
Mozilla Supports Updates to the Health Breach Notification Rule

[Read our full submission here.]

Privacy is in our DNA at Mozilla, from our privacy-enhancing products to our support for laws and regulations that enshrine privacy for all. In line with our foundational principle that individual privacy and security on the web should never be treated as optional, we have supported a range of US action on privacy, including bipartisan Federal privacy legislative proposals and the Federal Trade Commission’s (FTC’s) Commercial Surveillance and Data Security ANPR.

This week, we submitted a comment supporting the FTC’s Notice of Proposed Rulemaking for the Health Breach Notification Rule (HBNR). The purpose of the HBNR is to protect health-related data not covered by HIPAA, such as data from running apps and diet-tracking websites. It does so by requiring certain entities that share health-related information without consent, or that experience a data breach, to notify individuals, the FTC, and in some cases the media of the breach of privacy.

The rule already applied to many health apps and websites, as demonstrated by a set of settlements from earlier this year, but the new proposed rule even more clearly delineates the responsibilities of companies running health-related apps or websites.

Mozilla has deep insight into the privacy practices of health-related apps, because our *Privacy Not Included research team recently did deep dives on the privacy policies and practices of mental health and reproductive health apps. They found dismal privacy practices for some of the most sensitive apps they studied. *PNI’s research demonstrates the dire need for this update to the HBNR, and allowed us to suggest two main ways in which the FTC can further strengthen its proposed rule:

  • The FTC should explicitly define consent (or “authorization”) in the context of the HBNR. We know, for example, that many companies use deceptive designs to trick people into giving consent, and the FTC should clearly state that deceptive consent flows do not count as consent.
  • We have been early supporters of browser-based privacy signals such as the Global Privacy Control, backed by proper enforcement; the HBNR should allow users to indicate their lack of consent using these signals. Browser-based privacy signals are already recognized in a number of laws and regulations, and they make privacy more consumer-friendly.

You can read our full comment here.