FTC threatens fines for health apps that fail to report compromised data

The consumer protection agency clarified a 2009 rule meant to help Americans understand when their data is shared improperly.
Lina Khan, nominee for Commissioner of the Federal Trade Commission (FTC), testifies during a Senate Committee on Commerce, Science, and Transportation confirmation hearing on Capitol Hill in Washington, DC, April 21, 2021. (Photo by SAUL LOEB/POOL/AFP via Getty Images)

App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday.

The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade.

“The global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health,” FTC chair Lina Khan said in a statement. “As we have seen, however, digital apps are routinely caught playing fast and loose with user data, leaving users’ health information susceptible to hacks and breaches.”

Unauthorized access to personal data, such as an app developer sharing user information without their consent, as well as data breaches constitute grounds for notification. Failure to comply with the regulation will trigger fines of up to $43,792 per violation, per day.


The update comes after the FTC voted to ban SpyFone, a so-called stalkerware app that enabled snoops to monitor an individual’s phone usage, online activity and physical movements, and prohibited the company’s owner from participating in similar ventures. Along with marketing itself as a surveillance device, the FTC said, SpyFone also failed to enact basic security measures.

“This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security,” Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, said at the time. “We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
