On August 28, a bipartisan contingent of U.S. Senators sent a letter (the “Letter”) to the Federal Trade Commission (“FTC”) requesting an investigation and agency guidance into the allegedly deceptive practices of the digital health mobile application, Premom.1 The Letter seeks the FTC’s guidance pertaining to Premom’s consumer data collection and sharing practices. The FTC’s anticipated response could impact digital health companies and other digital technology companies.
According to a letter from watchdog organization International Digital Accountability Council (“IDAC”) referenced in the Letter, non-resettable hardware identifiers are personally identifiable information “because they are tied to a user’s device and it is almost impossible for a user to reset them or erase their digital footprint, thereby allowing companies with this information to infer who the individual users are.”4 The Letter asks the FTC to examine whether Premom’s alleged conduct violated Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”5 Chiefly, the FTC is faced with the question of whether it considers non-resettable device hardware identifiers to be “personally identifiable information,” subject to consumer privacy protections.6
While there remains some uncertainty in the sphere of consumer data collection, digital health companies can take the following steps to avoid inadvertent noncompliance with the FTC Act:
- Update privacy policies to accurately and consistently reflect data collection and sharing practices across all platforms, and regularly review privacy policies to ensure they account for any changes in the company’s operations.
- Ensure users are provided with clear and unambiguous notice any time their data is being collected, and particularly when it is being shared with third parties in any identifiable (whether on the consumer level or device level) form.
- Provide readily accessible and navigable options for users to opt-out of or revoke consent for sharing personal data (which may include non-resettable hardware identifiers).
For questions regarding this article or digital health matters, please contact one of the authors or a member of our Healthcare and Life Sciences or Precision Medicine and Digital Health practice groups.
1. Letter from United States Senators Amy Klobuchar, Jerry Moran, Maria Cantwell, Shelley Moore Capito, Richard Blumenthal, Elizabeth Warren, and Mark R. Warner to the Hon. Joseph J. Simons, Chairman of Fed. Trade Comm’n (Aug. 28, 2020), https://www.capito.senate.gov/imo/media/doc/21CB6CC23B42B9A1BCE0C4076F467E2E.082820ftcpremom.pdf
2. PREMOM HOMEPAGE, www.premom.com (last visited Sept. 4, 2020).
3. One of the third-party companies allegedly attempted to conceal the data transmissions it was receiving from Premom, further raising suspicion regarding Premom’s data-sharing practices. Letter from Int’l Digit. Accountability Council to the Fed. Trade Comm’n at 3 (Aug. 6. 2020), https://digitalwatchdog.org/wp-content/uploads/2020/08/IDAC-Federal-Trade-Commission-Letter.pdf [hereinafter IDAC Letter].
4. IDAC Letter, supra note 3, at 3-4.
5. 15 U.S.C. §45(a)(1).
7. Press Release, Fed. Trade Comm’n, Retail Tracking Firm Settles FTC Charges it Misled Consumers About Opt Out Choices (Apr. 23, 2015), https://www.ftc.gov/news-events/press-releases/2015/04/retail-tracking-firm-settles-ftc-charges-it-misled-consumers.