Health data privacy “a high priority” for FTC

Julie Rubash, Chief Privacy Counsel
May 22, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

FTC Enforces and Expands the Health Breach Notification Rule

One day after announcing its settlement with Premom app provider Easy Healthcare over violations of the Health Breach Notification Rule (HBNR), the FTC announced proposed HBNR changes, including changes to clarify that the HBNR applies to health apps.

The FTC also requested public comment on a number of topics, including whether recent FTC enforcement actions have provided sufficient guidance to put companies on notice about their obligations for obtaining consumer authorization before disclosing sensitive health information. 


The Premom settlement is the third recent enforcement action by the FTC regarding sensitive data collection by health apps, following actions against online mental health counseling service Betterhelp and telehealth company GoodRx, and they likely won’t be the last.

In its press release about changes to the HBNR, the FTC made clear that “protecting the privacy and security of personal health data is a high priority for the FTC”. 


CNIL Reports on the Impact of Its Cookie Plan, And Issues A Cookie Fine

The French data protection authority, CNIL, made two announcements regarding cookies this week:

reporting the impact of the CNIL’s 2020-2022 action plan on cookies, according to its recent evaluation;

reporting a €380,000 fine regarding website‘s infringement of the GDPR and non-compliance relating to the use of cookies.

The CNIL’s cookie report revealed that, according to analysis of 1,000 websites with the highest audience in France, the proportion of sites depositing more than 6 third-party cookies before any action by the user fell from 24% to 12% from January 2021 to August 2022.

They also observed an overall reduction of the average number of third-party cookies deposited per site during that period.

However, the report noted that the tracing of browsing data by targeted advertising players, without people’s consent, remains potentially significant. As a result, the CNIL will maintain its compliance efforts on sites with large audiences in France. 

As part of the investigation of, the CNIL observed the deposit of an advertising cookie on the users’ terminal without consent as soon as the users arrived on the website, as well as the deposit of two advertising cookies after clicking on the button “REFUSE ALL”, which the CNIL found to violate Article 82 of the French Data Protection Act.


 The CNIL issued 8 sanctions from 2020 to 2022 on the theme of cookies, with sanctions totaling 421 million euros.

The reasons for those fines included lack of information, the deposit of cookies without prior consent, the failure of the refusal mechanism, or the impossibility of refusing cookies as easily as accepting them.

The CNIL’s recent report and fine of over cookie violations indicate that their focus and enforcement efforts will continue for the foreseeable future. 


Google to Require Publisher Adoption of IAB TCF

Google announced that, later this year, the company will require all publishers using AdSense, Ad Manager or AdMob to adopt IAB Europe’s Transparency and Consent Framework (TCF) when serving ads to users in the European Economic Area or the UK.

Google will make available in the coming weeks a list of Google certified consent management platforms that have integrated with the TCF that publishers can use. 


Google’s announcement follows shortly after IAB Europe’s launch of TCF v2.2, a new iteration of the TCF designed “to better meet the expectations of regulators and needs of end-users”.

CMPs and vendors will be required to implement the new policies and specifications by 30 September 2023. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

What are the privacy laws in Canada?

June 6, 2024

Everything you need to know about PIPEDA and Quebec’s...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]