Mozilla Supports Updates to the Health Breach Notification Rule

[Read our full submission here.]

Privacy is in our DNA at Mozilla, from our privacy-enhancing products to our support for laws and regulations that enshrine privacy for all. In line with our foundational principle that individual privacy and security on the web should never be treated as optional, we have supported a range of US action on privacy, including bipartisan Federal privacy legislative proposals and the Federal Trade Commission’s (FTC’s) Commercial Surveillance and Data Security ANPR.

This week, we submitted a comment supporting the FTC’s Notice of Proposed Rulemaking for the Health Breach Notification Rule (HBNR.) The purpose of the HBNR is to protect non-HIPAA health-related data, such as data from running apps and diet-tracking websites. It does so by requiring certain entities that share health-related information without consent, or experience a data breach, to notify individuals, the FTC, and sometimes the media of the breach of privacy.

The rule already applied to many health apps and websites, as demonstrated by a set of settlements from earlier this year, but the new proposed rule even more clearly delineates the responsibilities of companies running health-related apps or websites.

Mozilla has deep insight into the privacy practices of health-related apps, because our *Privacy Not Included research team recently did deep dives on the privacy policies and practices of mental health and reproductive health apps. They found dismal privacy practices for some of the most sensitive apps they studied. *PNI’s research demonstrates the dire need for this update to the HBNR, and allowed us to suggest two main ways in which the FTC can further strengthen its proposed rule:

The FTC should explicitly define consent (or “authorization”) in the context of the HBNR. We know that many companies will use deceptive designs to trick people into giving consent, for example, and the FTC should clearly state that deceptive consent flows do not count as consent.
We have been early supporters of browser-based privacy signals such as the Global Privacy Control, with proper enforcement; the HBNR should allow users to indicate their lack of consent using these signals. Browser based privacy signals are already recognized in a number of laws and regulations, and make privacy more consumer-friendly.

You can read our full comment here.

Open Policy & Advocacy

Mozilla Supports Updates to the Health Breach Notification Rule

Work Gets Underway on a New Federal Privacy Proposal

Mozilla Weighs in on State Comprehensive Privacy Proposals

Mozilla’s Comments to FCC: Net Neutrality Essential for Competition, Innovation, Privacy

Global Privacy Control Empowers Individuals to Limit Privacy-Invasive Tracking

Mozilla applauds CFPB for taking on the Data Broker Ecosystem

Mozilla Mornings: Choice or Illusion? Tackling Harmful Design Practices

Mozilla Asks US Supreme Court to Support Responsible Content Moderation

The Revival We Need: The FCC Takes On Net Neutrality

Mozilla Meetups – Code to Conduct in AI: Open Source, Privacy, and More

Mozilla Meetups with CDT: Talking Tech Transparency

Continuing to Protect our Users in Kazakhstan

Continuing to Protect our Users in Kazakhstan

It’s time for the G20’s first digital agenda

Mozilla provides feedback to ACM’s DSA Guidelines

Global Network Fee Proposals are Troubling. Here are Three Paths Forward.

Mozilla Mornings on addressing online harms through advertising transparency

The EU’s Current Approach to QWACs (Qualified Website Authentication Certificates) will Undermine Security on the Open Web

Mozilla files comments with the European Commission on safeguarding democracy in the digital age

Mozilla applauds CFPB for taking on the Data Broker Ecosystem

Mozilla Weighs in on Accountability Legislation: Public policies like PATA can help to keep the Internet in the public’s best interest.

Open Fibre Data Standard: Understanding the True Extent of the Internet

Mozilla Meetups: The Building Blocks of a Trusted Internet

The FTC and DOJ merger guidelines review is an opportunity to reset competition enforcement in digital markets

Mozilla submits comments to the California Privacy Protection Agency

European Parliament’s version of the CRA threatens cybersecurity and open source development

Mozilla weighs in on the EU Cyber Resilience Act

Enhancing trust and security on the internet – browsers are the first line of defence

Working in the open: Enhancing privacy and security in the DNS

The Van Buren decision is a strong step forward for public interest research online