Federal Register - January 28, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 17 / Thursday, January 28, 2021 / Notices

the illegal behavior and would not know to take remedial action.9
Using these guidelines, the Commission has found consumer notice appropriate in some privacy and data security cases as well, such as when there was a need to inform consumers about ongoing data collection and sharing10 or to correct a deceptive data breach notification.11 On the data security front, where it can be critical that consumers know sensitive information has been breached or exposed, a panoply of state breach notification laws require notice to consumers.
When warranted, notice to consumers can be an important tool. But neither the Commission, nor any of the 50 states with data breach notification laws, have taken the position of requiring consumer notice for the mere sake of the notice itself.
Commissioners Chopra and Slaughter stress that notice is warranted especially where redress is not paid to consumers.
How consumer notice substitutes for redress, an equitable mechanism to return to consumers what they have lost, is not clear. Nor is it clear what, if anything, limits this approach to notice to data security and privacy cases. To the extent notice is intended as a penalty, I disagree. My view is that we should target notice as a means to help consumers take action to protect themselves. Contacting consumers when there is no remedial action that they can take runs the risk of undermining consumer trust and needlessly overwhelming consumers.12
9 For example, in Oracle Corp., No. C-4571 (Mar. 29, 2016), https://www.ftc.gov/enforcement/cases-proceedings/132-3115/oracle-corporation-matter, the settlement required Oracle to notify consumers about certain data security risks and explain how to protect their personal information by deleting older versions of Java.
10 Unrollme Inc., No. C-4692 (Dec. 17, 2019), https://www.ftc.gov/enforcement/cases-proceedings/172-3139/unrollme-inc-matter.
11 Skymed International, Inc., File No. 1923140 (Dec. 16, 2020), https://www.ftc.gov/enforcement/cases-proceedings/1923140/skymed-international-inc-matter.
12 I am also concerned about the possibility of notice fatigue. For example, in the context of security warnings on mobile devices, there is evidence of a decreased neurological response after repeated exposure to warnings. See, e.g., Anthony Vance et al., Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments, 42 MIS Quarterly, No. 2, June 2018, at 1, https://misq.org/skin/frontend/default/misq/pdf/appendices/2018/V42I1Appendices/14124_RA_VanceJenkins.pdf.

Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter Concurring in Part, Dissenting in Part

Today, the FTC is ordering Flo Health, Inc. (Flo) to notify consumers that it has been charged with sharing consumers' menstruation and fertility information without their consent. This proposed settlement is a change for the FTC, which has never before ordered notice of a privacy action. We commend the agency's staff for securing this relief and for addressing Flo's concerning practices.
While we are pleased to see this change, we are disappointed that the Commission is not using all of its tools to hold accountable those who abuse and misuse personal data. We believe that Flo's conduct violated the Health Breach Notification Rule, yet the Commission's proposed complaint fails to include this allegation. The rule helps ensure that consumers are informed when their data is misused, and firms like Flo should not be ignoring it.
Importance of Notice

Flo Health is the developer of a popular mobile app that collects menstruation and fertility information from millions of users worldwide. As detailed in the Commission's complaint, Flo promised these users that it would not disclose their sensitive information to third parties, but did so anyway, sharing it with Facebook, Google, and others.1 This alleged conduct broke user trust, and it broke the law.
In addition to requiring Flo to improve its privacy practices, the FTC's proposed order directs Flo to notify its users of this serious breach. Notice confers a number of benefits in cases like this one. Consumers deserve to know when a company made false privacy promises, so they can modify their usage or switch services. Notice also informs how consumers review a service, and whether they will recommend it to others. Finally, notice accords consumers the dignity of knowing what happened. For all these reasons, the Commission should presumptively seek notice provisions in privacy and data security matters, especially in matters that do not include redress for victims.2
Health Breach Notification Rule

The Commission must also ensure it is vigorously enforcing the laws on the books. Congress has entrusted the FTC with promulgating and enforcing the Health Breach Notification Rule, one of only a handful of federal privacy laws protecting consumers. The rule requires vendors of unsecured health information, including mobile health apps, to notify users and the FTC if there has been an unauthorized disclosure. Although the FTC has advised mobile health apps to examine their obligations under the rule,3 including through the use of an interactive tool,4 the FTC has never brought an action to enforce it.5

In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule. Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google, and others without their authorization.6 Flo

1 Compl., In the Matter of Flo Health, Inc., Docket No. 1923133, ¶¶ 13-24.
2 In a separate statement, Commissioner Phillips argues that notice should be limited to circumstances under which it can help consumers take action to protect themselves. See Separate Statement of Commissioner Noah Joshua Phillips, In the Matter of Flo Health, Inc., Comm'n File No. 1923133, at 2 (Jan. 13, 2021). In our view, the notice requirement here squarely meets that test, as consumers can switch to more privacy-protecting services or adjust their data-sharing behavior with companies that act unlawfully. Commissioner Phillips further suggests that notice is no substitute for redress. We agree. But when redress is not ordered, notice at least ensures consumers are aware of the FTC's action, which might otherwise be achieved through a redress check. Finally, Commissioner Phillips argues that consumers may not read all notices. This is a valid concern, and notice is no substitute for other remedies, such as admissions of liability or substantive limits on the collection, use, and abuse of personal data.
3 Mobile Health App Developers: FTC Best Practices, Fed. Trade Comm'n, https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-app-developers-ftc-best-practices (last visited on Jul. 31, 2020).
4 Mobile Health Apps Interactive Tool, Fed. Trade Comm'n, https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool (last visited on Jul. 31, 2020).
5 Commissioner Phillips suggests that enforcing the rule against Flo would be novel. Phillips Statement, supra note 2, at 1. But this could be said of any enforcement action in this context, since the Commission has never enforced the Health Breach Notification Rule. If there is concern that Flo did not know it was violating the rule, that would be relevant to the question of whether Flo is liable for civil penalties. See 15 U.S.C. 45(m)(1)(A). Flo's lack of knowledge about the rule's requirements would not be relevant to the question of whether the Commission could charge Flo with a violation.
6 See Compl., supra note 1, ¶¶ 18-24. The FTC's Health Breach Notification Rule covers (a) health care providers that (b) store unsecured, personally identifiable health information that (c) can be drawn from multiple sources, and the rule is triggered when such entities experience a breach of security. See 16 CFR 318. Under the definitions cross-referenced by the Rule, Flo, which markets itself as a health assistant, is a health care provider, in that it furnishes health care services and supplies. See 16 CFR 318.2(e); 42 U.S.C. 1320d(6), d(3). Additionally, Flo stores personally identifiable health information that is not secured according to an HHS-approved method, and that can be drawn from multiple sources. See 16 CFR 318.2(i); Fitness Trackers and Apps, Flo Health, https://flo.health/faq/fitness-trackers-and-apps (last visited on Jan. 6, 2020) (instructing users on how to sync Flo with other apps). When Flo, according to the complaint, disclosed sensitive health information without users' authorization, this was a breach of security under the rule. 16 CFR 318.2(a) (defining breach of security as acquisition of PHR identifiable health information without the authorization of the individual).