In recent years, the FTC has increasingly focused on protecting consumers’ access to healthcare, through both its competition and its consumer protection missions. Similarly, the FTC has become a force in federal privacy regulation, second only to the Office for Civil Rights of the Department of Health and Human Services. On occasion, the FTC’s priorities in access to health care and health information privacy have come together, such as in settlements with health care companies regarding false or deceptive statements about the treatment of health data.
Since 2022, the FTC has signaled a significant increase in its focus on health privacy in general, especially personal health information, and has rolled out significant new guidance that expands the FTC’s authority and sets the stage for ramped-up enforcement this year.
In January 2022, the FTC released two new publications regarding the Health Breach Notification Rule (HBNR) to help businesses determine whether the HBNR applies to them and what steps must be taken if a data breach occurs. In the publications, the FTC laid out an expansive approach to the definition of a data breach, expanding beyond cybersecurity incidents to also include situations where an app developer discloses an individual’s health information without the individual’s consent.
In May 2022, the FTC published a blog post asserting that regardless of whether an entity is covered by the HBNR, Section 5 of the FTC Act “creates a de facto breach disclosure requirement” for companies to notify individuals of breaches of their personal data—even where there is no other specific breach notification requirement under a state or federal law. The post explained that failure to provide breach notifications may “increase the likelihood that affected parties will suffer harm” and that breach notifications are “essential to enabling consumers and other affected parties to take actions to mitigate harm resulting from the breach.” As a result, failing to disclose a data breach involving personal information may violate Section 5 of the FTC Act.
As the year continued, the FTC continued to release new guidance expanding the scope of what it views as unfair data breaches. In July, the FTC published another blog post warning that companies’ efforts “to placate consumers’ privacy concerns by claiming they anonymize or aggregate data” are often deceptive and that companies that “make false claims about anonymization can expect to hear from the FTC.” Again drawing on its Section 5 authority and its expansive definition of a “data breach,” the FTC takes the position that disclosing an individual’s health information without the individual’s consent (or through an inaccurate description of the disclosure) has the potential to cause consumer harm and will be considered by the FTC to be a violation of Section 5.
Perhaps in recognition that punishing companies for data breaches and inappropriate disclosures can go only so far to protect consumers, in August the FTC released an Advance Notice of Proposed Rulemaking (ANPR) on its intent to limit or even prohibit commercial surveillance – the common corporate practice of collecting, analyzing, and monetizing consumers’ data. In response, 33 states, including Massachusetts, New York, and Texas, submitted a comment letter supporting the proposed rule. Among several other areas of concern, the letter raised heightened concerns regarding the collection of consumer medical data by applications, wearables, and devices, regardless of whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies. Ultimately, the extended deadline for comments on the FTC’s rulemaking proposal closed at the end of November, and the FTC received more than 11,000 comments on the proposed rule. The proposed rule still has a way to go before it goes into effect, but the FTC clearly wants to send a message that businesses that are reckless about the collection of data will be held liable even if a data breach has not yet occurred.
Lurking in the background is the possibility (albeit unlikely) that Congress might pass the American Data Protection and Privacy Act (ADPPA) in 2023, which would be a game-changer for the FTC’s privacy authority. The 2022 draft of the ADPPA granted the FTC expanded rulemaking authority and expressly named the agency as the law’s primary privacy and cybersecurity enforcer. The ADPPA is currently being debated before the House Committee on Energy and Commerce.
The FTC has made it very clear that it does not intend to wait for congressional approval to establish its privacy and cybersecurity authority. The FTC is likely to continue to issue additional guidance regarding unfair privacy practices that it seeks to curb or curtail, including further progress on the ANPR on commercial surveillance, but companies should expect that the FTC will also seek to turn the guidance it issued last year into legal precedent. While the FTC has not brought any enforcement actions under the HBNR since it was issued in 2012, the FTC will not hesitate to bring that first case. Similarly, the FTC will undoubtedly be looking for a poster child for the “de facto breach disclosure requirement” pursuant to its Section 5 unfairness authority. And in the current environment, if the FTC finds a company making false claims about anonymization of sensitive health information, the FTC will look to crack down and send a broader message to industry.