The Times Union published an article on Thursday about a bill passed by the New York State Legislature intended to increase protection of sensitive health data collected by consumer apps. According to the article, the bill
would prohibit the sale of health data collected by any health app (or apps that even tangentially use health-related information) to third parties unless they receive the express consent of a consumer. That can span from the amount of burned calories traced by a Fitbit to the dates of a menstrual cycle logged through a fertility app.
While I applaud the goal, the bill suffers from a major shortcoming: it doesn’t forbid any of the problematic practices. It simply requires the companies providing the apps to get consent from the users to collect, process, and hold the sensitive data. While that seems reasonable, consider whether you feel you’ve ever freely given informed consent to any set of “Terms and Conditions” for an app you use regularly. Given the important role many of these apps play in our daily lives and existence within society, if the alternative to consent is not using the app, are you really giving consent?
This particular problem was actually discussed in an article published by Stanford Law professor Mark Lemley a few weeks ago. He notes that
“Privacy scholars are moving beyond the ‘notice and consent’ paradigm that has dominated privacy law for a generation. They are right to do so. The evidence shows that it does very little to protect privacy.”
New York’s elected officials would do well to consider that. Among the many problems with the SAFE for Kids Act that was passed over the summer, it had the same issue. It defined app behavior that it deemed problematic when done to children, but it allowed that behavior with parental consent. But the alternative to giving that consent isn’t a safer social media app experience; it’s not using the app at all. (The bill also didn’t really provide any evidence or explanation of why the behavior it addressed was bad, a classic “begging the question” fallacy, nor did it attempt to explain why such behavior would be problematic for a 17-year-old but not an 18-year-old.)
This bill is certainly a step in the right direction, if only because it shows that our legislature is waking up to the threat posed by the mass collection of data by private enterprise. But it falls well short of actual protection.