Federal Trade Commission

On January 23, 2017, the FTC released a long-awaited report regarding the increased incidence of cross-device tracking.  The report, which follows a November 2015 FTC workshop on cross-device tracking, sheds light on the privacy concerns raised by the practice and alerts companies engaged in cross-device tracking of certain best practices for avoiding potential violations of applicable law and regulations.

Background

Cross-device tracking is the practice of using deterministic and probabilistic techniques to associate multiple devices with the same consumer.  Deterministic techniques are used to track consumer behavior based on the affirmative use of a common identifying characteristic, such as log-in credentials.  For example, when a consumer enters his or her log-in credentials to access an online platform on a number of devices, the consumer’s behavior on one device can be used to inform targeted advertising through the same platform on the consumer’s other devices.

By contrast, probabilistic techniques are used to draw inferences about consumer behavior. As noted in the FTC report, a common probabilistic technique is IP address matching, through which devices using the same IP address at the same time—e.g., a smart television, mobile device and tablet on the same local network—are presumed to belong to the same consumer.  Because probabilistic tracking does not involve affirmative consumer action, and may not involve any direct relationship between the consumer and the company engaged in the tracking activity, the practice is less transparent for consumers than deterministic tracking.

The FTC report is based, in part, on a prior FTC staff study on cross-device tracking trends that involved testing 100 popular websites on two separate devices. The study found, among other things, that 96 of the 100 websites reviewed collected log-in or other authentication credentials from consumers, that the domains of 87 companies known to use cross-device tracking technologies were embedded, directly or indirectly, in those websites, and that 861 third parties were observed connecting to both devices.
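As an added illustration (not part of the FTC report or this post), the following Python script shows the two measurements discussed above over a small constructed request log: which third-party domains embedded in a site reach more than one of a consumer's devices, as the FTC staff study counted, and which devices would be linked by the IP address matching inference described above. The log entries, device names and tracker domains are constructed, and the domain logic is simplified to the last two labels of a hostname.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: (device, timestamp, public IP, page visited, request URL).
# Hostnames under "tracker-*.example" stand in for third-party tracking domains.
SAMPLE_LOG = [
    ("laptop", "2017-01-23T10:00:00", "203.0.113.5", "https://news.example", "https://news.example/index.html"),
    ("laptop", "2017-01-23T10:00:01", "203.0.113.5", "https://news.example", "https://cdn.tracker-a.example/px.gif"),
    ("laptop", "2017-01-23T10:00:02", "203.0.113.5", "https://news.example", "https://static.news.example/app.js"),
    ("laptop", "2017-01-23T10:05:00", "203.0.113.5", "https://shop.example", "https://ads.tracker-b.example/sync"),
    ("phone",  "2017-01-23T10:03:00", "203.0.113.5", "https://news.example", "https://m.news.example/index.html"),
    ("phone",  "2017-01-23T10:03:01", "203.0.113.5", "https://news.example", "https://cdn.tracker-a.example/px.gif"),
    ("phone",  "2017-01-23T10:03:02", "203.0.113.5", "https://news.example", "https://metrics.tracker-c.example/beacon"),
    ("tablet", "2017-01-24T18:00:00", "198.51.100.7", "https://shop.example", "https://ads.tracker-b.example/sync"),
]


def registrable_domain(host):
    """Simplified: keep the last two labels. A real audit should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def third_parties_by_device(log):
    """Map each device to the set of third-party domains it was observed contacting.
    A request is third-party when its domain differs from the visited site's domain."""
    out = defaultdict(set)
    for device, _, _, site, url in log:
        site_dom = registrable_domain(urlparse(site).hostname)
        req_dom = registrable_domain(urlparse(url).hostname)
        if req_dom != site_dom:
            out[device].add(req_dom)
    return out


def cross_device_third_parties(log):
    """Third-party domains seen on two or more devices, the figure the FTC staff study reported."""
    devices_per_domain = defaultdict(set)
    for device, domains in third_parties_by_device(log).items():
        for domain in domains:
            devices_per_domain[domain].add(device)
    return sorted(d for d, devs in devices_per_domain.items() if len(devs) >= 2)


def ip_cooccurrence_links(log, window=timedelta(minutes=10)):
    """Devices whose requests share a public IP within `window` of each other are
    presumed to belong to one consumer; this is the probabilistic inference the
    FTC report describes. Returns {ip: frozenset(linked devices)} for IPs with links."""
    by_ip = defaultdict(list)
    for device, ts, ip, _, _ in log:
        by_ip[ip].append((datetime.fromisoformat(ts), device))
    links = {}
    for ip, events in by_ip.items():
        events.sort()
        linked = set()
        for i, (t1, d1) in enumerate(events):
            for t2, d2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if d1 != d2:
                    linked.update((d1, d2))
        if linked:
            links[ip] = frozenset(linked)
    return links


if __name__ == "__main__":
    print("third parties reaching 2+ devices:", cross_device_third_parties(SAMPLE_LOG))
    print("devices linked by IP co-occurrence:", ip_cooccurrence_links(SAMPLE_LOG))
```

Running the audit against a site's own traffic captures, rather than this constructed log, is how an operator would check which embedded third parties fall under the report's disclosure recommendations.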

Findings and Recommendations of the FTC Report

The FTC report acknowledges that cross-device tracking can produce benefits for both businesses and consumers.  These benefits include enhanced fraud detection and account security (e.g., by requiring additional authentication when a new device is used to access a consumer’s account), an improved consumer experience on online platforms, the use of more targeted, less saturated advertising, and a more equal competitive arena for companies that do not have access to large amounts of deterministic tracking data.  However, notwithstanding these benefits, the FTC report expresses serious concern about risks to consumer privacy associated with such activities.  For example, the FTC found that:

  • Cross-device tracking is employed by a growing number of companies (including both consumer-facing and third-party tracking and analytics companies);
  • Very few companies using such techniques have disclosed both the fact and scope of their tracking activities;
  • Many consumers may be unaware that their activities on certain platforms are being tracked, while some consumers may have knowledge of companies’ tracking practices but little to no ability to limit or opt out of tracking and data collection;
  • Data collected through cross-device tracking may include highly private personal information which, if exposed through a security breach, could result in considerable consumer harm and could reduce the efficacy of knowledge-based authentication (e.g., answering pre-selected security questions); and
  • Self-regulatory initiatives have improved transparency and consumer choice in the cross-device tracking arena, but many existing practices are not fully disclosed to consumers and may implicate the FTC Act.

Based on these findings, the FTC report makes a number of recommendations to companies engaged in cross-device tracking, including that:

  • Consumer-facing companies should disclose to consumers, fully and truthfully, their use of cross-device tracking practices and the extent of those practices, including the nature of any data collected;
  • Third-party tracking companies should provide their tracking disclosures both to consumers and to the first-party companies with whom they transact;
  • Companies should consider providing consumers with clear and conspicuous opt-out mechanisms or other means to limit how their activities are tracked;
  • Companies should refrain from tracking sensitive information, such as financial, health, or children’s information, or precise geolocation data, without first obtaining the express consent of the consumers to whom the information belongs; and
  • Companies should track and collect only information that is necessary for their business purposes, to reduce the risk of a security breach resulting in significant consumer harm.

Considerations for Companies Engaged in or Considering Undertaking Cross-Device Tracking

Companies engaged in or considering undertaking cross-device tracking—whether consumer-facing or without a direct consumer relationship—may wish to review their tracking and information-collection activities in light of the FTC report. In particular, such entities may wish to examine their practices involving information that is viewed as “sensitive” or that can reasonably be linked to a consumer or his or her device(s), even if the information is hashed or otherwise protected. Companies should also consider reviewing their privacy policies and relevant consumer disclosures to ensure that any cross-device tracking activities, as well as any related opt-out procedures, are described accurately and conspicuously therein. As the FTC report highlights, consumer-facing companies, such as application developers and website operators, can be exposed to liability for allowing third parties to install tracking technology in their applications and platforms without providing notice to consumers (see our previous Seller Beware post for further reading on prior FTC action in this area). Similarly, third-party tracking companies may be held liable for misrepresenting the nature or the extent of their tracking techniques to the consumer-facing companies on whose platforms those techniques are deployed. These reminders of potential liability should not be overlooked by consumer-facing and third-party tracking companies. It can be helpful to review existing and future agreements, as well as all representations made to consumers, to limit the potential for claims of misrepresentation regarding tracking practices, policies and procedures.

The top antitrust enforcers in the U.S. — the Department of Justice Antitrust Division (“DOJ”) and the Federal Trade Commission (“FTC”) — are tasked with preserving competition in the marketplace, including the market for health care products and services.  Competition benefits consumers through lower prices, increased availability of products and services, higher quality, and greater innovation.  The DOJ and FTC pursue their competition missions by investigating potentially anticompetitive conduct, reviewing mergers and acquisitions, and advocacy before states and other federal agencies.

Last week, the DOJ and FTC commented on the potential competitive effects of telehealth-related regulations proposed in Michigan and Delaware. The DOJ commented on a bill working its way through the Michigan legislature that would expand the scope of health care authorized to be provided through telehealth services. The FTC submitted comments on regulations proposed by the Delaware Board of Speech/Language Pathologists, Audiologists and Hearing Aid Dispensers that would permit these services to be provided via telehealth but would require that initial evaluations be done in person.

Michigan

A bill introduced in the Michigan legislature, SB 753, would broaden the services health care professionals can provide remotely using telecommunications technologies to include not only direct clinical services, but also health education and administration. The bill would also permit health care professionals to obtain consent for treatment via telehealth directly or indirectly, and would permit prescribing drugs through telehealth if the health care provider is authorized to prescribe drugs in person and the prescribed drug is not a controlled substance.

The DOJ supported all three proposals as having “the potential to facilitate more robust use of telehealth services and expand health care competition by limiting or avoiding certain unnecessary barriers.”  Specifically, by lowering barriers such as health care access and cost, consumers may be more likely to seek out care sooner and obtain care faster through telehealth.  Expanding the services that can be provided via telehealth “may facilitate more diverse and innovative uses of telecommunications technologies to improve health care offerings beyond direct clinical services.”  By giving health care providers flexibility in how they obtain consent for treatment, without changing the underlying consent requirement, the bill would “help health professionals compete to improve access and provide health care services to patients.”  Finally, authorizing health care providers to prescribe certain drugs would make telehealth a more competitive option versus in-person visits.

Delaware

Delaware’s Board of Speech/Language Pathologists, Audiologists and Hearing Aid Dispensers proposed changes to its regulations that would allow licensed practitioners to deliver speech/language pathology, audiology, and hearing aid services remotely using telecommunications technologies — “telepractice” under the proposed regulation. The proposed regulations would require that telepractice meet the in-person standard of care. However, the initial evaluation could not be done by telepractice.

The FTC generally supported the authorization of telepractice to deliver these services because it would likely “increas[e] competition, consumer choice, and access to care.” Its comments detailed the shortages of speech/language pathology and audiology services in certain parts of Delaware and research showing that these services can be effectively provided via telepractice. The FTC encouraged the Board to reconsider the in-person initial evaluation requirement because it “may restrict entry of qualified telehealth practitioners, potentially decreasing competition, innovation, and health care quality, while increasing price.” Instead, the FTC recommended that the Board allow licensed practitioners to use their professional judgment to determine whether an initial evaluation through telepractice is appropriate, consistent with the in-person standard of care and the patient’s health and safety, just as they can do for subsequent sessions.

*          *          *

The agencies’ comments reveal a consistent approach to telehealth competition issues at the federal level.  Both agencies encouraged the states to reduce regulatory burdens on telehealth so that consumers can enjoy its potential benefits, including reduced health care costs and increased access to health care services.  Furthermore, in order to encourage the expansion of telehealth services, the agencies recommended that states narrowly tailor their regulations to directly address the regulation’s legitimate purposes, such as delivering the appropriate level of care and protecting patients’ health and safety.

We recommend that you read a recent post from Arnold & Porter’s Seller Beware blog on the FTC’s announcement last week that the developers and marketers of the LearningRx “brain training” programs agreed to stop making false and unsubstantiated claims related to their programs and to pay a monetary settlement to the FTC. This governmental enforcement is an important reminder of the scrutiny applied to any product promoted with claims that it can improve cognition, including the promotion of such products with ads that target search terms related to brain-related diseases or injuries.

In prior blogs, we’ve discussed the “team” approach being used by federal agencies to regulate consumer products. Last week, the FTC provided further evidence of the government’s collaborative spirit, through the release of a web-based tool designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to their apps.

According to its press release, the FTC developed this guidance tool in conjunction with the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, the Office for Civil Rights, and the Food and Drug Administration, with consideration of the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act, and the Federal Food, Drug, and Cosmetic Act.

Continue Reading Federal Agencies Collaborate to Forewarn Mobile Health App Developers of Potentially Applicable Regulations

On March 22, 2016, the FTC called for Congress to pass legislation to deter fraud and medical identity theft in the rapidly growing health IT sector. This suggested legislation is likely the swan song of FTC Commissioner Julie Brill, who will resign from her position at the end of the month. The FTC has been very aggressive in using its existing authority to initiate enforcement actions regarding data security breaches and related privacy and security issues, but it is now calling for legislation that will strengthen its ability to protect consumers’ privacy by seeking civil penalties for all data security and breach notification violations “in appropriate circumstances.”

In support of such legislation, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, presented testimony before the House Oversight and Government Reform Subcommittees on Information Technology and Health, Benefits, and Administrative Rules, in which she outlined the FTC’s current efforts to protect consumers’ medical data in an increasingly digitized health industry. According to the FTC, many of the entities involved in digitizing healthcare through consumer-facing health products and services are not covered by the Health Insurance Portability and Accountability Act (HIPAA). However, the FTC has been able to use Section 5 of the FTC Act, which prohibits certain unfair and deceptive practices, to attempt to regulate the data security practices of some of these entities.

The FTC highlighted multiple enforcement actions it has taken against companies that gather, use, and share consumers’ medical data outside of traditional healthcare situations. Specifically, the FTC has successfully prosecuted entities that give consumers’ medical data to third parties without their informed consent, that fail to maintain reasonable and appropriate data security practices, and that falsely represent that their data security practices are secure.

Continue Reading FTC Calls for Congress to Pass Legislation to Address Data Security in the Health Tech Industry

Last week, the FTC issued another reminder of its intent to closely scrutinize the novel technologies embedded in apps and other consumer products to ensure that any data collected by the products is covered by the privacy policy provided with the products to consumers. On March 17, 2016, the FTC issued warning letters to twelve application developers regarding their use of software that monitors a device’s microphone for audio signals in television advertisements.  According to the FTC, the use of such software to collect information about the television-viewing habits of consumers without providing notice or obtaining their consent could constitute an “unfair or deceptive act or practice” in violation of Section 5 of the FTC Act.  Accordingly, companies that elect to use this or similar technologies in the future, without obtaining the requisite consent from consumers, could — under the agency’s theory — be found in violation of the FTC Act and, subsequently, subject to civil and criminal penalties.

The software at issue in the FTC’s recent letters was developed by Indian technology company SilverPush. When installed, the software enables application developers to access SilverPush’s “Unique Audio Beacon” technology, which allows mobile applications to listen, through the device’s microphone, for ultrasonic “audio beacons” embedded in television commercials — even when the consumer is not actively using the application. At present, SilverPush claims that its “audio beacons” are not embedded in television advertisements targeting U.S. consumers; nevertheless, the FTC notes that the application developers to whom it sent warnings offer mobile applications containing SilverPush software that appears similar to that described above. According to the FTC, upon downloading the application, the consumer receives no disclosure about the functionality of such software. The FTC cautions the developers against allowing third parties to monitor the television-viewing habits of consumers through use of the developers’ mobile applications — particularly if a developer’s user interface or privacy policy fails to disclose this information or states or implies the opposite.

The FTC’s action follows on the heels of several other privacy developments related to the use of interconnected smart televisions and mobile devices. For instance, within the past year-plus, multiple television manufacturers and entertainment companies have been sued in class actions under the Electronic Communications Privacy Act, the Video Privacy Protection Act, and state privacy statutes for the alleged collection and disclosure of consumer viewing habits and other sensitive personal information without consumers’ knowledge or consent. In one such case, a class of consumers accused a television manufacturer of installing software on its smart televisions — without notice or consent — that tracks and records consumer viewing data, pairs the data with the consumer’s IP address, and transmits the packaged information to a third-party advertising company so it can be sold for marketing purposes. In other cases, television manufacturers were accused of capturing voice commands through a smart television’s voice recognition software, storing the information, and later transmitting it to third parties. In each instance, it was alleged that the companies had engaged in “deceptive” acts and practices in violation of Section 5 of the FTC Act because their privacy policies supposedly did not make clear that such information would be collected, stored, and shared with third parties.

Continue Reading FTC to Companies: Inadequate Consumer Privacy Protections Will Be Silver Bullet to SilverPush Technology

We recommend that you read a recent post at Arnold & Porter’s Seller Beware blog on the FTC’s settlement with Carrot Neurotechnology, Inc. (in the matter of UltimEyes) concerning allegations that Carrot deceived consumers about its game’s ability to improve vision. This enforcement action illustrates the FTC’s continuing aggressiveness against misleading health-benefit claims, particularly those involving medical apps and video games.

The Federal Trade Commission (FTC) is continuing to pursue unsubstantiated health claims, and developers of healthcare-related mobile applications and other technologies need to be wary. In its latest example, the FTC announced on January 5, 2016 that Lumos Labs, Inc. (“Lumos”), the creator and marketer of the Lumosity “brain training” program, agreed to settle charges alleging that it deceived consumers with unfounded claims that Lumosity games can help users perform better at work and in school, and reduce or delay cognitive impairment associated with age and other serious health conditions.

The FTC assessed $50 million in equitable monetary relief against the company; however, this penalty was suspended due to the company’s financial condition, with Lumos agreeing to pay $2 million. The Commission vote authorizing the filing of the complaint and proposed stipulated order was 4-0.

The settlement comes at a time when the FTC continues its focus on misleading health advertising through its membership in the National Prevention Council, which provides coordination and leadership at the federal level regarding prevention, wellness, and health promotion practices.  The FTC seems to be increasingly focused on health-related apps, games, and related software products designed for cognitive or mental issues, entering into a Consent Decree last year with Focus Education, LLC, based on Attention Deficit Hyperactivity Disorder (ADHD) improvement claims the company made about an educational software game known as the “ifocus System.”

Continue Reading FTC to Lumos: Our Substantiation Standards Ain’t a Game

Recently, FDA released a Warning Letter regarding the Quotient ADHD System, a software program made by Pearson Education, Inc. that was cleared by FDA in 2002 for clinicians to use as a device to provide “objective measurements of hyperactivity, impulsivity and inattention to aid in the clinical assessment of ADHD.”

However, during routine monitoring and oversight, FDA’s Center for Devices and Radiological Health (CDRH) reviewed the company’s website and identified claims that allegedly promoted the product for unapproved uses. Specifically, CDRH maintained that the website provided evidence that the software “is intended to measure motion and analyze shifts in attention state, monitor response to treatment, help to optimize treatment in weeks instead of months, and help to determine the effectiveness of a new treatment or continued effectiveness of ongoing treatment when clinically indicated.” FDA cited statements on the website such as:

  • “…monitor response to treatment …”
  • “… objectively measures micro-motion and analyzes shifts in attention state”
  • “… helps to achieve clinical efficacy sooner.”

CDRH asserted that these statements “would constitute a major change or modification to its intended use for which [the] firm lacks clearance or approval.” As a result, FDA maintained in its Warning Letter that the company caused the Quotient ADHD System to be adulterated under section 501(f)(1)(B) of the Act, 21 U.S.C. § 351(f)(1)(B), because Pearson did not have an approved application for premarket approval (PMA) in effect pursuant to section 515(a) of the Act, 21 U.S.C. § 360e(a), or an approved application for an investigational device exemption (IDE) under section 520(g) of the Act, 21 U.S.C. § 360j(g), for the device as described and marketed.

Continue Reading ADHD Software Under FDA Scrutiny

Cybersecurity (or the perceived lack of it) is a growing source of anxiety for the healthcare and technology industries. A development last Friday, in which an administrative law judge dismissed the Federal Trade Commission (FTC)’s complaint against diagnostic laboratory LabMD, may be a welcome relief for companies in the healthcare sector. The decision is the culmination of more than two years of litigation stemming from the FTC’s August 2013 complaint alleging that LabMD had engaged in unfair and deceptive trade practices by “fail[ing] to provide reasonable and appropriate security for personal information on its computer networks.” On November 13, 2015, an FTC administrative law judge found that LabMD’s conduct did not constitute an unfair trade practice under Section 5 of the FTC Act, because the FTC had not proven that LabMD’s action “cause[d] or is likely to cause substantial injury to consumers.”

For companies facing similar legal cases, this decision is an important reminder that the government must meet its burden of proof. But the unique circumstances of the case are a cautionary tale for companies.

The FTC’s case was based on two “security” incidents: one in which a spreadsheet of patient insurance information was found on a peer-to-peer file sharing network, and another in which the Sacramento Police Department found LabMD documents, including names, Social Security numbers, and bank account information, in the possession of identity thieves. But the case was plagued by concerns and questions about the reliability of the evidence. According to documents filed in the proceedings, the company that initially discovered the spreadsheet on the peer-to-peer network repeatedly solicited LabMD, offering investigative and remediation services for the data breach, and was later found to have fabricated the files that were shared with the FTC. Moreover, the Sacramento Police Department contacted the FTC about the files it found only after learning that LabMD was already under investigation.

Continue Reading FTC Loses Case Involving Security of Laboratory’s Customer Data