Qayyum Ali
Associate Editor
Loyola University Chicago School of Law, JD 2025
The Federal Trade Commission (“FTC”) is intensifying its already rigorous oversight of how health apps, such as fitness apps, menstrual cycle trackers, and sleep trackers, utilize and disseminate sensitive personal information. However, unresolved questions regarding the extent of the agency’s authority are likely to precipitate challenges that could significantly curtail these efforts.
Origins of the Health Breach Notification Rule
The FTC enacted the Health Breach Notification Rule (“Rule”) in 2009; the Rule solely required vendors of Personal Health Records (“PHR”) and related entities to notify individual consumers and the FTC (and media outlets in cases of large-scale breaches) when identifiable health information was inappropriately disclosed in a security breach. It did not cover instances when information was deliberately disclosed without authorization from users. Thus, health apps and wearable tech were not under an obligation to report the deliberate dissemination of user data to third parties.
FTC’s amendment expands the Health Breach Notification Rule to include health apps and wearables
In 2021, the FTC issued a policy statement that broadly interpreted the Rule to encompass any unauthorized release of protected health information (“PHI”), including information inappropriately disclosed in a security breach. This interpretation extended the Rule’s application to developers of health applications and connected devices, mandating that any disclosure made without individual authorization be reported, not just security breaches.
The FTC has historically maintained that privacy policies must be accurate and not misleading under Section 5 of the Federal Trade Commission Act; however, the FTC has previously lacked the authority to impose financial penalties for such violations. With the implementation of the finalized rule, the FTC has now acquired the capacity to issue civil penalties to enforce compliance.
Effective July 29, 2024, the FTC promulgated a final rule that expands the purview of its existing Health Breach Notification Rule to encompass health applications and analogous technologies that collect or utilize consumers’ health information typically associated with wearable devices such as smartwatches. Due to the continued proliferation and diversification of such technologies, numerous entities currently amass and store substantial quantities of sensitive personal health information, including heart rate and fitness data, which falls outside the purview of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The FTC’s amended Rule aims to enhance the protection of such information and exemplifies the increasing regulatory scrutiny of the security and privacy practices pertaining to health-related applications and technologies.
FTC’s enforcement of the Rule
Although the Rule has been in effect since 2009, the FTC did not utilize it in an enforcement action until after proposing amendments to it in 2021. In 2023, in accordance with the FTC’s proposed modifications, the FTC’s initial enforcement action accused the digital healthcare platform GoodRx Holdings Inc. of having “repeatedly” violated its commitment not to share personal health information with Facebook, Google, and other advertisers. This resulted in an agreement for GoodRx to pay a civil penalty of $1.5 million.
On May 17, 2023, the FTC announced its intention to wield the Rule in an enforcement action against the fertility app Premom. The FTC alleged that Premom had disseminated users’ sensitive personal information to third parties, including AppsFlyer, Google, and two China-based entities, and had failed to inform consumers of these unauthorized disclosures, thereby violating the Rule. This resulted in Easy Health (Premom) agreeing to pay a civil penalty of $100,000.
It is highly probable that the FTC will persist in initiating legal proceedings that emphasize the dissemination of sensitive health information, particularly in light of heightened concerns regarding third-party access to personal data, such as medical records and location history, following the U.S. Supreme Court’s decision in Dobbs, which overturned the constitutional right to abortion. Millions of women utilize menstrual cycle-tracking apps like Flo and Clue. The personal health data stored within these applications is among the most sensitive information individuals can share and can be highly indicative. These applications have the capability to record menstrual cycle commencement and cessation, pregnancy initiation and termination, as well as geolocation data. If this data is subpoenaed or sold to a third party, it could potentially be employed to infer that an individual has undergone or is contemplating an abortion; this information may subsequently be utilized in legal proceedings against individuals.
FTC’s amended Rule has teeth, but companies may bite back
The final Rule eliminates ambiguity for entities attempting to determine their compliance obligations and enhances the enforcement capabilities of the 2021 policy statement. Developers of health and wellness applications should interpret this final Rule as a significant modification in the FTC’s regulatory approach to data protection practices. Application developers and other health-related entities that utilize consumer PHR should thoroughly evaluate the implications of this final Rule on their internal operational frameworks and consumer privacy assurances.
Nevertheless, this more assertive approach is unlikely to remain unchallenged. In the FTC’s cases against GoodRx and Premom, both companies settled their claims to avoid the “time and expense” of litigation. However, the Supreme Court’s ruling in the Loper Bright Enterprises v. Raimondo case, which overturned “Chevron deference,” will have implications for nearly every agency, including the FTC. This means that courts must now interpret federal statutes without deference to agency interpretations, relying instead on standard statutory interpretation tools, including plain language and congressional intent, thus providing new opportunities for parties to challenge an agency’s rulemaking and interpretations at all process stages.
The Loper Bright decision will significantly affect the FTC’s consumer protection division. While Congress granted the FTC authority to establish rules encompassing PHR, the FTC’s revised Rule purports to extend its jurisdiction to encompass virtually all health applications and connected devices, potentially leaving the agency over-extended and without the protection of Chevron deference. Entities seeking to challenge the Rule now possess a formidable legal instrument in their arsenal.