Regulatory and Privacy Concerns Related to Mental Health and Wellness Apps During COVID-19 and Beyond

It’s no surprise that in the last few years startups have been keen to cash in on the burgeoning consumer demand for mental health and wellness apps, but what are the regulatory and privacy concerns that users should be aware of? Marketplace Tech recently came out with a podcast highlighting how COVID-19 has opened the floodgates to consumer demand for remote online therapy. Mobile app analytics companies report that downloads of mental health and wellness apps are up almost 30% since COVID-19. However, what are the privacy and regulatory concerns related to the use of these apps? There are thousands of mental health apps for consumers to download. For example, there are apps where you can engage in therapy with a robot or download an app that can help monitor your side effects to particular medications. How should these apps be regulated? Should we care whether these apps are effective before they’re allowed to be put out on the market? And what privacy rights have users relinquished by using these wellness apps?

Many apps related to health and wellness do not require pre-market review because they are not categorized as “medical devices,” as determined by the Food and Drug Administration (FDA). Rather, they are categorized as “general wellness products,” which are seen as low-risk products that promote a healthy lifestyle and are not deemed to be “medical devices.” However, the Federal Trade Commission (FTC) has recently issued warning letters to apps that made false advertising claims related to their products’ effects on preventing or treating COVID-19. Section 5 of the FTC Act vests in the FTC the authority to ensure that business practices are free from unfairness, deception, unsubstantiated claims, false advertising, and anti-competitive activities. Under the FTC, any and all health-related claims an app makes must be substantiated by “competent and reliable scientific evidence.” Testimonies from consumers who have used the app will not qualify as a substantiated claim. Recently, the FTC issued forty-five letters to companies making COVID-19 prevention, treatment, or cure claims. For example, Musical Medicine received a letter requiring that it immediately cease making claims that its use of music at a specific frequency range would help consumers resist the Coronavirus, while boosting consumers’ immune systems. All general wellness apps, as well as wellness products, must substantiate their claims. Testimonies and user ratings will not meet the “competent and reliable scientific evidence” standard.

In addition to the general efficacy of these health and wellness apps, the privacy rights consumers give up when they use these apps are equally concerning. A study published in March of 2019 in the British Medical Journal revealed that nineteen out of twenty-four of the most popular health apps in the Google Play marketplace transmitted user data to at least one third-party recipient. The privacy policy of Woebot, the app mentioned above in which an individual can engage in therapy with a robot, admits that in addition to the information provided by a consumer, it also may obtain information about that consumer from third-party services, including social networking sites. Woebot also discloses that it may use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on the app. While the app confirms it does not sell consumers’ personal information to third parties, absent special circumstances, it does acknowledge that users who access Woebot through Facebook Messenger are subject to Facebook’s privacy policy too.

Some apps that collect personal information from users and sell it to third parties include this disclosure in their Privacy Policies. However, such disclosures are usually written in size eight font, buried amidst paragraphs upon paragraphs, written in jargon that the average user would not understand. Apps also need to consider whether this type of disclosure will hold up against the California Consumer Privacy Act (CCPA), which goes into effect July 1. Under the CCPA, apps that interact with California residents must clearly disclose in their privacy policy the fact that they transfer consumers’ data to third parties, and that the purpose of this transfer is for marketing purposes. Below is an example of Amazon’s explicit provision related to third-party advertisers, from Amazon’s Privacy Notice.

Third-Party Advertisers and Links to Other Websites: Amazon Services may include third-party advertising and links to other websites and apps. Third-party advertising partners may collect information about you when you interact with their content, advertising, and services. For more information about third-party advertising at Amazon, including interest-based ads, please read our Interest-Based Ads policy. To adjust your advertising preferences, please go to the Advertising Preferences page.

Users should question the extent to which the use of certain health and wellness apps is worth the trade-off in which they give up their personal, and sometimes even sensitive, health information to marketing and pharmaceutical companies. Moreover, the regulations under the Health Insurance Portability and Accountability Act (HIPAA) that require patient-doctor confidentiality do not extend to general health and wellness apps. This is even more concerning because if an insurance company, for example, pays for data from an app developer, the insurance company could deduce whether a user is eligible for insurance or poses too great of a risk depending on the amount of personal and sensitive information a user discloses. The bottom line is that individuals who use certain health and wellness apps should think twice before disclosing their medical and mental information. And, at the very least, it is a best practice for individuals to comb through an app’s privacy policy to ensure their personal information is not sold to third parties.

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC

The CCPA is Here to Stay; Now What?

The California Consumer Privacy Act (“CCPA”), signed into law in 2018, will become effective on January 1, 2020. Many organizations hoped that the California legislature would narrow the scope of the CCPA prior to its effective date, but the legislature adjourned without taking action to narrow its scope. For businesses, this means that preparations should be underway to comply with the CCPA before the California Attorney General has statutory authority to enforce the law on July 1, 2020.

The initial step for a business to develop a CCPA compliance program is to understand what personal information it collects and determine what it does with this personal information. Similarly, the business should review its policies and procedures regarding its collection and processing of this personal information, then conduct a gap analysis between its written procedures, actual procedures, and the CCPA. Understandably, this gap analysis will be challenging, given that the California Attorney General is expected to promulgate regulations under the CCPA this fall and several potential amendments are awaiting the California Governor’s signature. However, the substance of the CCPA should remain the same and actions should be taken to prepare.

Much like the GDPR, the CCPA is designed to be extraterritorial, reaching businesses outside of California. This means that businesses outside of California that conduct business within the state, or with residents of the state, need to take steps to comply with the CCPA, or at least mitigate its risks. The time for a business to prepare for the CCPA is now, even though the law itself will continue to evolve.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC