The Federal Trade Commission recently said it would crack down on the sharing of information about children by mobile apps, and now we see indications that it will turn its regulatory gaze toward apps that collect health data.
In late February and early March, the commission conducted a small study of health and fitness apps to see how much personal data they collect and share with third parties. Turns out, it’s a lot.
Jared Ho, an attorney in the FTC mobile technology unit, studied a group of exercise, pregnancy, smoking cessation, diabetes, dietary, and diagnosis apps, and he found that they shared personal and device data with 76 third-party data collectors. Advertising and marketing companies typically collect such information to develop profiles of likely customer types — and in some cases directly target potential customers.
“The purpose was to point out that these apps transmit a variety of very sensitive information about the body and consumers need to understand that when interacting with health apps,” Ho told VentureBeat.
Of the 76 third parties, 18 collected the Unique Device Identifier (UDID) of the phone, the phone’s media access control address (MAC address) and its International Mobile Station Equipment Identity (IMEI). Ho says the collection of such IDs has clear privacy implications.
“It’s important because those device IDs could potentially allow third parties to connect the information between apps,” Ho says. “If one app is collecting and transmitting exercise information and another is collecting and transmitting diet information [on the same device], there is some potential for connecting that information through a device ID.”
Asked if the small study might be the beginning of a deeper looking into the matter at the FTC, Ho replied: “Health apps are an important area that we are continuing to look into,” Ho said. “It’s an issue of public concern and one that the FTC cares about.”
The United States has aggressively legislated the protection of health data with its Health Insurance Portability and Accountability Act (HIPAA) laws. But because the health data shared with apps falls outside the medical setting, it is not covered by the laws. The FTC is concerned that consumers might not make the distinction.
“Consumers are used to sharing that information with their health care providers, and the privacy of that information is protected by HIPAA regulations,” says Cora Han of the FTC’s Privacy and Identity Protection Division. “We wanted to take a look at apps that generate and share sensitive data that are outside the protection of HIPAA.”
So as more and more fitness and health devices and associated apps show up in the marketplace, the more personal health data is collected and potentially shared. If the FTC decides to enforce rules on the collection and sharing of such data, the data-analytics part of some app developers’ business model could face a threat.
We’ll continue to watch the FTC’s actions with regard to personal health-data privacy.