The Dobbs v. Jackson Ladies’s Well being Supreme Courtroom resolution has raised the stakes for privateness protections of well being information within the U.S. By the top of the yr, the femtech market — that’s, digital instruments resembling cell functions associated to girls’s well being — is estimated to be a $51.6 billion world market, greater than a 3rd of the whole valuation of digital well being. Whereas the repercussions of gaps in U.S. digital well being information protections prolong nicely past girls’s well being, the post-Dobbs privateness considerations within the femtech market spotlight the complexities of at this time’s well being privateness protections and the advert tech ecosystem.
The U.S. Federal Commerce Fee lately reiterated the company will “vigorously implement the legislation if we uncover unlawful conduct that exploits People’ location, well being, or different delicate information.” This raises the significance for corporations and privateness professionals to know the shifted regulatory and enforcement panorama and the way policymakers are fascinated about potential future legal guidelines and company guidelines.
Well being-relevant information obligations in complete state privateness legal guidelines
The Well being Insurance coverage Portability and Accountability Act, adopted in 1996, protects digital well being information that’s generated, saved and transmitted solely by delineated coated entities, which embrace well being plans, well being care clearing homes, and well being care suppliers in addition to their enterprise associates. The 2009 Well being Info Know-how for Financial and Scientific Well being Act, which up to date sure provisions of HIPAA to align with evolving know-how, continued the legislation’s concentrate on the regulation of medical digital information.
These legal guidelines don’t tackle well being information created outdoors of a medical context, making a hole in digital well being privateness protections that has continued to broaden with the expansion of cell well being apps and different applied sciences. Thus, HIPAA does not apply to a broader class of health-relevant information that’s generated and/or saved by people of their private gadgets and cell apps or created through wearable health monitoring gadgets. Likewise, delicate info resembling geolocation information and search/buy on-line historical past that’s collected and offered is essentially unprotected by federal legal guidelines.
California, Colorado, Connecticut, Virginia, and Utah have began to handle this hole of their complete privateness legal guidelines. These legal guidelines have a HIPAA information exemption, so protected well being info that’s clinically generated could not must adjust to the necessities of the brand new state privateness obligations. Nonetheless, different health-relevant information not below HIPAA is topic to the state protections and the necessities to adjust to particular person information rights to entry, right, delete, and decide out from the gathering and/or sale of private information established within the 5 complete information privateness legal guidelines.
A key definition in every legislation is what health-relevant info is taken into account “delicate private information” that’s topic to stricter necessities. These necessities intention to mitigate the danger of re-identification and dangerous profiling that’s attainable by way of aggregated and publicly-available private information. Whereas some delicate information classes are widespread throughout the 5 state legal guidelines, there are some slight variations in whether or not geolocation and details about a person’s intercourse life are thought-about delicate information factors, as illustrated within the desk beneath:
Every state’s heightened protections for delicate information additionally differ. The CPRA has probably the most expansive definition for delicate information and establishes an opt-out scheme for the processing of that information. In the meantime, the Colorado, Connecticut and Virginia privateness legal guidelines comprise extra restricted definitions however require consent earlier than an information controller can course of delicate information. Utah’s protections replicate each approaches by having a extra restricted definition of delicate information however comply with an opt-out scheme much like California’s course of the place the information controller should “current the buyer with clear discover and a chance to decide out of processing” fairly than get hold of consent.
State protections past complete laws
Along with complete information privateness laws, health-relevant privateness protections will be present in some state constitutions and sector-specific legal guidelines.
First, two states — Missouri and Michigan — handed amendments to their state constitutions that present particular protections and necessities for searches and seizures of digital communications and information. These amendments and the U.S. Supreme Courtroom ruling in Riley v. California, which established a warrant requirement for police searches of cellphones, took on new that means after Roe v. Wade was overturned. Professional-choice advocates anxious in regards to the attainable criminalization of girls looking for abortion and different contraceptive companies. These constitutional provisions could present a foundation for future authorized challenges to legislation enforcement’s present warrantless entry to information from third-party brokers to collect doubtlessly incriminating proof held in cell gadgets and digital communications.
