The conventional wisdom these days is that rigorous health data privacy laws protect your sensitive health data from being shared without your consent. And, certainly, that’s the case with hospitals, insurers and employers. But there might be a very grey area when it comes to consumer-facing health apps and fitness tracking devices. As long as these apps and devices are not directly partnering with a hospital or insurance company, then they are able to share data and information with third parties. Put another way, if you are using apps to count your steps, measure your caloric intake or monitor sensitive health information, then you might be unknowingly sharing all of that information with marketers and data brokers.
The legal case against health apps and fitness trackers
Already, there have been cases of apps coming under legal and regulatory scrutiny from both the Federal Trade Commission and state attorneys general. For example, the Flo app (which tracks menstrual cycles for women) was found to be sharing data with Google and Facebook, even though it told users that it would never share their information. And the fertility app Glow was recently fined $250,000 by the state of California for divulging private health information.
With so many health apps launching these days, and with so many people using Fitbit-like fitness trackers to measure their body’s health, it’s a no-brainer that this problem is only going to get worse. A person who starts out by tracking their daily runs will likely expand their use to include counting calories. And, if that goes well, it could well expand into tracking all sorts of bodily functions. Imagine now if all that information ended up in the wrong hands – or, at least, in the hands of people that you never knew had that information. All of a sudden, if an app thought you were pregnant, you might start getting ads for maternity clothes or baby strollers.
Granted, these apps and devices are not broadcasting your data in every direction. And they are not intentionally revealing the name and identity of the person. But they may be handing over “de-identified” data for targeted promotions. A marketer getting access to this data, for example, might not know the exact identities of people who could become potential prospects or customers, but would presumably know enough to send out geo-targeted promotions to people in a certain area or certain demographic group.
The impact of COVID-19
All of this matters even more because of what might be happening with the COVID-19 pandemic. With all the talk about “contact tracing” and “vaccine passports,” it’s highly likely that sensitive health information might get shared with a lot more people than you ever expected. Download a contact tracing app, for example, and who knows who would ever have the ability to track your every step. Download a vaccination passport app, and you might find your vaccination status being used for far more than just travel. Imagine walking into a restaurant where you’ve booked a reservation in advance and being turned away at the door: “I’m sorry, sir, but we are only serving guests who have positive proof of vaccination tonight…”
Consumers left with few options
For now, unfortunately, consumers have little or no recourse. They don’t have legal standing to sue any consumer app maker for privacy violations; right now, only state attorneys general can do that. And even the FTC, usually viewed as a strong bulwark against unscrupulous marketers, can’t do much when it comes to these apps. The FTC can open up a case, but can’t levy any financial penalties unless an existing agreement between the company and the FTC has been broken. This suggests that the nation’s health data protections are, in fact, weaker than they might seem. They were designed for hospitals and insurers, and not for the new wave of health apps and fitness trackers.