On March 23, New York Attorney General Eric Schneiderman announced settlements with three health-related applications sold in Apple’s App Store and Google’s Play Store. The settlements arose from allegations of misleading claims and irresponsible privacy practices. Under the terms of the settlements, the developers agreed to provide additional information about how the apps were tested, to change their ads to eliminate allegedly misleading content, and to pay $30,000 in combined penalties to the Office of the Attorney General.
According to the A.G.’s press release, two of the app developers, Cardiio and Runtastic, claimed that their apps accurately measured heart rate after exercise using only a smartphone camera and sensors. A third developer, Matis, claimed that its app transformed a smartphone into a fetal heart monitor that could be used to play an unborn baby’s heart rate, even though the app was not a fetal heart monitor approved by the Food and Drug Administration. The A.G. alleged that the three developers marketed these apps without sufficient information to back up their marketing claims.
In addition to the settlement payment, the app developers must post clear and prominent disclaimers informing consumers that the apps are not medical devices and are not approved by the FDA. The developers also were required to make changes to protect consumers’ privacy. According to the A.G., the developers are now required to obtain affirmative consent from consumers to the developers’ privacy policies, and the developers must disclose that they collect and share information that may be personally identifying. This includes users’ GPS location, unique device identifier, and “de-identified” data that third parties may be able to use to re-identify specific users.
As we have discussed previously, Schneiderman’s office has been active in privacy enforcement matters in the past year. For example, the New York A.G. recently reached a settlement with Acer for $115,000 over a data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents. Last year, the A.G. settled a case against then–presidential nominee Donald Trump’s hotel chain arising from a series of malware-enabled breaches that occurred in 2014 and 2015, which the chain allegedly failed to report for several months. The A.G. also settled a case against EZcontactsUSA, alleging that the online contact lens retailer misrepresented the security of its website, failed to secure customers’ payment information, and neglected to report a data breach once discovered.