FTC Cites Privacy Concerns Related to Mobile Health Apps

May 9, 2014 – Mobile health and fitness applications are on the Federal Trade Commission’s privacy-protection radar following a study of 12 mobile apps that widely shared data with other entities, according to FTC officials who spoke May 7 at the FTC’s Spring Privacy Series session, “Consumer Generated and Controlled Health Data.”

The FTC Mobile Technology Unit’s Jah-Juin Ho stated that the 12 apps the FTC tested transmitted information to 76 different third parties. This information included:

  • Device information
  • Consumer-specific identifiers
  • Unique device IDs capable of allowing third parties to track users’ devices across apps
  • Unique third-party IDs capable of allowing third parties to track users’ devices across apps
  • Consumer information, such as exercise routine, dietary habits and symptom searches

“There are significant privacy implications where health routines, dietary habits, and symptom searches are capable of being aggregated using identifiers unique to that consumer,” the FTC’s presentation states. (To view the FTC slides, go to: http://www.ftc.gov/system/files/documents/public_events/195411/consumer-health-data-webcast-slides.pdf)

Further, a July 2013 FTC study that examined 43 free and paid health and fitness apps found that 26 percent of the free apps and 40 percent of the paid apps did not have a privacy policy. It also found that 39 percent of the free apps and 30 percent of the paid apps sent data to someone not disclosed by the developer either in-app or in any privacy policy. These findings have led the FTC to conclude “that from a privacy perspective, mobile health and fitness applications are not particularly safe when it comes to protecting user privacy.”

“This is a clear warning shot by the FTC to all medical marketers that the FTC regulation of privacy matters applies to medical apps as well as all other marketing activities of health care companies,” said Coalition for Healthcare Communication Executive Director John Kamp. “Medical marketers – like all other marketing professionals – must have a privacy policy, follow it, and maintain significant security protections to protect the privacy of their customers,” he said.

“Although the FTC has not been hyperactive in the medical marketing space, this report tells the industry that it takes medical privacy protections very seriously,” Kamp continued. “Be warned. Most often in such circumstances, heavy and high-profile enforcement follows.”

FTC Chief Technologist Latanya Sweeney stated that the FTC is committed to ensuring that consumers not be penalized based on their health data. A Senate bill, “The Data Broker Accountability and Transparency Act of 2014,” which attempts to address the gaps in healthcare data privacy, was introduced in February. The Direct Marketing Association has criticized that bill.