New US Privacy Enforcement: What to Know
The US Federal Trade Commission recently took action against a mobile app for data privacy abuses. Here's what to know.
The US Federal Trade Commission (FTC) recently charged that fertility tracking app Premom shared hundreds of thousands of users’ information with third parties, including in unencrypted and weakly encrypted forms. Its proposed enforcement action would fine the company for its practices ($100,000 under the current proposal) and place restrictions on its future data collection and data-sharing. Here’s what to know — including how it fits into US privacy enforcement actions. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
The FTC acted against fertility tracking app Premom for engaging in unfair and deceptive practices and for abusing data that it gathered on consumers.
US Privacy Enforcement Targets Data Sharing
I recently wrote about this development in an article for Lawfare, where I am a contributing editor. Here are some key excerpts from the piece:
For the second time ever, the FTC is enforcing its Health Breach Notification Rule (16 C.F.R. Part 318), a regulation that requires personal health record vendors to notify consumers of a “breach involving unsecured information.” The FTC’s proposed order, filed on its behalf by the Department of Justice, would bar Easy Healthcare Corporation—the Illinois-based company that operates Premom—from sharing users’ health data with third parties for advertising. It would also require Easy Healthcare to inform consumers of this activity and first obtain their consent to share any data for non-advertising purposes in the future. Under the proposed order, the company would pay a $100,000 penalty—on top of another $100,000 it has agreed to pay in total to the District of Columbia, Connecticut, and Oregon for violating their laws.
Deception, allegedly, was a core problem with Premom’s business practices:
According to the FTC’s complaint, Premom told users that it would not share their health data with third parties, that it collected and shared only “non-identifiable data,” and that collected data was used only for the company’s own analytics or advertising. But this was not true. The Premom app allegedly integrated software development kits (SDKs), or prepackaged code used to build apps, from Google and AppsFlyer. In doing so, Premom would transfer data from app users to both Google and AppsFlyer. The FTC gives a disturbing example: "[W]hen a user uploads a picture of an ovulation test, Defendant records the user’s interaction with that feature as a Custom App Event that is shared with Google and AppsFlyer."
There was also an element touching on national security risk to the US. The FTC did not frame it as national security per se, but it underscores that US companies should consider how their products' and services' data flows, particularly the sharing of individuals' data, fit within broader geopolitical concerns and risks:
Premom also shared US consumers’ health data with two companies located in China. The first company, Umeng, is a Chinese mobile analytics company owned by Alibaba, the Chinese technology giant; it makes an SDK called U-Share. The second company, Jiguang, is a Chinese mobile developer and analytics provider that makes an SDK called JPush. Premom used both SDKs in its mobile app. By integrating the SDK from Umeng (owned by Alibaba), the Premom app shared users’ social media account information with the company. In addition, both SDKs collected “extensive amounts of other identifiable data on Premom’s users and transmitted it to Umeng and Jiguang,” including precise geolocation information, Wi-Fi media access control (MAC) addresses for devices, Android ID and Android Advertising ID (used for targeted advertising), and numerous identifiers that cannot be changed (such as Hardware Identification and International Mobile Equipment Identity numbers, router addresses, and router Service Set Identifiers, or SSIDs, that name wireless networks).
The problems, allegedly, did not end there:
The privacy abuses do not end there. When Premom used the SDKs from Umeng and Jiguang, the FTC said, it agreed to their privacy policies. Jiguang said in its policy that it collected Wi-Fi MAC addresses, even though Apple prohibits developers from collecting non-resettable device identifiers and Google restricts access to MAC addresses. Sharing this data with a third party thus violated Apple and Google app store policies. In fact, in a move that might shock many policymakers, Jiguang’s JPush SDK “circumvented Android’s privacy controls and exploited a known bug in order to acquire Premom users’ Wi-Fi MAC addresses” anyway. Further, both Umeng and Jiguang said in their privacy policies that they were free to use the data for their own purposes, including advertising, and to share the data with third parties.
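The excerpts above describe a data-flow problem: identifiers and usage events leaving the app through third-party SDKs, some of them non-resettable and some over unencrypted connections. As an added example (not code from the FTC complaint, the Lawfare article, or the Premom app), the following script shows the kind of technical assessment a company can run on its own traffic: given a decoded capture of what the app sends to each destination, it classifies the fields into the identifier classes the complaint describes and flags every flow a reviewer must justify against the privacy policy and the app-store rules. The hostnames, field names, and the capture itself are constructed for the example.

```python
"""Audit an app's outbound requests for the identifier classes at issue.

Added example, not code from the FTC complaint, the Lawfare article, or the
Premom app. Hostnames, field names and the captured requests below are
constructed for illustration; the identifier classes mirror the kinds of
data the complaint describes (non-resettable hardware identifiers, resettable
advertising identifiers, precise location, and health-revealing app events).
"""
from collections import defaultdict

# Field names grouped by class. A real audit would map these from the SDK's
# documented payload schema or from decoded traffic; this table is an assumption.
IDENTIFIER_CLASSES = {
    "non_resettable": {"imei", "hardware_id", "serial_number", "wifi_mac", "router_bssid"},
    "resettable_ad_id": {"android_advertising_id", "android_id"},
    "location": {"latitude", "longitude", "router_ssid"},
    "usage_event": {"custom_event"},
}

# Classes that are a problem only when they leave the first party, versus a
# platform-policy problem wherever they go (Apple bars collecting
# non-resettable identifiers at all; Google restricts MAC address access).
THIRD_PARTY_ISSUES = {
    "resettable_ad_id": "ad_id_to_third_party",
    "location": "location_to_third_party",
    "usage_event": "health_usage_event_to_third_party",
}
ANY_HOST_ISSUES = {"non_resettable": "non_resettable_id_collected"}

# Constructed capture: one request per destination, already decoded to JSON.
FIRST_PARTY_HOSTS = {"api.fertility-app.test"}
SAMPLE_CAPTURE = [
    {"host": "api.fertility-app.test", "scheme": "https",
     "body": {"user_id": "u-123", "cycle_day": 14, "custom_event": "upload_ovulation_test"}},
    {"host": "analytics.thirdparty-a.test", "scheme": "https",
     "body": {"android_advertising_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
              "custom_event": "upload_ovulation_test"}},
    {"host": "sdk.thirdparty-b.test", "scheme": "http",
     "body": {"imei": "490154203237518", "wifi_mac": "02:00:00:aa:bb:cc",
              "router_bssid": "f0:9f:c2:11:22:33", "router_ssid": "HomeNet",
              "latitude": 41.88, "longitude": -87.63}},
]


def classify_fields(body):
    """Map each field in a request body to its identifier class (case-insensitive).

    Returns {class_name: {field, ...}}; fields outside the table are ignored.
    """
    found = defaultdict(set)
    for field in body:
        for cls, names in IDENTIFIER_CLASSES.items():
            if field.lower() in names:
                found[cls].add(field)
    return dict(found)


def audit_capture(capture, first_party_hosts):
    """Return (host, issue, fields) findings for every flow a reviewer must justify."""
    findings = []
    for req in capture:
        host, body = req["host"], req["body"]
        third_party = host not in first_party_hosts
        classes = classify_fields(body)
        # Unencrypted transport is an issue regardless of what the body holds.
        if req["scheme"] != "https":
            findings.append((host, "plaintext_transport", sorted(body)))
        for cls, issue in ANY_HOST_ISSUES.items():
            if cls in classes:
                findings.append((host, issue, sorted(classes[cls])))
        if third_party:
            for cls, issue in THIRD_PARTY_ISSUES.items():
                if cls in classes:
                    findings.append((host, issue, sorted(classes[cls])))
    return findings


def issues_by_host(findings):
    """Collapse findings to {host: {issue, ...}} for a quick per-destination view."""
    summary = defaultdict(set)
    for host, issue, _ in findings:
        summary[host].add(issue)
    return dict(summary)


if __name__ == "__main__":
    for host, issue, fields in audit_capture(SAMPLE_CAPTURE, FIRST_PARTY_HOSTS):
        print(f"{host:32} {issue:36} {', '.join(fields)}")
```

Run against the constructed capture, the first-party host produces no findings, the first third-party analytics host is flagged for receiving an advertising ID and a health-revealing custom event, and the second is flagged for plaintext transport, non-resettable identifiers, and precise location. The point of separating ANY_HOST_ISSUES from THIRD_PARTY_ISSUES is that the answer to "is this allowed?" depends on both what the field is and where it goes; the table of field names is the part a real audit has to build from the SDK's documented payloads rather than assume.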
I ended the Lawfare article by recommending that Congress evaluate how the Health Insurance Portability and Accountability Act (HIPAA) fails to hold up in the modern age, and how new privacy legislation, together with more funding for the FTC's privacy enforcement activities, could help tackle the harms facing Americans.
In short:
The FTC is doing more important work lately to protect consumers’ privacy.
Companies that share data about individuals need to evaluate their data-sharing practices — including in the context of data brokerage, national security harms, and privacy harms to vulnerable populations — through technical, policy, and legal assessments.
The FTC is demonstrating an increased focus on data brokerage and on companies engaged in deceptive uses of data about consumers.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
—
© 2023 Global Cyber Strategies LLC.