In our previous blog, we talked about the nearly half a billion dollar fine Meta received for violating the European data privacy and security law known as GDPR. Meta’s operational policy, which did not allow users to opt out of targeted advertising, violated the law in Europe and may violate future U.S. laws. In the United States, we have state-level laws that substantially replicate GDPR provisions, and we are rapidly moving towards a comprehensive national-level data privacy law in the near future. In the meantime, enforcement of current state and federal privacy laws is increasing and can have monumental consequences for health tech businesses that store and process user data. Read on for a synopsis of the top five you need to know about.
- HIPAA → Everyone knows that HIPAA relates to privacy and security of health data. The biggest HIPAA loophole is that it only applies to a few, very specific types of entities (like care providers, payors, and clearinghouses), and most health tech/tech companies are excluded. Social media companies like Meta and many health tech apps, like fitness or reproductive health trackers, are not subject to HIPAA rules and therefore can’t be punished for violating them. HIPAA also has no private cause of action attached to it, so individuals cannot sue businesses for HIPAA violations.
- Information Blocking → Like HIPAA, the relatively new Information Blocking regulation only applies to a few, very specific entities and providers – care providers, health information networks/exchanges, and health IT developers/certified health IT. If your business falls into one of these categories, it is imperative that you work towards compliance with this rule immediately, as the fines for non-compliance can be up to $1 million per infraction.
- FTC Act + FTC’s Health Breach Notification Rule → The FTC Act authorizes the agency to prevent, investigate, regulate, define, and punish “unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.” In other words, the FTC has broad powers over essentially every business in America, and if they don’t like the privacy practices your company is engaging in, they can declare them unfair, which has the effect of making them illegal. The FTC is actively enforcing its Health Breach Notification Rule, recently settling a claim against GoodRx for $1.5 million and proposing another settlement with BetterHelp for $7.8 million. In both cases, the tech giants are accused of selling health data to big tech companies like Meta and Google after telling their customers that they would not do that. Although these are the first two cases of their kind, the FTC is sending a clear message that they will not tolerate tech companies violating their own privacy policies, particularly where health data is involved.
- State-level laws modeled after GDPR → While the federal government moves towards a national-level data privacy standard akin to GDPR, many states have already enacted or proposed laws fortifying consumer protections for their residents and creating more comprehensive data privacy obligations for tech businesses. The first and strongest among these is California, with Colorado, Virginia, Connecticut, and Utah close behind. At least a half-dozen other states are posturing to join this list, creating a patchwork of state-level laws and regulations to adhere to. If your business has users in any of those states, your privacy practices are subject to the corresponding legal obligations.
- COPPA (Children’s Online Privacy Protection Rule) → If your tech company offers services focusing on children under 13 OR has actual knowledge that you’re collecting data on children under 13, you have a slew of additional obligations with respect to data collection, retention, use, and consent. The FTC is vigorously enforcing this rule, so if it applies to your business, it is imperative that you take steps to be in compliance.