II. Scoping

The variety of technologies, platforms, apps, and Direct-to-Consumer (DTC) business models and the emerging use of these for unregulated or underregulated research pose an initial scoping question. It is insufficient to merely point to unregulated conduct or an unregulated space. What, therefore, are the narrowing criteria? Are all technologies included or only “devices”? Do the issues arise within the traditional healthcare system or only outside it in “disruption” space?

The answer seems to be twofold. First, the technologies of concern are consumer-facing. Second, they rotate in some way around consumer-generated or -aggregated data. As to the first, the technologies include not only mobile platforms and their native apps but also web apps, social media platforms, and their apps. Because of the likely technological mediation and data models, the products of interest extend to DTC diagnostic or genetic data devices.

Because data are non-rival, they can exist in more than one place. For example, clinical data held by a health care professional generally would not be viewed as consumer data. However, that same data, once accessed by the data subject through an app or device, would be included as patient-curated. Similarly, health, wellness, or research data generated by a patient’s mobile platform or by a wearable device would be included.

III. Analytical Model

This brief article limits its analyses to the two regulatory systems of greatest importance regarding current consumer-facing health technologies: data protection and safety.^{Reference Terry, Gunter, Huckvale, Torous and Larsen1} To better understand existing regulatory models, their deficiencies, and how they should be reformed, it is helpful to explain these regulatory systems across two axes. The vertical axis describes the quantity or depth of regulation, such as, for example, the strictness of the rules imposed by the regulatory model. The horizontal axis describes the reach of the regulation, the behaviors, products, or industries to which the regulation applies.

First, take data protection (Figure 1). Rather than all industries being covered by a single data protection regime (as is the case with the European General Data Protection Regulation, or GDPR²), in the U.S., different sectors have their own rules. For example, the Gramm–Leach–Bliley Act (GLBA) governs consumer privacy in the financial sector³ while the HIPAA Privacy, Breach Notification, and Security rules govern patient privacy in most traditional health care settings. However, these rules apply only to HIPAA-covered entities or their “business associates.”⁴ In contrast, the HIPAA rules seldom will apply to consumer-facing health technologies enabling patient-generated orcurated data as they will be provided by mobile platform manufacturers or sourced from online app stores.

Figure 1.

Absent specific sectoral data protection, industries such as those that supply consumer-facing web or device apps, are not subject to any robust form of federal data protection. While the Federal Trade Commission (FTC) has overarching jurisdiction, even overlapping with HIPAA in some health care cases,⁵ its prohibitions on “unfair or deceptive acts or practices in or affecting commerce”⁶ are thin and limit agency actions to parsing privacy policies or other representations by sellers^{Reference Tressler7} or, occasionally, pushing back against repeat offenders.⁸

Even where the HIPAA rules do apply, they are somewhat limited on the vertical axis. Those rules only regulate downstream, post-collection interactions with patient data such as unauthorized disclosure (The Privacy Rule), not upstream, collection-limiting interactions such as the data minimization or purpose limitations required by the GDPR^{Reference Terry9} or the somewhat exceptional U.S. prohibitions on the collection of genetic data provided for in the Genetic Information Nondiscrimination Act of 2008.¹⁰

Similar limitations play out regarding the safety of consumer-facing web or device apps (Figure 2). Most health-related drugs and devices will be regulated by the FDA. However, the overwhelming majority of consumer-facing products will be regulated separately by the U.S. Consumer Product Safety Commission (CPSC)¹¹ while some FDA or non-FDA devices may be subject to other (and narrow, domain-specific) regulatory requirements such as the Federal Communications Commission’s rules on devices emitting radio frequencies.¹² On the vertical axis of product safety, and stated in broad terms, FDA drug regulation is arguably the strongest (and stronger than its regulation of devices or food). The CPSC has a relatively shallow safety jurisdiction; although it does exercise regulatory powers to ban some products or their components,¹³ most of its jurisdiction is reactive, banning or recalling products proven to be dangerous.¹⁴ In this regard, the CPSC’s role in product safety somewhat resembles the FTC’s role in the data protection space.

Figure 2.

Overall, although somewhat fragmented, the regulation of products is less susceptible to regulatory arbitrage¹⁵ than current U.S. data protection laws. This is because the regulatory touchstone is a product type (for example, a device or a drug) rather than a type of data custodian (for example, a HIPAA-covered entity).

