treats data previously collected. We have not seen this position enforced much over the years, and most companies choose to provide no choice or an opt-out right rather than an opt-in right when updating a privacy policy. Also, certain state privacy laws require opt-in consent for material changes. Companies must look closer at the requirements when updating their privacy policies, especially now that the FTC has indicated it intends to enforce this position.
Specific Disclosures
- FTC position: Clearly and conspicuously disclose all material facts about the use of sensitive health data (in particular relating to marketing and advertising), and don’t hide or omit material information.
- Our take: The FTC’s position aligns with state privacy laws and industry standards. Companies should carefully review and address the comprehensive disclosure requirements under various state privacy laws.
Biometric and Reproductive Data
- FTC position: Biometric data (including data relating to voice and genetic testing) and reproductive data (including data relating to women’s health) are particular areas of concern for the FTC.
- Our take: We’ve recently seen a lot of action relating to these types of data sets, and expect to see more in the coming months. Companies that process these types of data sets should carefully review additional relevant guidance issued by the FTC.
Enforcement
- FTC position: There are real stakes for privacy violations. Alleged violators have been subject to monetary penalties, data and algorithm deletion requirements, and complete bans relating to the use of sensitive health data for advertising purposes. Individuals may also be held personally liable for company practices.
- Our take: While monetary penalties may grab headlines, the injunctive penalties and potential personal liability generally have a bigger impact on companies. Companies can point to the recent FTC enforcement examples to help convince the C-suite to implement Privacy by Design. The FTC is aggressively enforcing alleged privacy violations (even technical ones), so now is a good time for companies to review their compliance.