Lately, the Federal Trade Commission (FTC) has taken an increased interest in protecting consumers’ digital health information by cracking down on companies that use unfair and deceptive practices to share user health data with third parties for marketing. Through its recent enforcement actions, the FTC has highlighted the need for companies working in the digital health space to prioritize the protection of consumer data privacy.
The FTC is an independent federal agency of the US government responsible for promoting consumer protection and preventing anticompetitive business practices. The agency investigates and prosecutes companies and individuals that engage in fraudulent or deceptive business practices, including false advertising, deceptive pricing, unauthorized billing, etc.
In the past three months, the FTC has brought enforcement actions against two companies dealing with the personal health data of consumers based on their unauthorized use of health information for marketing purposes.
On February 1, 2023, a telehealth and prescription drug discount provider platform became the target of the FTC's first enforcement action under the Health Breach Notification Rule for failing to inform consumers and other individuals of its unauthorized disclosures of consumer personal health information to Facebook, Google, and other companies. As per the proposed federal court order, the company has agreed to pay a $1.5 million civil penalty and will not be allowed to share user health information with applicable third parties for advertising purposes.
The proposed order further prohibits the company from engaging in deceptive marketing practices detailed in the complaint and calls for the company to abide by the Health Breach Notification Rule. The proposed order:
A month later, on March 2, 2023, the FTC announced another proposed action banning an online counseling service from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising purposes. As per the proposed order, the company is fined $7.8 million, which it must pay to consumers to settle claims for sharing their sensitive data with third parties such as Facebook and Snapchat for advertising despite agreeing to keep such information private.
In addition, the proposed order requires the company to:
Following the enforcement actions, the FTC Office on Technology released new guidance emphasizing the dangers of using pixel technology to track individuals' online activities and collect personal information. The FTC has determined that “companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and [their] privacy promises to consumers.”
The FTC’s enforcement actions set a strong precedent for digital healthcare companies and other organizations in control of consumers’ personal health data: safeguard the information, and do not attempt to leverage it in violation of legal obligations or of representations made to consumers.
The enforcement actions also highlight the FTC’s commitment to pursuing corporations that violate their data privacy obligations, lack data security infrastructure, and deceive customers by using their personal data, without their express consent, for purposes other than its initial intended purpose.
Companies dealing with health data have a legal obligation to protect the privacy and confidentiality of this sensitive information and ensure compliance with relevant laws and regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC’s Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.
Ensuring compliance fundamentally comes down to implementing best practices such as:
Organizations should create a risk management strategy to identify and mitigate any risks to health data's availability, confidentiality, and integrity.
Organizations should implement security measures such as access controls, encryption, and regular data backups to protect health data from unauthorized access or disclosure.
The company's policies and procedures for protecting health data should be made clear to all personnel who handle it. Employees are at the forefront of a business and hence must be aware of standard operating procedures when handling data.
In the event of a data breach or other security issue involving health data, organizations should have a mechanism in place for handling it, including notifying affected individuals and regulatory authorities as required by law.
Organizations should routinely review and audit their compliance with regulations and, if necessary, take corrective action to resolve any deficiencies or vulnerabilities.
Section 5 of the FTC Act prohibits companies from misleading consumers or engaging in unfair practices that harm consumers. Businesses dealing with personal data, including consumers’ health information, can avoid FTC enforcement actions by complying with the applicable laws and regulations as well as adopting the following general guidelines:
Establish, implement, and monitor compliance programs. Document compliance with applicable laws and rules, as appropriate documentation can be helpful in an investigation and litigation.
Monitor your affiliates and partners to ensure that they comply with FTC guidelines and do not engage in deceptive marketing or fraudulent business practices. Establish policies for compliance for third-party lead generators and affiliate marketers. Implement onboarding scanning procedures, monitor third parties’ activities, and take remedial action when necessary.
Obtain consent from customers before collecting or using their personal data, and provide them with clear options to opt-out if they do not wish to share their data. Companies may use cookie consent pop-ups to inform consumers about the usage of cookies and other tracking technologies on their websites and obtain explicit consent.
Protect the data you collect by implementing appropriate security measures, and notify customers and the regulatory authority immediately if a data breach occurs.
Honor the commitment made to customers, including what’s mentioned in the privacy policies, refund policies, and guarantees.
Identify trends in customer complaints, respond promptly and professionally to customer complaints and data subject requests, and take appropriate action to resolve any issues. Liberally refund dissatisfied customers, and make dissatisfied customers satisfied.
Stay on top of new developments in the law, industry standards, and the FTC’s guidelines and expectations by regularly visiting their website, and ensure that your business practices comply with these evolving changes.
Compliance with the FTC and evolving data privacy laws that regulate business practices is essential to building trust with your customers, avoiding legal issues such as penalties, and ensuring the long-term success of your business. In today’s data-driven age, honoring data obligations necessitates using automation to handle the vast amounts of data being collected, processed, shared, and sold.
Securiti, by harnessing the power of automation, enables organizations to leverage its Data Command Center and overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, which allow organizations to meet security, privacy, governance, and compliance obligations around data.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.