App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday.
The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade.
“The global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health,” FTC chair Lina Khan said in a statement. “As we have seen, however, digital apps are routinely caught playing fast and loose with user data, leaving users’ health information susceptible to hacks and breaches.”
Unauthorized access to personal data, such as an app developer sharing user information without consent, as well as data breaches, constitutes grounds for notification. Failure to comply with the regulation will trigger fines of up to $43,792 per violation, per day.
The update comes after the FTC voted to ban SpyFone, a so-called stalkerware app that enabled snoops to monitor an individual’s phone usage, online activity and physical movements, and prohibited the company’s owner from participating in similar ventures. Along with marketing itself as a surveillance device, the FTC said, SpyFone also failed to enact basic security measures.
“This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security,” Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, said at the time. “We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”