Regulatory and Privacy Concerns Related to Mental Health and Wellness Apps During COVID-19 and Beyond

It’s no surprise that in the last few years startups have been keen to cash in on the burgeoning consumer demand for mental health and wellness apps, but what are the regulatory and privacy concerns that users should be aware of? Marketplace Tech recently came out with a podcast highlighting how COVID-19 has opened the floodgates to consumer demand for remote online therapy. Mobile app analytics companies report that downloads of mental health and wellness apps are up almost 30% since COVID-19. However, what are the privacy and regulatory concerns related to the use of these apps? There are thousands of mental health apps for consumers to download. For example, there are apps where you can engage in therapy with a robot, and apps that can help monitor your side effects to particular medications. How should these apps be regulated? Should we care whether these apps are effective before they’re allowed to be put out on the market? And what privacy rights have users relinquished by using these wellness apps?

Many apps related to health and wellness do not require pre-market review because they are not categorized as “medical devices,” as determined by the Food and Drug Administration (FDA). Rather, they are categorized as “general wellness products”: low-risk products that promote a healthy lifestyle and are not deemed to be a “medical device.” However, the Federal Trade Commission (FTC) has recently issued warning letters to apps that made false advertising claims related to their products’ effects on preventing or treating COVID-19. Section 5 of the FTC Act vests in the FTC the authority to ensure that business practices are free from unfairness, deception, unsubstantiated claims, false advertising, and anti-competitive activities. Under the FTC Act, any and all health-related claims an app makes must be substantiated by “competent and reliable scientific evidence.” Testimonies from consumers who have used the app will not qualify as a substantiated claim. Recently, the FTC issued forty-five letters to companies making COVID-19 prevention, treatment, or cure claims. For example, Musical Medicine received a letter requiring that it immediately cease making claims that its use of music at a specific frequency range would help consumers resist the Coronavirus, while boosting consumers’ immune systems. All general wellness apps, as well as wellness products, must substantiate their claims. Testimonies and user ratings will not meet the “competent and reliable scientific evidence” standard.

In addition to the general efficacy of these health and wellness apps, the privacy rights consumers give up when they use these apps are equally concerning. A study published in March of 2019 in the British Medical Journal revealed that nineteen out of twenty-four of the most popular health apps in the Google Play marketplace transmitted user data to at least one third-party recipient. Woebot’s privacy policy, the app mentioned above where an individual can engage in therapy with a robot, admits that in addition to the information provided by a consumer, it also may obtain information about that consumer from third-party services, including social networking sites. Woebot also discloses that they may use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on the app. While the app confirms it does not sell consumers’ personal information to third parties, absent special circumstances, it does acknowledge that users who access Woebot through Facebook Messenger are subject to Facebook’s privacy policy too.

Some apps that collect personal information from users and sell it to third parties include this disclosure in their Privacy Policies. However, such disclosures are usually written in size eight font, buried amidst paragraphs upon paragraphs, written in jargon that the average user would not understand. Apps also need to consider whether this type of disclosure will hold up against the California Consumer Privacy Act (CCPA), which goes into effect July 1. Under the CCPA, apps that interact with California residents must clearly disclose in their privacy policy the fact that they transfer consumers’ data to third parties, and that the purpose of this transfer is for marketing purposes. Below is an example of Amazon’s explicit provision related to third-party advertisers, from Amazon’s Privacy Notice.

Third-Party Advertisers and Links to Other Websites: Amazon Services may include third-party advertising and links to other websites and apps. Third-party advertising partners may collect information about you when you interact with their content, advertising, and services. For more information about third-party advertising at Amazon, including interest-based ads, please read our Interest-Based Ads policy. To adjust your advertising preferences, please go to the Advertising Preferences page.

Users should question the extent to which the use of certain health and wellness apps is worth the trade-off in which they give up their personal, and sometimes even sensitive, health information to marketing and pharmaceutical companies. Moreover, the regulations under the Health Insurance Portability and Accountability Act (HIPAA) that require patient-doctor confidentiality do not extend to general health and wellness apps. This is even more concerning because if an insurance company, for example, pays for data from an app developer, the insurance company could deduce whether a user is eligible for insurance or poses too great of a risk depending on the amount of personal and sensitive information a user discloses. The bottom line is that individuals who use certain health and wellness apps should think twice before disclosing their medical and mental information. And, at the very least, it is a best practice for individuals to comb through an app’s privacy policy to ensure their personal information is not sold to third parties.

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

Will New York be Next to Enact a Robust Privacy Law?

Technology has driven disruption in virtually every industry and created an opportunity for businesses to compete in manners previously thought impossible but, with such opportunities, new regulations have emerged at both the state and federal level. Specifically, most businesses have elected to implement new policies, procedures, and safeguards to ensure compliance with the California Consumer Privacy Act (“CCPA”) and the European Union General Data Protection Regulation (“GDPR”). However, one more law that might be added to the list is the New York Privacy Act, currently under consideration by the New York State Legislature.