The regulatory touchstone for the regulation of health-related product safety is a subset of product: “device” as defined in the Federal Food, Drug, and Cosmetic Act.¹⁶ On the horizontal axis, albeit already one limited to the medical domain, “device” has had an expansive meaning within that domain. It applies to software (software as medical device or SaMD) as well as hardware¹⁷ and is not limited by market, applying equally to products distributed directly to consumers and through health care providers.¹⁸

Recently, however, that conception of medical device has begun to shrink. This may be a function of the FDA and Congress believing that large swathes of consumer-facing devices are very low risk or that overregulation was stifling innovation.¹⁹ Whatever the reason, the FDA first started to shrink the products it would regulate by issuing sub-regulatory guidances noting that it would exercise regulatory discretion with regard to certain types of products.²⁰ In 2016 Congress went further in the 21st Century Cures Act (Cures), excluding “a software function that is intended … for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition”²¹ (Figure 3)..

Figure 3.

The FDA’s Digital Health Innovation Action Plan²² likely will result in still more consumer-facing devices being removed from direct regulatory scrutiny. The Action Plan’s centerpiece is the agency’s Precertification (Pre-Cert) Program that certifies manufacturers and their safety-testing protocols that evidence “excellence.”²³ The internal processes of these certified manufacturers are then used as a surrogate for traditional agency review.²⁴ Manufacturers who have been certified in the Pre-Cert pilot program include several manufacturers of consumer-facing platforms and apps such as Apple, Fitbit, and Samsung. The devices that are no longer subject to traditional FDA processes either, as is the case with Pre-cert products, will attract reduced regulation (for example, post-marketing surveillance only) or with “devices” exempted by the Cures Act, henceforth will be subject to the reduced protection offered by the CPSC or ex-post state products liability law.^{Reference Terry, Wiley and Steinberg25}

Device regulation is also limited on the vertical axis. Historically, the FDA has approved devices that are reasonably safe and “effective for a particular use”²⁶ or efficacy. These are relatively limited criteria given that, increasingly, consumer-facing health and wellness devices are viewed as substitutes for aspects of clinical care, such as preventative care, physical surveillance, and chronic disease management. Contemplation of such substitutions suggests that consumers would benefit from information not only about a device’s safety and efficacy but also its comparative effectiveness or cost effectiveness with regard to other devices or treatments.^{Reference Drummond, Tarricone and Torbica27} The FDA also is noticeably reticent about reviewing devices for data protection risks. The FDA has partially recognized these and has issued sub-regulatory guidances to device manufacturers about security risks,²⁸ and advanced device cybersecurity is one of the pillars of the agency’s Medical Device Safety Action Plan.²⁹

There have been a small number of attempts to patch, or at least better explain or clarify, the fragmented nature of both regulations and regulators. Sub-regulatory guidances issued by the FDA are examples. Further, in 2016 the Office of the National Coordinator, the FTC, and the FDA jointly issued an interactive tool to advise health app developers to the potential applicability of HIPAA, the FDA’s device regulation, the FTC’s jurisdiction over deceptive or unfair acts, and the FTC’s Breach Notification Rule for personal health records.³⁰

Overall, however, the data protection and safety regulatory models applicable to health or health research consumer-facing technologies exhibit critical levels of underregulation and considerable fragmentation at both the regulation and regulator levels. Their under-regulation is most obvious on the vertical axis, with U.S. models applying quite low levels of protection for consumers, particularly given the sensitive nature of health and wellness information and the potential for surveillance and discriminatory misuse.

Fragmentation is most obvious on the horizontal axis, engendering consumer confusion as to what regulation or which regulator applies to a technology or, worse, encouraging businesses to exploit differential regulatory models through arbitrage. The most obvious example of the latter is the ability of data brokers to essentially recreate clinical records (that, in identified form, are protected by HIPAA) outside HIPAA-regulated space with social media and other types of medically inflected data.^{Reference Terry31}

A broader question about regulatory fragmentation also is emerging: are questions about data protection and safety sufficiently separate (witness the concerns over the security of medical devices^{Reference Van Wagenen32}) to justify discrete regulatory systems or — and this seems to be even more crucial at the data-product intersection — would a more holistic model be preferable? This is a question that appears particularly critical as data and device merge such as in products that make extensive use of artificial intelligence.^{Reference Terry33}

IV. Legislative Models

The obvious but politically unlikely model for reforming the regulatory models applicable to consumer-facing technologies is twofold. First, the regulatory frameworks should be far more inclusive as to the producers or products they pertain to (the horizontal axis). Second, they should be more robust in their substantive regulation (the vertical axis).

