Health data privacy “a high priority” for FTC

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

FTC Enforces and Expands the Health Breach Notification Rule

One day after announcing its settlement with Premom app provider Easy Healthcare over violations of the Health Breach Notification Rule (HBNR), the FTC announced proposed HBNR changes, including changes to clarify that the HBNR applies to health apps.

The FTC also requested public comment on a number of topics, including whether recent FTC enforcement actions have provided sufficient guidance to put companies on notice about their obligations for obtaining consumer authorization before disclosing sensitive health information. 

TAKEAWAY

The Premom settlement is the third recent enforcement action by the FTC regarding sensitive data collection by health apps, following actions against online mental health counseling service Betterhelp and telehealth company GoodRx, and they likely won’t be the last.

In its press release about changes to the HBNR, the FTC made clear that “protecting the privacy and security of personal health data is a high priority for the FTC”. 

Europe

CNIL Reports on the Impact of Its Cookie Plan, And Issues A Cookie Fine

The French data protection authority, CNIL, made two announcements regarding cookies this week:

reporting the impact of the CNIL’s 2020-2022 action plan on cookies, according to its recent evaluation;

reporting a €380,000 fine regarding website doctissimo.fr‘s infringement of the GDPR and non-compliance relating to the use of cookies.

The CNIL’s cookie report revealed that, according to analysis of 1,000 websites with the highest audience in France, the proportion of sites depositing more than 6 third-party cookies before any action by the user fell from 24% to 12% from January 2021 to August 2022.

They also observed an overall reduction of the average number of third-party cookies deposited per site during that period.

However, the report noted that the tracing of browsing data by targeted advertising players, without people’s consent, remains potentially significant. As a result, the CNIL will maintain its compliance efforts on sites with large audiences in France. 

As part of the investigation of doctissimo.fr, the CNIL observed the deposit of an advertising cookie on the users’ terminal without consent as soon as the users arrived on the website, as well as the deposit of two advertising cookies after clicking on the button “REFUSE ALL”, which the CNIL found to violate Article 82 of the French Data Protection Act.

TAKEAWAY

 The CNIL issued 8 sanctions from 2020 to 2022 on the theme of cookies, with sanctions totaling 421 million euros.

The reasons for those fines included lack of information, the deposit of cookies without prior consent, the failure of the refusal mechanism, or the impossibility of refusing cookies as easily as accepting them.

The CNIL’s recent report and fine of doctissimo.fr over cookie violations indicate that their focus and enforcement efforts will continue for the foreseeable future. 

INdustry

Google to Require Publisher Adoption of IAB TCF

Google announced that, later this year, the company will require all publishers using AdSense, Ad Manager or AdMob to adopt IAB Europe’s Transparency and Consent Framework (TCF) when serving ads to users in the European Economic Area or the UK.

Google will make available in the coming weeks a list of Google certified consent management platforms that have integrated with the TCF that publishers can use. 

NEXT STEPS

Google’s announcement follows shortly after IAB Europe’s launch of TCF v2.2, a new iteration of the TCF designed “to better meet the expectations of regulators and needs of end-users”.

CMPs and vendors will be required to implement the new policies and specifications by 30 September 2023. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.