The New York State Senate, not to be left behind California and the EU, has been actively discussing the New York Privacy Act, which proposes to be the most robust consumer privacy and data protection regulation passed in the United States. The proposed law will regulate any use, storage, or disclosure of personal data of a consumer, and will apply to anyone that does business in New York. These principles are similar to those included in the GDPR and CCPA; however, New York intends to bolster these rules by adding a fiduciary duty, further transparency, and additional notice obligations.

The latest hearing by the New York State Senate in November of 2019 suggested the legislature would be reluctant to pass the legislation if the United States Congress ultimately passes federal legislation, but noted that failure to move at a federal level will result in state legislation. For businesses, this would mean further adjustments to privacy, data security, and technology policies and procedures. Given the myriad of regulations and their evolving nature, each business will need to evaluate how they intend to comply with the regulations and monitor new obligations. As always, the attorneys at Vandenack Weaver are available to provide assistance with these matters.

VW Contributor: Alex B. Rainville
© 2019 Vandenack Weaver LLC

U.S. Supreme Court to Decide Whether a Software Interface is Protected under Copyright Law

In a case that pertains to technology originally developed in the 1990s, the United States Supreme Court has granted certiorari in Google LLC v. Oracle America, Inc. The dispute between these two technology giants focuses on application programming interfaces (API) that Oracle developed through its predecessor, Sun Microsystems, Inc. At issue for the technology industry is whether an API is copyrightable and, therefore, protected.

The API is critical to most technology companies, especially those with complex and multi-layered tech stacks, because it allows the company to integrate and communicate with other software developers. By way of example and at issue in the case, the Android operating system uses the API originally created by Oracle to allow third-party developers to integrate into the operating system. Although most consumers will not understand how the API works, the use of third-party applications in the Google-owned Android operating system is made possible through the API. As a result of its importance in modern commerce, many technology companies protect the structure, sequence, and organization of the API, even if they share how to connect to it.

Regardless of the decision by the Supreme Court on whether the API is protectable under copyright law, the ramifications will be significant. In fact, most of the prominent global technology companies have filed briefs in this case to voice their opinion on the matter. When the Supreme Court decides the case in 2020, every company that interfaces and integrates into the software of another company will need to re-evaluate their intellectual property protection strategies.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC

Domain Names and Trademarks: Enforcing Trademark Rights Against Domain Name Owners.

In the era of modern commerce, the success of a business is often driven by technology and its web presence, and it has become easier than ever to purchase a domain name from an internet domain registrar, making ownership available to the masses. This has increased the number of disputes that arise between an owner of a registered trademark and an owner of a domain name. While many of these disputes are in good faith and resolved through a negotiated settlement, many are arising because individuals are intentionally trying to “ransom” these domain names to the highest bidder. In these situations, it is important to know your rights under the Anti-Cybersquatting Consumer Protection Act (“ACPA”) and the Uniform Domain Name Dispute Resolution Policy (“UDRP”).

The ACPA was enacted in 1999 and designed to protect trademark owners from domain name cybersquatters, but it requires the trademark to be distinctive and/or famous prior to the purchase of the domain name, and the purchase to be in bad faith. Although the distinctiveness and fame element is governed by traditional trademark rules, courts haven’t isolated exactly what constitutes bad faith in this context. By way of example, in ZP No. 314, LLC v. ILM Capital, LLC, No. 1:16-cv-00521-B (S.D. Ala. Sept. 30, 2019), the court decided that bad faith did not include “parking” on the domain name. In this case, the infringing business purchased the domain name with the sole intent of profiting from the other business’s distinctive mark. However, since the mark did not become “distinctive and famous” until after the infringing business stopped actively using the domain name, the court determined that this was not bad faith, despite being critical of its own opinion on the matter.

An alternative remedy for a trademark owner is to seek protection through the UDRP, which is run by the Internet Corporation for Assigned Names and Numbers (“ICANN”). Similar to the ACPA, to obtain relief, the trademark owner must follow a specific process and meet the required elements. The process and the elements are different than the ACPA, but have significant overlap. For a business seeking to enforce its trademark rights against the owner of a domain name, the path to obtaining relief requires careful analysis and planning, especially because the courts continue to adjust to modern commerce.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC

Copyright Infringement: Will Congress Make it Easier to Obtain a Remedy?

On October 22, 2019, the United States House of Representatives passed H.R. 2426, The Copyright Alternative in Small-Claims Enforcement Act of 2019. The intent of the legislation is to make it easier for copyright owners to seek enforcement of their rights in situations where the overall damages to the copyright owner are minimal. Essentially, the Copyright Office would create a Copyright Claims Board that would adjudicate infringement claims with damages under $30,000.

