This case is really a huge deal. For years, we've read stories of health apps sharing data with G/FB/data brokers.
With this case, the FTC is saying that apps sharing personal health data without explicit permission violates the Health Breach Notification Rule.
Privacy people talk about the HIPAA cliff (or gap) --- medical providers have rules under HIPAA but apps and websites aren't covered. But the FTC is using other legal authorities to impose strict protections. To wit:
The FTC previously signaled this direction with an updated Policy Statement in 2021. In addition to articulating a clear prohibition on sharing health data, invoking the HBNR means the FTC can get massive fines for violations.
The FTC also alleges that sharing this data without permission was an "unfair" business practice under Section 5. The logic of this count applies beyond health data, and reflects a broader trend among the FTC and other regulators toward cracking down on sharing data for targeted ads.
Punting everything to consent can be problematic if it just means blanket permissions in EULAs or annoying and confusing interstitials. But I suspect the FTC will have a high bar on what constitutes valid consent for selling or sharing health data.
And as Ben points out, at least GoodRx can't even ask for consent. The FTC is imposing a blanket prohibition on sharing health data for ad targeting for the company going forward (which is the right policy anyway).
Quoted tweet: The @FTC's order against @GoodRx includes a flat-out ban against selling user health data to 3rd parties in the future. This is the kind of conduct-changing remedy that has been hard to obtain in past cases (and why unfairness can be such a powerful tool). twitter.com/benrossen/stat…
It's especially gratifying that this case came out of an investigation conducted by (with help from ). They uncovered a lot of dodgy stuff and laid out a great fact pattern. Well done!