FTC wants Congress to protect consumer health information
The Federal Trade Commission is recommending that Congress enact legislation to make data broker practices more visible to consumers and to give consumers greater control over their personal health information.
The FTC conducted its own study of nine data brokers, which obtain and share vast amounts of consumer information, typically behind the scenes and without consumer knowledge. The commission found that these data brokers collect and store billions of data elements covering nearly every U.S. consumer. One data broker alone holds information on more than 1.4 billion consumer transactions and 700 billion data elements, while another data broker adds more than 3 billion new data points to its database each month, according to an FTC report issued on May 27.
A few of the data brokers in the study obtain aggregated transaction data from financial services companies, including more sensitive information such as certain health-related purchases. However, as the FTC points out, data brokers are not covered entities under HIPAA. As a result, the FTC is urging Congress to protect sensitive health information by requiring that consumer-facing sources obtain consumers’ affirmative express consent before they collect sensitive information.
"Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data," states the report. "Allowing consumers to access data about themselves is particularly important in the case of sensitive information--and inferences about sensitive consumer preferences and characteristics--such as those relating to certain health information."
There are a number of potential risks to consumers from data brokers’ collection and use of consumer data. As an example, the FTC said that while data brokers have a data category for “Diabetes Interest” that a manufacturer of sugar-free products could use to offer product discounts, an insurance company could also use that same category to classify a consumer as higher risk.
"Allowing consumers the ability to exercise control over the use of sensitive information is particularly important," concludes the report. "There appears to be widespread agreement on certain core sensitive categories of data--such as whether a consumer has AIDS, diabetes, or depression--while the sensitivity of other information may lie in the 'eye of the beholder.' For categories that some consumers might find sensitive and others may not (e.g., visually impaired, balding, overweight), having access to this data, along with the ability to suppress the use of it for marketing, will improve the transparency of data broker practices and allow consumers to control uses of the data about which they care the most."
Earlier this month, the FTC revealed that it tested 12 health and fitness apps and found that information was transmitted to their developer websites and to 76 third-party companies. One app sent information to 18 different third parties, which received information that fell into five categories: device information, device-specific identifiers, third-party specific identifiers, consumer-specific identifiers, and consumer information (dietary and workout habits).
Eighteen of the 76 third parties collected "persistent device identifiers" and 14 of them also collected consumer-specific identifiers including usernames and email addresses. Twenty-two of the third-party companies received additional data about consumers such as exercise/diet information, medical symptoms search information, zip code, gender, and geolocation.