The U.S. Federal Trade Commission has issued a policy statement confirming that health apps that collect or use consumers' health data must comply with the Health Breach Notification Rule, which requires them to notify consumers when their health data is breached, including when it is shared with third parties without their permission.
The rule also applies to connected devices, such as wearable fitness trackers, that collect consumers' health information. The Commission voted 3-2 to approve the policy statement during its open virtual meeting.
FTC Chair Lina M. Khan said in a statement that “While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics.”
“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
The FTC said it would "vigorously" enforce the rule, which carries civil penalties of up to $43,792 per violation per day for companies that do not comply.
Back in January, the FTC had reached a settlement with Flo Health, a widely used period- and fertility-tracking app with more than 100 million users worldwide, over allegations that it broke its privacy promises by improperly sharing users' health information with Facebook, Google and other third-party companies. In June, the FTC finalized the settlement, under which Flo Health must notify affected users about the disclosure of their health information and instruct any third party that received it to destroy that data.