Industry Groups Critique FTC’s Mobile Health Research
Industry groups criticized FTC research presented at the commission’s consumer-generated health data workshop, in comments filed to the FTC after the workshop. The research, a preliminary look into the data sharing practices of mobile health apps, had a flawed premise and relied on flawed assumptions, said several groups. Industry associations also pushed back against the risks of re-identifying health data as presented at the workshop, encouraging the FTC to take a more tangible economic cost-benefit analysis when considering further actions regarding consumer-generated health data. No privacy advocates submitted comments to the FTC following the workshop (CD May 8 p22).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
At the workshop, the FTC presented its initial findings from a limited study of health app data sharing practices. The commission looked at 12 free health apps -- ranging from wearable device apps to daily activity diaries to symptom input apps -- and found they shared information with 76 third-party companies.
This sample size was “far too small to get the full view of the mobile health app industry,” said the Association for Competitive Technology (ACT) in its comments. NetChoice concurred: “FTC Staff Observations were both undersized and skewed, and should not have been the basis for so much of the Workshop’s discussions,” it said in comments. ACT helps small- and mid-sized app developers comply with government regulations and NetChoice represents ecommerce companies including Facebook and Google. NetChoice also criticized the FTC for treating all apps the same and always choosing to opt in to any sharing option. Some health apps collect and share innocuous data, while others collect sensitive information that should be held to different security and consent standards, NetChoice said.
During the event, FTC Mobile Technology Unit attorney Jared Ho said the FTC’s research built off a 2013 Privacy Rights Clearinghouse (PRC) study, which found popular health apps lacked privacy policies and maintained insufficient encryption standards (http://bit.ly/1bJSxON). Industry groups took similar issues with the PRC study. “By flooding its study with apps collecting less sensitive information, the PRC Report results skewed to make apps appear less privacy-sensitive than they are otherwise,” NetChoice said. These flawed conclusions might “lead the FTC into improper regulation and/or discourage evolution of useful tools for consumers."
FTC Chief Technologist Latanya Sweeney presented her research at the event, showing that health data -- once collected, de-identified and shared -- can often be re-identified using basic information. But this re-identification is often reliant on publicly available datasets, said the Future of Privacy Forum (FPF) in its comments. “We believe that the risk of re-identification has been overstated in instances where de-identified data sets will not be made publicly available,” FPF said. FPF is an industry-backed privacy advocate group supported by companies including Google, Facebook, Microsoft, Apple and Amazon, and data brokers such as Acxiom. The FTC’s own de-identification standards presented in its 2012 privacy report (http://1.usa.gov/1cPhLc0) are a robust model for consumer-generated health data, FPF said. The report recommends companies publicly commit to not re-identifying data and contractually prohibits any “downstream recipients” from doing so as well.
The FTC currently shares some health data oversight jurisdiction with the Health and Human Services Department (HHS). Several commenters stressed the need to retain the existing balance, which has historically leaned more heavily on HHS and its Food and Drug Administration (FDA). “Any further regulatory initiatives in this area should be led by the FDA,” said the Medical Device Privacy Consortium (MDPC), which represents medical device manufacturers. The FDA’s definition of medical device is already “broad” enough to cover this new industry, MDPC said. The FDA recently released a health IT framework to clarify which types of Internet-enabled healthcare devices it will closely scrutinize (CD April 4 p8). “If the Commission wishes to distinguish uses and disclosures of ‘health’ data from other types of data, the Commission needs to clearly define this term,” MDPC said. The FTC’s Sweeney has said the commission is in a good position to lead on health data privacy and privacy advocates have pushed for the FTC to gain more jurisdiction in the area.
If the FTC’s role in health data privacy does increase, the commission should consider using a stricter economic cost-benefit approach, said James Cooper, director-research and policy at Law and Economics Center at George Mason University School of Law. “Such harms can be measured objectively with metrics like fraudulent charges, inconvenience costs associated with identity theft, or lost marketplace opportunities due to stigma,” he said. The free-market U.S. Chamber of Commerce, and trade group Computer and Communications Industry Association (CCIA), stressed the same points in their comments.
The most consistent theme among commenters: health data is big business. Personal health and wellness devices are expected to generate more than $8 billion in revenue by 2018, up from $3.3 billion last year, said the CEA. And it has the potential to save the country billions of dollars -- CCIA cited McKinsey research estimating up to $450 billion in savings to annual healthcare costs from using expanding health datasets. The FTC must be careful to not hinder the “foregone benefits” by encouraging “poorly targeted regulations,” CCIA said. -- Cory Bennett (cbennett@warren-news.com)