When someone downloads a new application, one of the first steps is usually agreeing to the terms of service of that app. That (usually mindless) sign-off creates a contract between the app company and the user. Usually, contracts happen when two parties sit down and agree on terms. But for consumer products like apps, companies are in control.That’s even true for health apps, which collect sensitive and personal information on their users. These apps collect health data, but often, they are not governed by HIPAA, the law that says health care providers have to keep health information private. Companies developing health apps can unilaterally decide to change their terms of service and might only post the changes to their website or let their customers know about the changes via email — without giving them a chance to agree to the new terms. That means someone might sign up when a company promises a certain level of privacy, but that policy could change after they’ve already provided months’ worth of data.
It concerns Jessica Roberts, director of the Health Law and Policy Institute at the University of Houston, and Jim Hawkins, law professor at the University of Houston. “I think people generally have no idea they might agree to one set of terms, and it could change to another set,” Hawkins says. Roberts and Hawkins recently wrote an op-ed in the journal Science encouraging Congress to require companies to allow people to opt in (or out) of major changes to terms of service on health apps. The Verge spoke to Roberts and Hawkins about their proposal and why they think things need to change.
Data brokers then aggregate this deidentified health information and sell it to third party buyers; for example Adam Tanner of the Harvard Institute for Quantitative Social Science estimates that a large pharmaceutical company might pay between $10 million and $40 million per year for data, consulting and services from Iqvia alone.
This interview has been lightly edited for clarity.
Terms of service are long and can bedifficult to read. Why do they matter?Jim Hawkins: They’re important because they govern the relationship between the consumer and the company. If the consumer is upset with something the company has done, they only have redress to the extent the law provides or the terms of service provide.
VCH declined an interview and provided an email statement that said, in part, their health authority “has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously.” They also said they recently made changes to their systems to limit patient information sent through paging broadcasts and are working with B.C.’s Office of the Information and Privacy Commissioner as they “move to alternate technologies.”.
That seems like it would be a problem for all apps. But is it more of an issue with health apps?Jessica Roberts: When you’re talking about digital health technology, that’s something different than Angry Birds. People are uniquely vulnerable when it comes to their health, with respect to intrusions on privacy. People might reasonably think, “This app is collecting my heart rate. That’s health information, so HIPAA should apply.” But that’s not the case.
Companies are explicit in their terms of service that they’re not providing health care. They’re not health care providers. So the typical legal protections don’t apply, just the terms of service.
JH: If you have a mental health app and have been tracking feelings of depression over time, you might have relied on the fact that the terms of service said your information will never use in promotional materials. And suddenly, the company changes the terms of service. You might look at the webpage one day and see that it says “Look what one user said about our service.”
What happens if I don’t agree to a company’s new terms and conditions?
JH: There’s no alternative. If you want the product, want an app, want a website, you pretty much have to agree to the unilateral amendment. A lot of times, people will pay more for privacy. But if you pay more and they change the terms, you’re still paying more. You just aren’t getting what you paid for.
JR: The customer consents to the new terms by continuing to use those services. If the consumer then discovers the change and doesn’t like it, [their] only recourse right now is to stop using that service. That’s another reason consumer health is important in this area. If I’ve been storing all of my health data in one of these apps, if I stop using it, I could also lose all of that data and the potential benefits I could gain should I choose to share it with my health care provider. The stakes are particularly high.
Is there anything that could stop this from happening?
JR: In the US, these unilateral amendments to terms of service tend to be enforceable. There is some benefit to allowing companies to unilaterally change in response to industry regulation or customer feedback. Our concern is that they could change the terms in a way that would impact consumers negatively. Consumers don’t have the opportunity to opt out.
In other countries, they regulate the ability for companies to make unilateral amendments more closely.
I like the sound of that. Could we handle this more like those countries do?JH: We’re arguing that Congress should stop in and say, “For any substantial terms that are changed, people should have the right to opt out and keep using the app under the old terms of service they signed up with.”
What would that mean for app users?
The Wall Street Journal’s Rob Copeland wrote that the data amassed in the program includes “lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, complete with patient names and dates of birth,” and that as many as 150 Google employees may have had access to the data.
JR: It would require the companies to be more transparent about what’s in their terms of service and about any potential changes. Right now, to be clear, if a company unilaterally changes their terms of service, they might email you, but they might not. Our hope is that, by giving users the opportunity to actually opt in to changes, it empowers the consumer, but it also encourages companies to be more transparent.