On March 23, New York Attorney General Eric Schneiderman announced settlements with the developers of three health-related applications sold in Apple's App Store and Google's Play Store. The settlements arose from allegations of misleading claims and irresponsible privacy practices. Under the terms of the settlements, the developers agreed to provide additional information about how the apps were tested, to change their ads to eliminate allegedly misleading content, and to pay $30,000 in combined penalties to the Office of the Attorney General.

According to the A.G.'s press release, two of the app developers, Cardiio and Runtastic, claimed that their apps accurately measured heart rate after exercise using only a smartphone camera and sensors. A third developer, Matis, claimed that its app transformed a smartphone into a fetal heart monitor that could be used to play an unborn baby's heart rate, even though the app was not a fetal heart monitor approved by the Food and Drug Administration. The A.G. alleged that the three developers marketed these apps without sufficient information to back up their marketing claims.

In addition to the settlement payment, the app developers must post clear and prominent disclaimers informing consumers that the apps are not medical devices and are not approved by the FDA. The developers also were required to make changes to protect consumers' privacy. According to the A.G., the developers are now required to obtain affirmative consent from consumers to the developers' privacy policies, and the developers must disclose that they collect and share information that may be personally identifying. This includes users' GPS location, unique device identifier, and "de-identified" data that third parties may be able to use to re-identify specific users.

As we have discussed previously, Schneiderman's office has been active in privacy enforcement matters in the past year. For example, the New York A.G. recently reached a settlement with Acer for $115,000 over a data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents. Last year, the A.G. settled a case against then-presidential nominee Donald Trump's hotel chain arising from a series of malware-enabled breaches that occurred in 2014 and 2015, which the chain allegedly failed to report for several months. The A.G. also settled a case against EZcontactsUSA, alleging that the online contact lens retailer misrepresented the security of its website, failed to secure customers' payment information, and neglected to report a data breach once discovered.

Most recently, on February 9, the A.G. announced settlements with two mobile app developers for their failure to disclose their data collection practices in a privacy policy. According to the A.G.'s Office, the two developers, AB Mobile Apps LLC and Bizness Apps LLC, lacked a privacy policy or any statement as to how AB Mobile collects, uses, or discloses a user's personal information. Interestingly, unlike in many cases that prompt regulatory action, the A.G. did not find that these developers had misused their customers' personal information or disclosed it to third parties. Instead, the A.G. indicated that the mere failure to disclose how a company collects, uses, and discloses customers' personal information in a privacy policy is a deceptive trade practice under New York Executive Law § 63(12) and New York General Business Law § 349.

The Troutman Sanders' Consumer Financial Services Law Monitor blog offers timely updates regarding the financial services industry to inform you of recent changes in the law, upcoming regulatory deadlines and significant judicial opinions that may impact your business.
