FTC continues health data privacy enforcement

Julie Rubash, Chief Privacy Counsel
March 6, 2023

UNITED STATES


FTC Continues Health Data Privacy Enforcement

The FTC made two announcements this week demonstrating its increasing focus on health information privacy enforcement: a proposed settlement with online counseling service BetterHelp regarding the sharing of health information with social media platforms for advertising purposes; and a warning to Amazon that it will hold the company accountable for ensuring personal health information from newly acquired company One Medical will not be shared or used to sell other Amazon products, absent clear user permission.

TAKEAWAY

These actions come on the heels of a $1.5MM FTC enforcement action against telehealth company GoodRx for alleged sharing of user email addresses with Facebook for targeted advertising purposes without user authorization. Collectively, these actions send strong signals of the FTC’s intentions in the health data privacy space. More explicitly, in its warning letter to Amazon, the FTC also sent a warning to the industry: “companies that fail to have adequate safeguards or controls in place to protect sensitive health data or fail to obtain consumers’ express affirmative consent for marketing based on sensitive data such as health data may be in violation of the law…the parties and the market more broadly should be on notice that the Commission will continue to monitor this space and bring enforcement actions whenever the facts warrant.”

Read more about the proposed BetterHelp settlement, and what it means for health data privacy.


Montana Privacy Legislation Passes One Chamber

The Montana Senate unanimously passed SB 384, which would implement a Connecticut-style comprehensive privacy law, transmitting the legislation to the Montana House.

TAKEAWAY

Montana is the second state in 2023 to pass comprehensive privacy legislation through one chamber, joining Indiana, which passed SB 5, a Virginia-style bill, out of the Senate in early February. 


Consideration of Federal Privacy Legislation Starts Again

The U.S. House Innovation, Data and Commerce Subcommittee held a hearing to discuss comprehensive privacy legislation at the federal level. Speakers at the hearing included representatives from nonprofit Center for Democracy & Technology; privacy tech company Anonym; and law firm Kelley Drye & Warren. While the speakers had some differing viewpoints on what privacy legislation should include, all supported the general passage of federal privacy legislation.

BACKGROUND

 A bill to implement the American Data Privacy and Protection Act (ADPPA), a federal comprehensive privacy law, was introduced and failed to pass in 2022, perhaps largely due to strong objections from the California Privacy Protection Agency, among other U.S. state authorities, based on the bill’s broad preemption language. The ADPPA has not yet been reintroduced in 2023 but will likely serve as a starting point for 2023 discussions. 

EUROPE


noyb Files Complaints re Cookie-Based Access Request Authentication

Advocacy group None of Your Business (noyb) announced its filing of a series of complaints alleging that certain data brokers and websites failed to sufficiently respond to access requests with respect to cookie-based data. Specifically, when sent an access request citing a cookie identifier, the companies allegedly either asked for other forms of identification (such as additional personal details) or ignored the request altogether. noyb alleged that these actions were inconsistent with GDPR and recent EDPB guidance.

CONTEXT

The cited EDPB guidance, issued in January 2022, includes a section addressing “issues with establishing the identity of the person making the request” and includes a specific example of a controller that processes cookies and associated pseudonymous random identifiers for behavioral advertising. The guidance says that, in this scenario, if the data subject exercises his right of access via the controller’s website, the controller should be able to precisely identify the data subject to show the data subject’s behavioral advertising data, by linking the terminal equipment of the data subject to its advertising profile with the cookies dropped in the terminal, and subsequently grant access to the personal data, since a link between the data processed and the data subject can be found. Alternatively, if the data subject makes a request via email, the controller will have no other choice but to ask the data subject to provide additional information (the cookie identifier stored in the terminal equipment of the data subject) to be able to identify the advertising profile associated with the data subject.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
