FTC Speaks Out On Mobile App Advertising and Privacy
- Do not make false or misleading claims, or omit important information;
- Support objective claims with competent and reliable scientific evidence;
- Disclose key information clearly and conspicuously.
Fortunately for medical device manufacturers, the labeling and promotional requirements imposed by the FDA and the FTC as they relate to medical devices are largely complementary. For example, the FTC requires manufacturers of mobile apps to support claims of health-related benefits with “competent and reliable scientific evidence.” The FDA requires similar substantiation of medical device claims.
While from a marketing perspective the new FTC guidance may not throw any real curve balls at the medical device industry, the guidance also discusses privacy issues that arise from the use of mobile apps. Privacy issues are particularly acute for mobile medical apps, which may collect, store and transmit sensitive medical information. The guidance recommends that, prior to collecting medical information, mobile apps should obtain affirmative consent from the user to collect that data. In addition, app developers should be aware that apps that collect personal information from or about children under age 13 may be subject to additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. In general, the guidance advises that privacy practices should be transparent to mobile app users, who should be made aware of what information the app collects and what the app does with that information. The key privacy guidelines the FTC has identified include:
- Be transparent about data practices;
- Obtain user consent for any collection or sharing of information that is not apparent;
- Obtain user consent prior to collecting sensitive information, such as medical, financial, or precise geolocation information;
- Offer privacy choices that are easy to find and use;
- Honor privacy promises;
- Protect the privacy of children;
- Keep user data secure by:
  - Collecting only the information needed;
  - Taking precautions against well-known security risks to secure the data that is retained;
  - Limiting access to a need-to-know basis; and
  - Safely disposing of unneeded data.