November 18, 2021
Bloomberg Law interviewed McGuireWoods partners Andrea Lee Linna and Jonathan Ishee for a Nov. 16, 2021, article on a new Federal Trade Commission (FTC) policy statement requiring developers of health apps — including apps on smartphones and fitness devices — to inform users about data and privacy breaches and if they have used their customers’ health data without authorization.
The FTC issued the policy statement on Sept. 15, 2021, emphasizing that developers of health apps and other connected devices and their service providers have breach notification requirements under the Health Breach Notification Rule. The breach notification requirements include a rapid 10-day notice period to the FTC, and a 60-day notice period to individuals and the media, with violations potentially resulting in significant civil penalties of $43,792 “per violation,” “per day.” How the FTC will enforce the policy statement, including when the clock starts ticking to determine compliance, is an open question.
“It is unclear at this time how the FTC will enforce the policy statement,” Linna said. “We do not know whether the FTC will attempt to apply the policy statement retroactively or how it will calculate fines if a company discovers that it has a historical practice of disclosing health information without users’ authorization.”
According to Ishee, the lack of clarity suggests the commission should have considered a more deliberate process for rolling out the new policy. It also could lay the groundwork for legal challenges.
“Aggressive enforcement will invariably lead to ligation,” Ishee said. “Litigants will argue that the statement expands the scope of the underlying rule in a manner that does not comply with notice and comment rulemaking, and before the agency reached a final disposition on the comments received from the 2020 Request for Public Comment.”