May 19, 2023 - Health

FTC signals tougher rules for health companies' use of data

The Federal Trade Commission issued a warning Thursday about companies' use of consumers’ biometric information such as facial recognition technology, saying it raises "significant consumer privacy and data security concerns."

Why it matters: The warning comes as a growing number of companies amass data based on individuals' physiological features, which could be used to infer consumers' health or other personal information.

What they're saying: "We view this policy statement as an important way to put companies on notice about the obligations they have under existing laws," Lina Khan said.

Catch up quick: The FTC has already been cracking down on the industry. For instance, on Thursday, the agency charged the developer of period tracking app Premom with deceiving users by sharing their health data with third parties, including Google and two China-based firms, Axios' Erin Brodwin wrote.

  • But the nearly three-decade-old Health Insurance Portability and Accountability Act, or HIPAA, has grown less effective over time as the nature of information sharing has changed, Axios has previously reported.
  • The FTC also proposed changes Thursday to the Health Breach Notification Rule, including modifying the definition of personal health record (PHR) identifiable health information and adding new definitions of health care provider and health care services.
  • The throughline between Premom, as well as GoodRx and BetterHelp, "underscore[s] how seriously we take protecting Americans' privacy, especially when it relates to people's most sensitive information," FTC chairwoman Lina Khan said.
  • "Business models that are based on monetizing people's data can lead to situations where companies Americans are trusting with their sensitive data are then exposing that information for the sake of targeted advertising, analytics and engagement," Khan said.

Zoom in: It's not hard to imagine the possibility of a gaming VR headset collecting biometric data that indicates a kid's likelihood of developing dementia in older age, then selling that data to an insurance company, R.J. Cross, director of the Don't Sell My Data campaign at the organization U.S. PIRG, said during the public comment portion of an FTC meeting on Thursday.

  • "Right now there are very few rules protecting our data," Cross told Axios, saying the FTC biometric policy statement is "a nice start" but will need to go bigger.
  • "Every single one of us has data ricocheting around the databases of companies we’ve never heard of, used for all kinds of purposes we had no idea are happening," Cross said. "The problem only gets worse when you add sensitive physiological data into the mix."