Bloomberg Law
Nov. 16, 2021, 10:36 AM

Data Breach Rule for Health Apps Leaves Developers in the Dark

Christopher Brown
Staff Correspondent

Makers of health apps are scrambling to understand the extent of their legal liability after a divided Federal Trade Commission announced they’re now required to inform users about data and privacy breaches—and if they have used their customers’ health data without authorization.

The commission approved 3-2 a policy statement that the makers of health apps, including apps on smartphones and fitness devices, must comply with the FTC Health Breach Notification Rule. The rule had previously applied to a much narrower set of health-information software, primarily apps used to collect and store health records from doctors and other health-care providers.

Supporters say it’s a welcome attempt to extend privacy protections to health data being gathered and stored by a new generation of health and fitness apps that hadn’t been imagined when the breach notification rule was issued in 2009. These apps gather such information as menstrual cycles, fitness and sleep patterns, and blood-glucose levels.

But app developers say the September statement leaves them in the dark about crucial questions, including which apps and app makers are included under the rule, and how big the fines could be for violations, especially in cases where an app maker has been sharing users’ health information without authorization.

“App developers are a pragmatic bunch who are very willing to follow the rules, but they do want to make sure they understand the rules that they are trying to follow,” said Bruce Gustafson, president and CEO of the Developers Alliance, which lobbies for app developers in Congress.

“And the problem and challenge with what the FTC put out is that, rather than clarifying things, it made them more complicated in a way that seems to contradict what they said before,” he said.

Companies that fail to comply with the rule could be subject to fines of up to $43,792 per violation per day, according to the FTC.

Data Privacy

The Health Breach Notification Rule was promulgated by the FTC under the 2009 American Recovery and Reinvestment Act. Its goal was to ensure that companies beyond the reach of the Health Insurance Portability and Accountability Act—which has its own breach notification requirements for providers, hospitals and other covered entities—were subject to similar notification obligations after breaches involving health data.

The importance of these obligations has only increased as health apps have become more popular, and internet behemoths such as Google, Amazon and Facebook have become voracious consumers of the resulting data, privacy advocates say.

“It’s been a longstanding problem that these big internet companies have been harvesting all of this information and using it to create marketing profiles for us so they can target ads at us,” said Jeff Chester, executive director of the Center for Digital Democracy. “And now they’re making use of our health data to target people with ads based on their health conditions—and rarely with any kind of meaningful consent.”

The FTC has allowed a “Wild, Wild West” to develop in the sharing of health information, but that appears to be coming to an end, Chester said. “This is a shot across the bow of the app developers,” he said. “It’s letting them know that the FTC is now going to start protecting consumers’ health data.”

The FTC has been “pretty quiet” about the breach notification rule since it was issued a decade ago, but this announcement will likely have an impact among developers, said Deven McGraw, co-founder and chief regulatory officer at Ciitizen Corp., a consumer health-technology company.

“Publicizing this the way they did with the recent announcement is a way of letting regulated entities know that there’s now a spotlight on this particular aspect of the commission’s authority,” she said. “You have to comply with all the law and regulations, of course, but you’re really going to pay attention to the ones where the commission says, ‘This is important to us.’”

The FTC said in its policy statement that the rule “is more important than ever” as Americans are increasingly turning to apps to track diseases, medications, fitness, fertility, and other vital areas.

Enforcement Questions

But the FTC announcement created ambiguity for developers around some key questions, by stretching the existing rule to apply to technology for which it wasn’t written, said Morgan Reed, president of Act | The App Association, an association of app developers.

The policy statement stretches the definition of “breach” beyond recognition to bring apps and app developers within its reach, Reed said. Before, the term “breach” was understood to mean a security-related incident in which the company’s data was exposed.

Under the FTC policy statement, the term now applies to a company’s business practices in sharing information and getting authorization for that sharing from users, Reed said.

A similar objection was raised by Commissioner Noah Joshua Phillips in a statement explaining his “No” vote on the new policy.

This puts app developers in a tough situation because the measures they need to undertake to keep data secure “are fundamentally different from the measures you take to make sure you’re respecting customers’ expectations about what you’re doing with their data,” said Graham Dufault, Act’s senior director of public policy.

It also brings up some important questions about how the FTC will enforce the policy statement, said Andrea Lee Linna, partner at McGuireWoods LLP in Chicago.

One such question is when the clock starts ticking for determining compliance. Under the ordinary understanding of the term “breach,” the countdown for compliance purposes begins when an intrusion is discovered by the company.

But will the FTC impose the statutory penalties—$43,792 per day per violation—for every day that a company has been sharing information without authorization from its customers?

The FTC confirmed to Bloomberg Law that sharing of health information without proper authorization would trigger notification obligations under the policy statement, and said the commission considers “several factors” in determining an appropriate penalty, including “history of prior such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require.”

“It is unclear at this time how the FTC will enforce the policy statement,” Linna said. “We do not know whether the FTC will attempt to apply the policy statement retroactively or how it will calculate fines if a company discovers that it has a historical practice of disclosing health information without users’ authorization.”

The lack of clarity suggests that the commission should have considered a more deliberate process for rolling out the new policy, said Jonathan Ishee, also a partner at McGuireWoods.

It also could lay the groundwork for litigation over the rule.

“Aggressive enforcement will invariably lead to litigation,” he said. “Litigants will argue that the statement expands the scope of the underlying rule in a manner that does not comply with notice and comment rulemaking, and before the agency reached a final disposition on the comments received from the 2020 Request for Public Comment.”
