FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Information Without Authorization

On March 4, 2021, Senator Robert Menendez (D-New Jersey) and Reps. Mikie Sherrill (D-New Jersey) and Bonnie Watson Coleman (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to begin enforcing the Health Breach Notification Rule.

The FTC is responsible for protecting the American public from bad actors that betray consumer trust and misuse consumers’ health information. It has the ability to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule.

The Health Breach Notification Rule was created in connection with the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health data, PHR-linked entities, and third-party service companies to notify consumers about unauthorized disclosures of personal health information.

The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) and has the same terms as the HIPAA Breach Notification Rule. Although the HHS’ Office for Civil Rights already enforces the HIPAA Breach Notification Rule, the FTC has not taken any enforcement actions against entities that violated the Health Breach Notification Rule.

In the letter, addressed to FTC Acting Chair the Honorable Rebecca Kelly Slaughter, the lawmakers urged the FTC to take enforcement action against firms that do not notify consumers of unauthorized uses and disclosures of personal health data, in particular disclosures of consumers’ personal health data to third parties without permission by vendors of menstruation tracking mobile applications.

Over the last several years, various menstruation and fertility tracking applications have been found to be sharing app user data with third parties without authorization. In 2019, a Wall Street Journal report showed that the period tracking app Flo was sharing users’ personal health data with third parties without obtaining permission. Though Flo Health stated in its privacy policy that users’ personal health information would be protected and not shared with third parties, user data was actually being disclosed to technology organizations including Facebook and Google.

The FTC filed a complaint against Flo over the privacy breach and reached a settlement with Flo Health that required the app developer to change its privacy practices and obtain authorization from app users before using their health data. However, the complaint did not address the failure to notify users.

Flo is not the only period tracking application to share consumers’ personal health details without obtaining permission. The watchdog group International Digital Accountability Council found that the privacy policy of the fertility tracking app Premom did not match its actual data sharing practices, and that the app was disclosing user data without authorization. In 2019, Privacy International investigated the privacy violations of one more period tracking application and learned that user information was provided to Facebook before users could see changes to its privacy policy and give their permission.

The lawmakers encourage tougher [Health Breach Notification Rule] enforcement, particularly in the case of period-tracking apps, which involve data that is personal and extremely valuable to advertisers. All tools, including the Health Breach Notification Rule, must be used to protect women and all menstruating individuals from mobile applications that exploit their personal information.