FTC

On September 15, the Federal Trade Commission (“FTC”) and U.S. Department of Health and Human Services (“HHS”) announced an updated joint publication describing the privacy and security laws and rules that impact consumer health data.  Specifically, the “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule” guidance provides an overview of the Health Insurance Portability and Accountability Act, as amended, and the implementing regulations issued by HHS (collectively “HIPAA”); the FTC Act; and the FTC’s Health Breach Notification Rule (“HBNR”) and how they may apply to businesses.  This joint guidance follows a recent surge of FTC enforcement in the health privacy space.  We offer below a high-level summary of the requirements flagged by the guidance.

Continue Reading FTC and HHS Announce Updated Health Privacy Publication

On June 30, the FTC announced that it had issued a new notice of proposed rulemaking that addresses fake reviews and testimonials.  The rule prohibits practices the Commissioners have identified as problematic in public statements for the past several years.  For instance, when announcing the review of the Endorsement Guides over a year ago, Chair Khan noted that “consumers’ increasing reliance on online reviews can also incentivize advertisers to harness fake reviews, suppress negative reviews, and amplify positive ones.”  The proposed rule covers a variety of topics including fake reviews, review hijacking, purchasing reviews, employee reviews, review suppression, and the use of fake indicators of social media influence.  Several of the new provisions track principles set forth in prior FTC cases, or target specific practices previously identified in the Endorsement Guides.  Below we’ve summarized the requirements in the proposed rule.  The NPRM will be open for public comment for 60 days once it is posted in the federal register.  As of today, it has not yet been posted.

Continue Reading FTC Proposes New Rulemaking Focused on Reviews and Testimonials

On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”).  The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR.  The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content.  According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.”  Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.

Continue Reading FTC Announces a Notice of Proposed Rulemaking to Expand Scope of the Health Breach Notification Rule

On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities.  The settlement is consistent with the FTC’s policy statement on ed tech issued last May (see our summary of the policy statement here).

Continue Reading FTC Announces COPPA Settlement Against Ed Tech Provider Including Strict Data Minimization and Data Retention Requirements

On May 17, the Federal Trade Commission (“FTC”) announced an enforcement action against Easy Healthcare Corporation (“Easy Healthcare”) alleging that it shared users’ sensitive personal information and health information with third parties contrary to its representations and without users’ affirmative express consent, in violation of Section 5 of the FTC Act.  It also alleges that Easy Healthcare failed to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule (“HBNR”).  According to the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and, among other requirements, will be permanently prohibited from sharing users’ personal health data with third parties for advertising purposes.  The FTC also noted that Easy Healthcare will pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their laws.

Continue Reading FTC Announces Second Enforcement Action Under Health Breach Notification Rule Against Fertility App Developer Easy Healthcare

On April 25, 2023, four federal agencies — the Department of Justice (“DOJ”), Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and Equal Employment Opportunity Commission (“EEOC”) — released a joint statement on the agencies’ efforts to address discrimination and bias in automated systems. 

Continue Reading DOJ, FTC, CFPB, and EEOC Statement on Discrimination and AI

On March 23, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking that would significantly revise the legal framework governing automatically renewing subscriptions.  The proposal would amend the FTC’s existing Negative Option Rule to provide specific disclosure, consent, and cancellation requirements applicable to all negative options in all media.  The Rule would formalize many of the guidelines from the FTC’s October 2021 Enforcement Policy Statement Regarding Negative Option Marketing (“Policy Statement”) and incorporate new requirements not previously addressed at the federal level such as renewal reminders.  

Continue Reading FTC Proposes to Rewrite Negative Option Rule with Expansive Notice of Proposed Rulemaking

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.”  These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

Continue Reading FTC Publishes Blog Post on Data Security Practices for Complex Systems

On February 1, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under its Health Breach Notification Rule (“HBNR”) against digital health platform GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to third-party advertisers.  According to the proposed order, GoodRx will pay a $1.5 million civil penalty and be prohibited from sharing users’ sensitive health data with third-party advertisers in order to resolve the FTC’s complaint. 

This announcement marks the first instance in which the FTC has sought enforcement under the HBNR, which was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and comes just sixteen months after the FTC published a policy statement expanding its interpretation of who is subject to the HBNR and what triggers the HBNR’s notification requirement.  Below is a discussion of the complaint and proposed order, as well as key takeaways from the case.

Continue Reading FTC Announces First Enforcement Action Under Health Breach Notification Rule

On January 13, the FTC announced a settlement with WealthPress, an online service provider that recommends trades in financial markets.  The settlement resolved allegations that WealthPress violated both the Restore Online Shoppers’ Confidence Act (ROSCA) and Section 5 by making false and misleading claims about how much consumers could earn with the company’s trading recommendation services.  The action is noteworthy for two reasons.  First, building upon the FTC’s prior MoviePass settlement, the FTC’s ROSCA allegations focus not on the terms of the subscription service offered, but rather on the failure to clearly disclose material information about the company’s services.  Second, this is the FTC’s first settlement imposing civil penalties for alleged earnings claims violations predicated upon a Notice of Penalty Offenses issued in October 2021.  The settlement provides for $1.3 million in consumer redress, $500,000 in civil penalties, and injunctive relief.

Continue Reading FTC Relies on ROSCA and Notices of Penalty Offenses to Police Deceptive Conduct in Settlement with WealthPress