On July 25, the FTC published a "baker's dozen" list of key takeaways from its recent enforcement actions relating to sensitive health data. This list is a must-read for companies that process sensitive health data as it summarizes the FTC’s expectations and enforcement priorities. We’ve further summarized the FTC’s positions and added our takes below.
Scope of Sensitive Health Data
- FTC position: Sensitive health data is very broad. It can include anything that conveys information or enables inferences about a consumer’s health.
- Our take: The FTC’s position is the new norm and aligns with state and industry compliance trends. For example, Washington’s My Health My Data Act broadly defines sensitive health data as information that identifies a consumer's past, present, or future physical or mental health status, including inferences. Sensitive health data is no longer limited to personal health information ("PHI") under HIPAA, and companies should carefully review their data sets to determine whether they constitute sensitive health data.
- FTC position: Sensitive health data requires protection through robust safeguards, including risk assessments and appropriate policies and procedures.
- Our take: The FTC’s position reaffirms well-established security requirements and aligns with state privacy laws that require risk assessments when processing sensitive health data. Companies should carefully review their safeguards for protecting sensitive health data, and conduct impact assessments as required.
Disclosing Sensitive Health Data
- Our take: Regulators across jurisdictions are very focused on the use of tracking technologies for marketing and advertising purposes. The various actions brought by the FTC this year regarding sensitive health data all involved the use of tracking technologies, and the California AG’s Office has issued warning letters and pursued legal action against companies relating to the use of tracking technologies. Under most state privacy laws, companies must clearly and conspicuously disclose their use of tracking technologies and collection of data, and offer consumers the ability to opt out of targeted advertising and sales. Sensitive health data has a heightened standard which generally requires consumers to provide opt-in consent. This standard is tough to meet when using tracking technologies (especially under Washington’s MHMD), and often effectively results in a prohibition on such collection. Even California arguably has an opt-in consent standard (under the CPRA Regs) for collecting sensitive health data through tracking technologies, since such a practice may otherwise violate the reasonable expectations of consumers. The plaintiffs’ bar has also been active in this area, bringing actions against companies for alleged violations of wiretapping laws and the VPPA. The one questionable aspect of the FTC’s position is the application of the Health Breach Notification Rule to tracking technologies; we expect such an application to be challenged at some point in the future.
Receiving Sensitive Health Data
- FTC position: Receiving sensitive health data from third parties that was disclosed without authorization could violate the law if the receiving party does not conduct adequate due diligence.
- Our take: The FTC’s position seemingly goes beyond its recent enforcement actions, which all focused on the discloser, not the recipient, of sensitive health data. It implies that the FTC may be actively investigating data brokers and third-party vendors, specifically in the ad tech space. Under some state privacy laws, data recipients can be held liable for privacy violations where they do not have specific language in their contracts or do not conduct adequate due diligence. Companies must carefully evaluate their data sources, especially if licensing data or using data clean rooms or similar services. If a vendor claims it received opt-in consent for the sharing of sensitive health data (including sensitive health data inferences), the receiving company should ask for examples as part of its due diligence, as it is likely the vendor is actually relying on an insufficient clickwrap for such sharing.
- FTC position: A company is responsible for all its data flows, no matter which departments are involved.
- Our take: Companies get into trouble when stakeholders have the autonomy to make decisions that impact privacy without legal oversight. Claiming one department did not know what another department was doing is not a defense. Companies should establish a data governance program, which involves a privacy lead and regular data mapping and review of tracking technologies, practices, and policies.
- FTC position: A company should not claim it is compliant with HIPAA, especially if the company is not actually covered by HIPAA or is not actually complying with HIPAA.
- Our take: This position is straightforward.
- FTC position: Clearly and conspicuously disclose all material facts about the use of sensitive health data (in particular relating to marketing and advertising), and don’t hide or omit material information.
- Our take: The FTC’s position aligns with state privacy laws and industry standards. Companies should carefully review and address the comprehensive disclosure requirements under various state privacy laws.
Biometric and Reproductive Data
- FTC position: Biometric data (including data relating to voice and genetic testing) and reproductive data (including data relating to women’s health) are particular areas of concern for the FTC.
- Our take: We’ve recently seen a lot of action relating to these types of data sets, and expect to see more in the coming months. Companies that process these types of data sets should carefully review additional relevant guidance issued by the FTC.
- FTC position: There are real stakes for privacy violations. Alleged violators have been subject to monetary penalties, data and algorithm deletion requirements, and complete bans relating to the use of sensitive health data for advertising purposes. Individuals may also be held personally liable for company practices.
- Our take: While monetary penalties may grab headlines, the injunctive remedies and potential personal liability generally have a bigger impact on companies. Companies can point to the recent FTC enforcement examples to help convince the C-suite to implement Privacy by Design. The FTC is aggressively enforcing alleged privacy violations (even technical ones), so now is a good time for companies to review their compliance.
"The privacy of health information is top of mind for consumers – and so it’s top of mind for the FTC. Companies collecting or using health data, listen up."