The GDPR data protection framework is most typically favored by pro-privacy reformers seeking to improve the data protection applicable to consumer-facing health technologies in the U.S. In broad terms, the GDPR increases data protection and minimizes regulatory arbitrage by using broad inclusive language such as “personal data,” “data subject,” and “processing” to define the regulation’s horizontal scope.³⁴ On the vertical axis, it sets out clear principles by which to limit data collection and processing, such as transparency, a purpose limitation, and data minimization.³⁵

In the United States, the closest analogue to the GDPR is California’s Consumer Privacy Act of 2018, effective in January 2020.³⁶ That statute promotes (initially at least) broad applicability on the horizontal axis by establishing “consumer” rights and “business” duties (rather than protecting only narrow domains) and expressly including biometric and health insurance information.³⁷ On the vertical axis, the statute primarily relies on a transparency model requiring data custodians to disclose what information they hold about a data subject and whether it is being sold or otherwise disclosed. The data subject can stop the sale of the information and cannot be discriminated against in service or if they exercise their rights.³⁸ However, domain carveouts for HIPAA entities and human subjects research data³⁹ derogate somewhat from what at first sight seemed domain agnosticism. As a result, the statute perpetuates some data protection fragmentation on the horizontal axis. Notwithstanding, even with that flaw, the statute dramatically increases the protection of data collected or generated by consumer-facing health technologies as evidenced by the attempts of Google and other consumer-facing technology companies to weaken the legislation before it can take effect.^{Reference Lindsey40} Not surprisingly, the California statute has been viewed as a possible model for enactment by other states.^{Reference Murphy41} The California statute also seems to have engendered corporate support for increased federal data protection.^{Reference Lapowsky42} However, once scrutinized, those interests actually favor a series of lesser protections that, crucially, would be accompanied by a provision preempting the California statute and any state laws that may mimic it.⁴³

There is legislative interest in extending data protection. It finds expression either in general statutes such as California’s or enactments that protect, for example, narrower slices of data such as biometric data.⁴⁴ However, the same cannot be said of device safety. Indeed, all indications are that the FDA remains committed to its existing model and its Pre-cert carve-out, notwithstanding questions that have been raised as to both its functioning and its statutory basis.⁴⁵ For example, the FDA has not only released an upgraded framework for Pre-cert but also indicated that it may adopt a similar structure for other challenging SaMD products such as “unlocked” AI/ML algorithms.⁴⁶

V. Policy Frameworks

In the absence of broad protections that feature domain agnostic applicability (horizontal axis) and robust, multi-factor protections (vertical axis), policy-makers need to concentrate on more specific problems and solutions. One way to prioritize and calibrate regulatory and non-regulatory interventions is through examining the extent to which market or similar relationships can achieve at least basic protections.

Thus, regulatory priority should be given to situations where there is no direct or market relationship between the consumer and the data custodian such that questions of consent to collection or processing could be negotiated (Figure 4). This is most clearly exemplified by the data-broker industry that is collecting both deidentified clinical data and identified or identifiable consumer-generated health or research data.^{Reference Melendez and Pasternack47} Other than the specific authority enjoyed by the FTC under the Fair Credit Reporting Act to regulate some data brokers who are also consumer reporting agencies,⁴⁸ the only meaningful data-broker legislation is Vermont’s: a 2018 statute requires data brokers to register with the state (over 120 have so far^{Reference Melendez49}) and to note whether they permit consumers to opt-out of data collection.⁵⁰

Figure 4.

