Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data, including highly sensitive information, to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. It is mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as "privacy by design"), because it is cheaper to build privacy in than it is to remediate later.

(Note: This was originally posted as part 6 of a 7-part series, "Building a Health App?", on our sister blog, Health Law & Policy Matters.)


Continue Reading HIPAA and Other Privacy Considerations at Play when Building a Health App

Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health record (EHR) company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider reviews collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances underlying the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation. There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers. Read on. Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content

Written by Amy Malone

Amy Malone is attending the Data Protection & Privacy Law Conference in Arlington, Virginia this week and will be providing updates.

Kevin Moriarty from the Division of Privacy and Identity Protection of the Federal Trade Commission addressed the privacy conference on Wednesday. His discussion focused on the current FTC policy work, including workshops and privacy roundtables. Kevin reviewed historical cases brought under Section 5 of the FTC Act, and ended with words of advice to prevent your organization from becoming a target of an FTC enforcement action. He suggests you:

  1. Review the FTC website and use the Consumer Protection Resources. (Kevin said the FTC looks favorably on organizations that can show they have reviewed the site and used the resources provided.)
  2. Keep your promises; do what your privacy policy says you do.
  3. Share information only for permissible purposes.
  4. Dispose of information properly (don't forget about paper!).
  5. Keep up with common threats such as stolen credentials, SQL injection attacks, and unauthorized access to Wi-Fi networks.
  6. Develop an incident response plan before you have an incident.
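Item 5 names SQL injection as one of the threats the FTC expects companies to keep up with. The following is an added example, not part of the conference talk or the original post, showing the defect side by side with the fix: a lookup that concatenates user input into the SQL text versus the same lookup using a parameterised query. The table, rows and the `INJECTION` string are constructed sample data; `lookup_vulnerable`, `lookup_safe` and `demo` are hypothetical helper names.

```python
import sqlite3


def _setup() -> sqlite3.Connection:
    """Build a small in-memory users table; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "alice@example.com"),
            ("bob", "hash-of-bob-pw", "bob@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable: the caller's input becomes part of the SQL text,
    # so a quote in the input can change the structure of the query.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised: the value travels separately from the SQL text, so it is
    # only ever compared as data and can never alter the WHERE clause.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology payload (constructed): closes the quoted literal and
# appends a condition that is always true.
INJECTION = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against a normal username and against the payload."""
    conn = _setup()
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, INJECTION),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, INJECTION),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query returns every row in the table (both users' e-mail addresses leak), while the parameterised query returns nothing because no username literally equals the payload string. The same pattern applies to any database driver: never build the SQL text from untrusted input; bind values as parameters.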

The Federal Trade Commission has issued yet another warning to companies operating online:  make sure your privacy policy is not making promises that you cannot (or do not) keep.

Recently, the FTC entered into an agreement with Myspace and issued a consent order to settle a complaint it filed against the social networking website. This post examines the important components of the FTC complaint, focusing on how Myspace indirectly shared its users' personally identifiable information (PII) in violation of its own privacy policy, and the FTC consent order, which provides yet another road map for companies to stay on the "right" side of the privacy road. Key takeaways are in Part 2.

Continue Reading FTC Warns: Practice What You Promise – Part 1

Following on the heels of Facebook's landmark settlement with the Federal Trade Commission, a bipartisan group of members of the House of Representatives has apparently read the "new and improved" Facebook privacy policy and was not impressed.

Reps. Cliff Stearns (R-FL), Ed Markey (D-MA), Joe Barton (R-TX), and Diana DeGette (D-CO), sent a letter to Facebook CEO Mark Zuckerberg, wondering why the site’s new Data Use Policy was longer than the U.S. Constitution.

“Many of these actions [in the FTC settlement] have long since been rectified by Facebook in response to user concerns, but both the practices and user information collected by those practices give rise to questions nonetheless,” the letter said.

The letter pointed out that Facebook’s current privacy policy is almost six times as long as it was in 2005, longer than other social networks’ policies and the Constitution, not including the amendments. The representatives asked Zuckerberg to give them data regarding the percentage of Facebook users who read the full policy.  “We are concerned … that long, complex privacy policy statements make it difficult for consumers to understand how their information is being used,” the letter said.

Facebook aside, the fact is that privacy policies are getting longer, more complex, and more difficult for users to comprehend as websites attempt to put every possible way that they may or "might" use information, now or in the future, into the policies. The congressional inquiry may help to put a check on the "kitchen sink" approach to drafting.

Other questions that interest the lawmakers are ones that site operators (and their advisors) should be asking of every privacy policy: how the site tracks users' browsing habits, including what information it collects, whether the information can be used to identify an individual, and whether users can opt out of tracking. The letter specifically asks: "How is Facebook making it easier for users to understand their ability to opt out?" The lawmakers requested that Zuckerberg respond to the questions by Jan. 3.

Stearns and DeGette are the chairman and ranking member, respectively, of the House Energy and Commerce Committee’s subcommittee on oversight and investigations. Barton and Markey are co-chairmen of the Congressional Bipartisan Privacy Caucus.

So, when’s the last time you reviewed your company’s privacy policy?

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users” —  Federal Trade Commission Chairman Jon Leibowitz

The Federal Trade Commission (FTC) has announced the long-rumored proposed consent decree with Facebook, settling allegations in a complaint that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices. The settlement comes ahead of Facebook's planned IPO this spring and carries no financial penalties. Importantly for Facebook, the settlement does not force Facebook to revert to the system it had prior to December 2009. Early Facebook users will remember that in those days, users could keep the things and people they "liked" completely private.

Let's take a look at what the settlement does provide. It imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written, comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users' information. Surprisingly, it appears that Facebook did not have such a program.

The settlement also requires that Facebook (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree.

Continue Reading FTC: Facebook “Deceived” Consumers by Failing to Keep Privacy Promises