Second, some states are constructing privateness safety schemes in additional focused methods by way of laws like information dealer privateness legal guidelines. For instance:
- California’s legislation establishes an information dealer registration.
- Nevada mandates shoppers have the choice to decide their private information out of gross sales to 3rd events.
- Vermont requires information brokers register with the secretary of state and uphold a “obligation to guard personally identifiable info,” which incorporates biometric and genetic info and data from wellness applications and well being professionals.
Third, the rising recognition and potential enforcement of worldwide privateness controls and common opt-out requests may influence the gathering, retention and sale of health-relevant information through cell apps. In statements in regards to the settlement with Sephora for its alleged CCPA violation, California Lawyer Basic Rob Bonta clarified the statute requires that companies honor user-enabled world privateness controls. Equally, the Colorado Privateness Act requires the state legal professional basic to develop rules for a way companies ought to reply to common opt-out requests by July 1, 2024.
Lastly, California additionally enforces extra health-relevant privateness protections by way of its Genetic Info Privateness Act, which protects info collected by way of shopper genetic testing kits, and the Confidentiality of Medical Info Act. Though the textual content within the CMIA extends privateness obligations to “a supplier of well being care, well being care service plan, or contractor,” Bonta has asserted that the legislation also can apply to some cell apps that use info supposed for use within the administration of a well being situation or derived from well being care suppliers.
The state’s settlement with Glow, as defined beneath, demonstrates this software. Notably, state legislators in California additionally launched AB 1436 final yr, which might prolong CMIA protections for well being information in direct-to-consumer applied sciences without having a direct nexus to a well being care supplier or particular well being situation. The proposed laws handed out of the state meeting however is at the moment held below submission within the senate.
State legal professional’s basic enforcement actions towards cell app builders and advert tech corporations
The state legal guidelines and rules for health-relevant information described above could now be enforced by state legal professional’s basic across the nation.
In 2020, California’s legal professional basic sued Glow, a know-how firm that developed and operated a fertility-tracking cell app, for violating the CMIA and two different legal guidelines. Glow was topic to the CMIA’s heightened confidentiality and safety necessities as a result of it provided “software program to shoppers … designed to take care of medical info for the needs of permitting its customers to handle their info or for the prognosis, remedy, or administration of a medical situation.”
California alleged that Glow did not adjust to the CMIA resulting from its password-change course of vulnerabilities and a characteristic that allowed customers to share their well being information with one other particular person with out first correctly authenticating the second particular person. The settlement included a $250,000 civil penalty and injunctive phrases requiring the tech firm to put in extra privateness and safety measures, resembling acquiring affirmative consent earlier than disclosure to 3rd events, implementing worker coaching, and conducting an evaluation on how weak privateness and safety practices uniquely influence girls.
State attorneys basic have additionally enforced state shopper safety legal guidelines to guard health-relevant information. In 2017, the Massachusetts legal professional basic reached a settlement with advertising and marketing firm Copley Promoting, preempting its use of geo-fencing know-how to observe shoppers getting into reproductive well being clinics after which promote that information to third-party advertisers like being pregnant counseling organizations. Then, in 2020, Vermont sued Clearview AI for its data-scraping practices that used shoppers’ photographs on-line to develop facial recognition know-how with out their consent. The litigation continues to be ongoing.
The FTC’s bolstered enforcement efforts to guard health-relevant information
Alongside this exercise within the states, enforcement actions towards well being information app corporations and information brokers have been growing even sooner on the federal stage. In its criticism final yr towards Flo Well being and its fertility monitoring cell app, the FTC alleged that Flo violated Part 5(a) of the FTC Act for “unfair or misleading acts or practices affecting commerce” by way of its misrepresentations about shoppers’ privateness. The Fee charged that Flo’s disclosure of person information — together with on customers’ menstrual cycles, intention to get pregnant, and place of residence — to 3rd events with out person consent contradicted its privateness insurance policies. These insurance policies assured customers that:
- The app didn’t share information with third events.
