FTC's Brill Praises Apple HealthKit Data Privacy Policy

Law360, New York (May 20, 2015, 6:55 PM EDT) -- Federal Trade Commissioner Julie Brill on Wednesday called for the creation of industry best practices to rein in unanticipated uses of consumer health and other sensitive data, citing the restrictions that Apple Inc. has put on health and fitness apps as a strong model to emulate.

Federal Trade Commissioner Julie Brill, right, discusses privacy concerns about consumer health information at an Internet Week event in New York. (Insider Images/Andrew Kelly)

During a fireside chat with Microsoft Corp. researcher Kate Crawford at an Internet Week event in New York City, Brill discussed the privacy and security concerns raised by the vast troves of consumer data being scooped up by digital devices, mobile applications and data brokers.

Brill prodded companies building best practice frameworks to look at examples such as Apple's HealthKit, which allows health and fitness apps to share data with each other but not with outside parties.

"I think Apple has done a really good job by saying, 'OK, app developers, here's the HealthKit and we're going to be allowing this kind of information to be used, but you can't send it to third parties, you can't send it to data brokers, you can't send it to analytics firms,'" the commissioner said. "Those are the kind of privacy success stories that I think are incredibly important."

Brill stressed the importance of having a "strong framework" in place to guard against the misuse and abuse of growing consumer data sets, and urged companies to take it upon themselves to "be a lot more creative and really think about how from a consumer perspective we're going to inform them about what's going on" with their data.

"We need to think about consumer attention as a precious resource, and we don't want to overtax them," Brill said. "We don't want them to have to make choices about every time their information is being collected and used. It's when it's being collected out of context and they wouldn't understand that it would be used for a particular purpose that we have to let them know."

While the growing web of connected devices known as the Internet of Things and the increasing prevalence of data brokers that compile reports on consumers are contributing to concerns over data misuse, Brill noted that the collection and use of consumer health and fitness data by apps and other entities that are not covered by the Health Insurance Portability and Accountability Act also should not be discounted.

"One of the reasons I'm deeply concerned about health information is that we as a society have already decided that health information is going to be protected," Brill said, referring to the enactment of HIPAA in 1996.

However, while the federal health privacy statute requires strong protections for consumer data, it does not apply to wearable devices, apps and other nontraditional actors who are collecting this information outside of the traditional medical setting, leaving a significant regulatory gap that needs to be addressed, according to Brill.

"We need best practices, and I've been calling for stakeholders to come together and say, 'OK, in the absence of getting baseline privacy legislation that would deem health information as one category of information that requires robust protections, here's what we're going to do: When we're in context, we'll let the mobile app use the information, but once we're outside of context, we're going to require more robust information protections,'" she said.

In support of her push, Brill pointed to a wearable device study recently conducted by the FTC that concluded that 12 health apps were collecting and sending sensitive medical information to 70 third parties.

“This from my perspective is a concern,” she said. “It's one thing if the information is going where the consumer expects it to go — that is, to the app provider itself for the purpose of giving consumers more information about what their condition or blood pressure is — but when it's going to third parties, that's where it's outside the context of what the consumer thinks is happening, and that's where I think much more information needs to be going to the consumer.”

Being more transparent about where exactly the information is going is likely to make companies more accountable to consumers, according to Brill, who compared the disclosure to telling "Aunt Emily" about what you're doing.

"If Aunt Emily is going to have a problem with it, maybe you don't want to do it, and that kind of feedback loop with transparency I think is very important from a company's perspective," Brill said.

While the commissioner stressed that there are steps that companies can take now to increase transparency and consumers' control over their data, she continued to voice her long-running support for the enactment of both baseline federal privacy legislation as well as federal data broker and data security legislation to set clearer rules of the road for these growing industries.

"We've got very good sectoral laws when it comes to children's information, credit reporting information, health information and financial information, but information [today] doesn't honor those sectors anymore and information is flowing outside those silos," Brill said. "So that's why I think baseline privacy legislation is important."

--Editing by Katherine Rautenberg.