Consumers have no relationship with such data custodians and, in all likelihood and unless they live in Vermont, do not know their identity, whether they have data relating to them, or how they can be contacted. Notwithstanding the many earnest government reports noting the problems associated with an unrestrained data broker industry, there has been no meaningful federal response.^{Reference Terry51}

At the other extreme, of course, there will be situations where there is a direct (and likely market) relationship between the consumer and the data custodian or device/service distributor. In such cases, a rational expectation would be that, for example, consumers will be attracted to platforms that espouse greater privacy and security or at least make rational tradeoffs between data protection and other features. This is certainly the bet that Apple is making to differentiate their products and services from other technology companies interested in the health space such as Facebook and Google.⁵² For example, Apple has introduced an email relay that lets users receive email from third parties while keeping their actual email addresses private.⁵³ Similarly, Apple Pay and Apple Card enable privacy and security seldom seen in the financial services space.⁵⁴

The consumer-facing health app space provides an opportunity for developers to differentiate themselves on the basis of data protection. However, few do. Fertility or menstrual cycle tracking apps are a good example with the leading apps selling deidentified, aggregated data not only to researchers and marketing companies but also employers and health insurers.^{Reference Harwell55} In contrast, “Euki,” an app developed by the Women Help Women non-profit organization keeps all the data the user generates on-device not in the cloud such that only the user and neither the platform owner nor the developer has access.⁵⁶

Of course, some consumers (perhaps undereducated as to the seriousness of the tradeoff) may place a high value on “free” services that are provided in exchange for personal information. At the extreme, this conjures up the dystopian idea of “surveillance capitalism” whereby businesses provide free access to social interactions, search, or even healthcare in exchange for untold amounts of consumer, including health, data.^{Reference Zuboff57} The dominant data protection model in the direct relationship scenarios remains bankrupt notice and consent, which provides at best illusory “protection.”^{Reference Sloan and Warner58} Although some more privacy-protective companies have begun to use opt-in⁵⁹ rather than the usual opt-out version, overall, even where there is some direct relationship, some additional data regulation will still be required to correct market failure. The regulatory priority in such cases should be to consign notice and comment to history and impose a California-like “right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”⁶⁰ Additionally, some data minimization based on a purpose limitation should be considered.

In between these two extremes (market/no market relationship) are situations where the relationship between consumer data subject and business data custodian is mediated in some way by a powerful or responsible infomediary or intermediary, enabling private ordering or soft law. As to the former a recent example is Google’s decision to stop taking ads for “unproven or experimental medical techniques,” specifically targeting ads for stem cell therapy.⁶¹

Platform owners are also market-aligned regulators, particularly powerful intermediaries capable of imposing technical barriers to curtail abusive behaviors of businesses using their platforms. For example, both Google and Apple have introduced software on their platforms to intercept robocalls made to consumers.^{Reference Purdue62}

Additionally, some market-dominating platforms require that all apps must be distributed from app stores controlled by the platform owners. Thus, Apple’s App Store rules prohibit developers from using “data gathered in the health, fitness, and medical research context … for advertising or other use‐based data mining purposes other than improving health management.” The Apple App Store also requires that developers of apps that use the HealthKit framework publish privacy policies and imposes additional restrictions on developers whose apps use HealthKit to support clinical research.⁶³ The credibility of such intermediaries in protecting consumers data and safety can be increased when the businesses have strong internal ethics boards or similar machinery, although the opposite is also true and credibility is lessened when such boards fail.^{Reference Piper64}

In the healthcare space, IRBs have long been the quintessential intermediaries, protecting research subjects from overreaching by researchers and some consumer-facing technologies leverage IRBs by requiring their participation in technologically-mediated research.^{Reference Comstock65} However, the majority of the citizen research considered herein will take place without IRB approval or the participation of other professional intermediaries by approaching consumers directly, as in the case of DTC genetic testing.

Traditionally physicians have played an important role in mitigating the risks suffered by patients. Not only do they owe duties of confidentiality regardless of the HIPAA rules and are required intermediaries in the distribution of prescription devices, but they are also important infomediaries with regard to over-the-counter drugs, devices, and increasingly apps. As such, there are some opportunities for healthcare providers to reassert their role by curating or recommending certain consumer-facing technologies that intrinsically or legally do not cast providers as learned intermediaries. However, the incentives are not well aligned here because healthcare professionals or institutions could face some legal jeopardy if they recommend or curate consumer-facing technologies that implicate consumer privacy or safety.⁶⁶