- Information would solely be used for particular functions.
- The app would solely use non-personally identifiable info and tags.
The ultimate settlement required Flo Well being to stop the misrepresentations, get hold of affirmative consent from customers for its data-sharing practices, and procure an impartial assessment of its privateness practices.
Earlier this yr, the U.S. Division of Justice, on behalf of the FTC, took motion towards WW Worldwide, the corporate higher often called Weight Watchers, and a subsidiary for violating the Youngsters’s On-line Privateness Safety Act Rule. The criticism alleged the corporate didn’t present satisfactory discover in regards to the info it collected by way of its web site and app, didn’t take measures to stop kids below 13 from signing up with out parental consent, and retained kids’s well being info indefinitely until expressly requested by a father or mother — a transparent violation of COPPA. The settlement required WW Worldwide to delete all illegally collected kids’s well being information, delete work product algorithms created utilizing that information, and pay a $1.5 million tremendous for the violations.
Lastly, in a newer case filed towards location information dealer Kochava, the FTC alleged the corporate’s technique of utilizing distinctive cell gadget identification numbers and “timestamped latitude and longitude coordinates displaying the situation of cell gadgets” in customizable information packages offered for promoting put shoppers at vital privateness threat. The criticism argued this info enabled purchasers to establish and observe people not solely at their dwelling addresses, however in different delicate places resembling reproductive well being clinics, locations of worship and home violence shelters. The declare additional alleged that information dealer Kochava had not taken satisfactory measures to safeguard their information from public entry.
Payments circulating round Capitol Hill forecast what could possibly be forward for digital well being privateness
Along with elevated enforcement from the FTC, a number of federal payments containing health-relevant privateness protections have been launched in Congress lately. The next payments every have bipartisan sponsors:
- S. 24 — The Defending Private Well being Information Act: This proposed laws acknowledges the hole in privateness protections for well being information not regulated below HIPAA and directs the Well being and Human Providers Secretary to promulgate rules for brand spanking new well being applied sciences, together with cell apps and direct-to-consumer genetic testing kits, to strengthen and standardize the gathering, use, and disclosure of well being information in areas resembling particular person management and entry, consent, third celebration transfers, and safety. The invoice additionally establishes a nationwide job power on well being information safety.
- S. 3620 — The Well being Information Use and Privateness Fee Act: This invoice proposes a fee that might draft suggestions for “the suitable steadiness to be achieved between defending particular person privateness and permitting and advancing acceptable makes use of of private well being info.” It states the fee would assessment the effectiveness of current legislation and self-regulatory schemes within the personal sector and analyze points resembling person consent, sale and switch of private well being info, information use notices, and deidentification requirements for health-relevant information in gentle of recent applied sciences and growing information assortment.
- S. 3627, H.R. 6752 — The Information Elimination and Limiting In depth Monitoring and Trade (DELETE) Act: This invoice represents one other bipartisan effort for privateness rules that might additionally prolong to health-relevant information. The invoice authorizes the FTC to determine a compulsory registry for information brokers and a centralized information deletion system for people to request that registered information brokers delete their info and request to be added to a “Do Not Monitor” listing for information brokers.
These proposed payments provide beneficial perception into how federal lawmakers are fascinated about the steadiness between information privateness and simpler entry to well being information and evaluation outdoors of HIPAA.
Within the greater than 25 years for the reason that passage of HIPAA, the explosion of health-related cell apps, particularly reproductive well being and fertility apps, has triggered heightened privateness, legislation enforcement and civil rights considerations. State and federal entities are actually responding to those considerations, as demonstrated by way of elevated legislative efforts and enforcement actions. As Samuel Levine, the director of the FTC’s Bureau of Shopper Safety, said, “The place shoppers search out well being care, obtain counseling, or have a good time their religion is personal info that should not be offered to the very best bidder.”
Because the privateness legal guidelines and enforcement actions that defend shoppers’ digital health-relevant information proceed to develop, builders ought to familiarize themselves with privateness and safety necessities to adequately tackle privateness expectations and acceptable practices for future compliance.