Jessica Roberts and Jim Hawkins, professors at the University of Houston Law Center, discuss the growing digital health-services trend, and the need for stronger consumer privacy safeguards on the personal information collected by these online companies.
CCBJ: What brought about this need for stronger consumer privacy safeguards on the personal information collected by online health-related companies?
Jessica Roberts: These digital health companies tend to collect health-related data, but they do not actually provide health care. And because they don’t actually provide health care, traditional patient protections like the Health Insurance Portability and Accountability Act (HIPAA) do not apply. When these companies get into a dispute related to an interaction with one of their customers, the thing that governs it is the terms of service agreement. This is the legal document that outlines the rights of the consumer and the obligations of the company, but what Jim and I realized is that many, if not most, of these digital health companies actually reserve the right to make unilateral amendments to their terms of service.
Jim Hawkins: Exactly, and this right to unilaterally amend the contract means that after a year of the consumer using the service, for example, and inputting their personal information, the company can change the terms in some substantial way, often to the disadvantage of the consumer – and the consumer may not even know about the change because it’s just been posted on a website or included in an email that might not have been read. And even if they do know about the change, consumers often don’t have a real ability to switch companies, because they’ve invested so much time into providing their data to that service. It’s difficult to just “start over” with a new one. So for us, it seems like there needs to be stronger consumer safeguards to make sure that companies get actual consent and give consumers the option to choose whether they really want to continue using the service.
Roberts: One of the things that concerned us the most was the lack of legal recourse available to consumers. Right now, what happens is that the company can unilaterally amend its terms, depending on its policies and the governing law, and it may or may not have to let existing customers know about the change in terms. If the customers continue to use that service, they have automatically consented to the new terms. As Jim mentioned, the only thing that customers can really do is stop using the services. That raises concerns, because imagine that I’ve accumulated a substantial amount of health data on one of these apps, and they make a privacy policy change I don’t like – I’m going to lose access to all of that valuable data. So we are advocating for stronger consumer protections that would require the consumers of digital health services to affirmatively opt in to changes to the terms of service.
How would this impact the privacy policies and terms of service listed by these companies?
Hawkins: If legislative bodies start requiring that digital health companies get actual consent from consumers, while also allowing consumers who don’t want to consent to continue to use the product, our hope is that it will empower consumers to make choices that right now they’re not able to make. It would allow consumers to opt in to the change if that’s what they want, or to continue to use the service under the old terms if they prefer. And that would restore consumer choice to the process.
Roberts: If legislatures adopt our proposal, it may encourage more transparency on the part of these companies, with respect to their original terms as well as the changes they make to those terms.
How do consumers’ cases fare when issues of privacy are brought to court?
Roberts: Our major concern is not only privacy but also the enforceability of these unilateral changes. Unilateral amendments allow companies to make one-sided changes, without consumer consent. For the most part, in the United States, courts will find that unilateral changes to terms of service are in fact enforceable.
Hawkins: The “consent” that is required for unilateral amendments is extremely thin. Consumers could theoretically challenge unilateral amendments as being unconscionable or unfair, but these are last-ditch efforts. Unconscionability cases are hard to win, which means that consumers don’t have many protections under the current laws.
Roberts: Even in the context of some of the newer consumer privacy laws, like the California Consumer Privacy Act (CCPA), which went into effect this year, there are potential issues. As part of those protections, the companies are supposed to give consumers notice when they change their terms. But what constitutes “notice”? Does that mean sending an email? Does it mean having the user click a box that says, “I’ve read and understood these changes”? Or does it just mean reposting the new terms on the website? And even with these increased protections, it’s not entirely clear that consumers themselves can go to court. For example, under the CCPA there is a private right of action, but it has to do with data breaches. It’s not entirely clear whether, even with the benefit of those heightened protections, someone in California could effectively sue one of these companies to stop them from enforcing the new terms. So, even in light of some of the increased privacy protections that have been enacted recently, consumers still may have very little legal recourse.
With these digital health companies, are there any potential clues or key indicators for consumers about whether they are actually health care providers?
Roberts: Absolutely. In their terms of service documents, the companies should disclose that they are not health care providers. If you read the fine print, it tends to be clear that the services they are providing are not health care. For example, there is a digital mental health app called “Woebot.” Its terms of service are very clear that it is not a therapy app. These companies tend to be explicit in the terms of service that they’re not governed by the same set of rules as doctors or other health care providers. However, part of the tension is that while these companies are clear in their terms of service that they’re not providing health care, the way they present themselves to consumers – through advertisements, etc. – might imply that what people are receiving actually is something akin to health care.
Hawkins: Something that we’ve found particularly troubling is that consumers may assume that they have legal protections because they’ve seen so many HIPAA disclosures at the doctor or dentist. They may believe that the same thing applies here.
Roberts: Right, someone might think, “Oh, I know when I go to the doctor, HIPAA protects my health-related information. This app is collecting my heart rate, so HIPAA must protect the data in this app.” And in most circumstances, that’s just not the case. Unfortunately, the United States is lagging with respect to this issue. Consumers in other countries have greater protections against unilateral amendments. For example, in the United Kingdom, many of the provisions in these consumer contracts would be unenforceable. We would like to see the United States take a cue from some of these more progressive countries that have limited the power of companies to unilaterally amend consumer contracts, and we really hope that Congress or state legislatures will take action on this issue.
Published March 18, 2020.