On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to measure vital signs or other indicators of health using only a smartphone’s camera and sensors, without any need for an external device.”
The Office of Attorney General (OAG) expressed concern that growing consumer reliance on health-related apps “can be harmful” if the apps provide inaccurate or misleading results, because such results could lead consumers to forgo necessary medical treatment or, conversely, to incur unnecessary treatment, in reliance on false assurances of health provided by such apps. In the settlements, the OAG highlighted apparent issues it had identified with each of the developers’ apps, including:
- That both Cardiio and Runtastic created a “net impression” via claims made on their websites and in app store listings that their respective heart rate monitor apps would accurately measure and monitor a consumer’s heart rate “without providing sufficient evidence substantiating” their claims regarding the app’s accuracy; and
- That Matis made unsubstantiated claims regarding its fetal heartbeat app’s ability to monitor and play the sound of a fetal heartbeat by placing a smartphone on a woman’s stomach.
The OAG also cited deficiencies in each developer’s privacy practices as grounds for its enforcement actions. For example, the OAG cited two developers for relying on a “default consent” by users to be bound by their respective privacy policies as a condition of submitting data related to their conditions, and faulted each entity for not informing users that their personal information may not be protected under HIPAA. The OAG also found that the developers failed to fully disclose the types of information collected and stored by their apps.
This post is also being shared on our Data Privacy + Security Insider blog.