Expect Continued Enforcement of Health Ads Under Privacy Laws, Experts Say
Increased FTC enforcement and expanding state regulatory requirements mean it's crucial that advertisers ensure their consumer health data activity complies with consumer privacy laws, said panelists during a Wiley health advertising webinar Tuesday.
Sign up for a free preview to unlock the rest of this article
Given the growing list of states with privacy laws, it’s important to monitor their enforcement activities, said Joan Stewart, a partner in Wiley's FTC regulation and privacy practice. “It's just not the FTC that's active in enforcement here,” she said. “States have their own deceptive trade practices acts, and they are looking to enforce" them.
“States with comprehensive privacy laws have been giving additional protections for data that [they consider] to be sensitive, which all states today define to include some form of health data,” even if they approach it in different ways, she added. “We've seen several states enact laws specifically targeting the collection of health data,” where “they're defining consumer health data incredibly broadly … mean[ing] that companies that are not traditionally considered to be collecting health data could be swept in under these laws.” She cited Washington state’s My Health, My Data Act as an example (see 2505130056).
Wiley's Duane Pozza, a partner in the FTC regulation and privacy practice, discussed FTC enforcement of its Health Breach Notification Rule, which requires companies to notify consumers and the FTC of disclosures of health information that occur without consent.
“It's possible enforcers will take a very expansive view [of] what counts as health data," he said. "Consent needs to be informed, which means letting the consumer know not just that you're collecting data.” Above all, understanding what data your company collects and shares online is crucial for compliance with digital advertising, Pozza said.
He also offered some compliance tips. “Companies should make sure that their privacy policies align with their [data] collection, use and sharing practices, and … make sure to update privacy policies and the terms of service as data practices change."
Ian Barlow, counsel in the FTC regulation and privacy practice at Wiley, said companies should understand that every FTC settlement is public. "Unlike private litigation, where you can keep it confidential, the FTC settlements are all either in federal court, where the FTC" has to follow certain administrative processes, or "published on the FTC website and in other places," he said.
Mary Engle, executive vice president of policy at Better Business Bureau National Programs, said the content in ads is of particular concern. “It's important to understand that [health] ads can be misleading, not just for what they say, but for what they fail to say, and when they fail to include information that would be important to qualify the claim that's made.”
Advertisers must be aware of these things as we head toward a future with more enforcement and regulation, Pozza said. “Over the past few years, health care has been a priority for consumer protection and privacy enforcement, and we've seen this at both the federal and state level,” he said. As such, expect "FTC and state enforcers to remain active on health-related advertising, marketing and data privacy and security issues.”