The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict how HIPAA-covered entities and their business associates may use and disclose healthcare information. The Federal Trade Commission (FTC) polices entities that are not under HIPAA, along with privacy violations and illegal uses and disclosures of sensitive consumer data. The FTC recently announced that it will fully enforce the law to stop illegal uses and disclosures of highly sensitive information.
A person’s distinct location and data regarding their health are common types of sensitive data collected by connected devices such as smartphone applications, fitness trackers, and browsers. This sensitive data is then combined with other information, monetized, and bought by third parties, usually without the knowledge of the people the data belongs to.
Acting Associate Director Kristin Cohen of the FTC’s Division of Privacy & Identity Protection states that highly personal data that people don’t want to share even with family, co-workers, or friends is being disclosed to total strangers. These strangers often use shadowy ad tech and data broker systems to profit from the sharing of data at an unparalleled scale.
Location data can be collected by connected devices even when they are not in use. Data about a person’s work, sleep, social whereabouts, worship, and medical appointments can be obtained. Although many people may agree to give their location information in order to get real-time crowd-sourced information about the quickest way home, they likely would not want to share their online identity linked to the frequency of their consultations with a doctor or therapist. Once a company has obtained such information, consumers usually don’t know who has it or how it was used. After collection, data goes to a big and intricate marketplace frequented by many sellers, buyers, and sharers.
Following the SCOTUS ruling that changed Roe v. Wade, many have scrutinized data collection and sharing practices because of the potential for misuse of collected location data and information associated with personal reproductive data, including data on those considering abortion.
According to Cohen, Copley Advertising, LLC settled a case in 2017 regarding its use of geolocation technology that detected people passing through a digital fence around an abortion clinic. The identified persons were then targeted with ads about alternatives to abortion. The FTC likewise recently resolved a case against Flo Health because of its disclosure of the sensitive information of people who used its period and fertility tracking application. The company did not keep its promise that the information collected by the app would be kept private and confidential.
Cohen stated that the misuse of location and health information puts consumers at risk. They could suffer harm from phishing attacks, physical and emotional injury, extortion, stigma, discrimination, and mental anguish.
Cohen said the FTC will use all its legal authorities to protect the privacy of consumers. The law will be enforced against those who illegally exploit the location, medical, or other sensitive information of Americans.
The FTC will enforce laws such as the FTC Act, which forbids unfair and fraudulent trade practices, as well as the Safeguards Rule, the Children’s Online Privacy Protection Rule, and the Health Breach Notification Rule.
The FTC will also go after organizations that state they anonymize or aggregate consumer information but do so only to deceive. Such organizations are in violation of the FTC Act. The FTC has already taken action against companies that use location information without permission, improperly get and store sensitive data, and do not respect individual requests to remove sensitive data.