The rationale behind the legislation is that cost is a significant impediment to a copyright holder bringing a claim against someone infringing on their work. To bring a claim, as recently determined by the United States Supreme Court, the underlying work must be registered with the United States Copyright Office, which takes time and includes certain expenses. Once registered, the copyright owner can only seek a remedy in federal court, since that is the exclusive jurisdiction for a copyright infringement claim. This process is expensive and, although attorney’s fees can be recovered pursuant to section 505 of the Copyright Act, the United States Supreme Court has also recently limited the scope of recovery. The end result is that many copyright owners are unable to seek a remedy.

This legislation passed with near unanimous support in the United States House of Representatives and moves to the United States Senate for consideration. Should this legislation ultimately become law, it will likely have a significant impact on how copyright owners protect their intellectual property.

VW Contributor: Alex B. Rainville
© 2019 Vandenack Weaver LLC

Continue to Scrape Away! Microsoft’s LinkedIn Ordered to Lift Ban on Third Party Access to Public Profile Data

In the closely followed hiQ Labs, Inc. v. LinkedIn case, the Ninth Circuit affirmed the district court’s decision holding that hiQ, a data analytics company, is entitled to a preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. hiQ had been scraping data and building products from LinkedIn public profiles. LinkedIn argued that hiQ was in violation of LinkedIn’s user agreement as well as California law and federal law, including the Computer Fraud and Abuse Act (CFAA) and sent hiQ a cease-and-desist letter.

Similarly, back in 2018, a district court in Washington D.C. ruled that using automated tools to access publicly available information on the open web is not a crime, even when a website bans automated access in its terms of service. The case, Sandvig v. Sessions, narrowly interpreted the CFAA. This federal law makes it illegal to access a computer connected to the Internet “without authorization,” but neglects to specify what “authorization” means. In pertinent part, the court reasoned that:

“Scraping is merely a technological advance that makes information collection easier; it is not meaningfully different from using a tape recorder instead of taking written notes, or using the panorama function on a smartphone instead of taking a series of photos from different positions. And, as already discussed, the information plaintiffs seek is located in a public forum.”

The Ninth Circuit’s decision and reasoning are in line with Sandvig. However, the court was careful not to bar a website owner from pursuing any recourse against wholesale appropriation of its public content. Rather, the court articulated a public policy concern if companies like LinkedIn can use sole discretion to determine who can collect and use data when that company does not own the data which it makes publicly available to viewers. Read in this way, the court is mitigating the opportunity for LinkedIn to gain a monopoly on public information of the site’s 500 million member profiles.

Many view hiQ Labs, Inc. v. LinkedIn as a victory for the open source web. The internet is a critical space for researchers, journalists, businesses, and individuals who require meaningful access to collect and analyze public information. Specifically, businesses use web scraping bots to relentlessly pursue data which might help grow their business by monitoring competitor pricing. Web scraping is also integral for predictive analysis, where businesses can study and understand products and associated consumer behavior to assess their costs and benefits. Thus, web scraping provides significant business value to a multitude of companies across various sectors.

LinkedIn could appeal the 9th Circuit’s decision to the U.S. Supreme Court. Until then, data miners, researchers, and other third parties can continue to use any public online data not owned or password protected by a website owner.

VW Contributor: Skylar Young
© 2019 Vandenack Weaver LLC

Technology Vendor Due Diligence; Protecting your Brand

Most companies in the modern economy utilize technology to compete in an increasingly competitive marketplace. In order to utilize third-party technology, a business has to obtain a license from the technology vendor or reseller, or otherwise risk intellectual property infringement. Even when using open-source software, the use is subject to licensing restrictions and other limitations. While getting the licensing correct is critical to ensuring your business obtains the most value from the technology, an often overlooked element of procuring technology is the due diligence phase.

Technology due diligence is similar to diligence performed on any vendor, such as ensuring the technology will fit your needs and obtaining favorable pricing, but the due diligence should be far more extensive in the modern technological world. By way of example, in the healthcare industry, over 25 million health records have been breached to date in 2019, many of them as a result of a third-party technology provider failing to protect the health information. This means that businesses, especially those in a regulated industry where the technology vendor has access to personal information, need to perform additional diligence on third-party technology providers.

The additional diligence should focus on what the vendor is doing with the data and personal information, ensure that the vendor has protections and controls that meet the various, and often overlapping, state, federal, and international data protection rules, and ensure that the vendor’s technical protections meet industry standards. Although this will likely require obtaining additional expertise from outside your organization, taking these additional steps during the diligence phase will protect your brand from a potentially disruptive data breach at a vendor that results in your business being harmed.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC