US Warnings on Health Tracking, Altman's Worldcoin, Meta's Fine, and more

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter covers:

  • Another warning from US regulators about online tracking tools.
  • A new biometrics venture from OpenAI’s Sam Altman.
  • Meta’s latest fine—issued for misusing data collected from its VPN app.
  • What we’re reading: Three of the best privacy-related reads published in the past week.

US Regulators Warn Healthcare Companies of Tracking Violations

The US Office for Civil Rights (OCR) and Federal Trade Commission (FTC) have written to 130 healthcare providers and telehealth companies regarding their use of tracking tools.

  • The regulators’ letter warns that online tracking tools could violate the Health Insurance Portability and Accountability Act (HIPAA) and the Health Breach Notification Rule (HBNR).
  • The warning follows several years of rulemaking, policy positioning, and enforcement activity under these two laws.
  • The regulators warn against using tools such as the Meta Pixel and Google Analytics, which can result in the prohibited disclosure of sensitive health information.

Are health-related companies still tracking people?

That’s right—tracking tools like the Meta Pixel and Google Analytics apparently still occupy websites and apps operated by hospitals, healthcare facilities, and other health-related services.

This is despite tracking-related FTC actions against a discount drug provider (GoodRX), a remote therapy service (BetterHelp), and an ovulation-tracking app (Premom) already this year—plus various warnings and policies issued since 2022.

But HIPAA covers disclosures of protected health information, and the HBNR covers security incidents. How are these laws relevant?

Whether or not HIPAA and the HBNR were originally intended to cover technologies like cookies, pixels, and APIs, that is how these regulators are now interpreting these laws.

The OCR and FTC are clear that using such tools could result in “impermissibly disclosing consumers’ sensitive personal health information to third parties”—an activity that is forbidden under both laws.

So is using these tools illegal for health-related companies?

Not necessarily. In their letter, the regulators “strongly encourage” health-related companies to review the relevant laws and check if their use of tracking tools is legal.

A major problem seems to be that many companies do not realize they are using tracking tools or—if they do realize these tools are installed on their properties—what such software actually does.

It’s possible that, with proper notice and consent, using a tool like the Meta Pixel might not violate these regulations—although many health-related companies might prefer to play it safe.

As always, the starting point is understanding what data you’re collecting, what data you’re sharing, and why you’re collecting or sharing it.
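One practical way to get that starting point is to inventory the requests a site's pages actually make and flag those that go to known tracking endpoints, then look at what those requests carry (tracking pixels typically echo the page URL and an event name, so a URL like /conditions/diabetes ends up in the third party's hands). The script below is an added example, not code from this newsletter or from Privado.ai; the tracker endpoint table, the list of "sensitive" keywords, and the sample request log are all constructed for illustration, and the site name clinic.example is a placeholder.

```python
"""Flag browser requests that send page context to known tracking endpoints.

Added example (not from the newsletter or Privado.ai). The endpoint table,
keyword list, and sample log are constructed for illustration only.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed table of well-known tracker collection endpoints: (host, path prefix) -> name.
TRACKER_ENDPOINTS: Dict[tuple, str] = {
    ("www.facebook.com", "/tr"): "Meta Pixel",
    ("www.google-analytics.com", "/collect"): "Google Analytics (Universal)",
    ("www.google-analytics.com", "/g/collect"): "Google Analytics 4",
    ("analytics.google.com", "/g/collect"): "Google Analytics 4",
}

# Constructed keywords that suggest a page or parameter carries health context.
SENSITIVE_HINTS = ("condition", "diagnosis", "appointment", "provider", "medication", "symptom")


def classify_request(url: str) -> Optional[dict]:
    """Return a finding if `url` targets a known tracker, otherwise None.

    The finding lists which sensitive keywords appear anywhere in the request's
    query-string values (after percent-decoding), which is where pixels usually
    place the referring page URL (dl, url, u) and event name (ev, en).
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    for (t_host, t_path), name in TRACKER_ENDPOINTS.items():
        if host == t_host and parsed.path.startswith(t_path):
            params = parse_qs(parsed.query)
            echoed = " ".join(v for values in params.values() for v in values).lower()
            hints = sorted({h for h in SENSITIVE_HINTS if h in echoed})
            return {"tracker": name, "url": url, "sensitive_hints": hints}
    return None


def scan_request_log(urls: List[str]) -> List[dict]:
    """Run classify_request over a list of request URLs and keep the findings."""
    findings = []
    for url in urls:
        finding = classify_request(url)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: outbound requests captured while loading a clinic's pages.
SAMPLE_LOG = [
    "https://clinic.example/appointments/book?provider=dr-smith",
    "https://www.facebook.com/tr?id=PIXEL-ID-PLACEHOLDER&ev=PageView"
    "&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fdiabetes",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER"
    "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Fbook%3Fprovider%3Ddr-smith&en=page_view",
    "https://cdn.example/static/app.js",
]


if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        flag = ", ".join(f["sensitive_hints"]) or "none"
        print(f"{f['tracker']}: sensitive hints = {flag}\n    {f['url']}")
```

Run against a real capture (for example the request URLs exported from the browser's network panel), the same scan shows which third parties receive page context and whether that context includes pages a patient would consider sensitive; the keyword list is deliberately crude and is meant as a first pass before a human review of each flagged request.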

OpenAI CEO Launches Worldcoin Project, Exchanging Biometrics for Cryptocurrency

OpenAI CEO Sam Altman has launched a new project, Worldcoin, which provides a digital identity service together with a cryptocurrency and app.

  • Worldcoin derives a “World ID” digital identifier from iris prints collected in person via “Orbs” located in several cities.
  • The company claims that biometric information is quickly deleted once a World ID has been generated.
  • On Monday, individuals in London were offered £40 (around $51) in Worldcoin’s cryptocurrency (WLD) after submitting their iris prints to the Orb.

What is Worldcoin?

There seem to be three strands to Altman’s new Worldcoin project: a digital identity product, “World ID”, a cryptocurrency, “Worldcoin” (WLD), and the “World App”, which holds the World ID and provides a wallet for WLD tokens.

Why is Altman doing this?

Worldcoin is not alone in offering biometric digital identification services. This market is growing, and several companies are vying to become the provider of a digital ID that can be used across different contexts (such as accessing online services, buying certain goods, and banking security).

What about the cryptocurrency?

For now, it appears that the Worldcoin currency, WLD, is being used as a sweetener to encourage people to gaze into an “Orb”, a device designed to scan people’s irises and derive biometric information.

If both the digital identity and cryptocurrency aspects take off, however, that is a recipe for some serious financial gain.

“Submitting an iris print to the Orb” sounds worthy of deep GDPR compliance consideration…

Yes, this. Worldcoin says your iris print never leaves the Orb—only the World ID derived from it is sent to Worldcoin. Nonetheless, creating the World ID from an iris print is processing biometric information—a type of “special category data” under Article 9 GDPR.

What’s Worldcoin’s legal basis for processing under Article 9 GDPR?

It appears from this privacy notice that Worldcoin is relying on “explicit consent” to process biometric information and store the resulting World ID on the blockchain.

There might be issues here. Is consent “freely given” if people are only submitting an iris print to get crypto coins? How can people withdraw consent if the data is stored on the supposedly immutable blockchain?

The UK Information Commissioner’s Office (ICO) is reportedly looking into Worldcoin—but other providers of biometric services have come out of ICO investigations intact, such as facial recognition firm Facewatch.

Meta Fined By Australian Regulator Over VPN Privacy Violations

Meta has received an AUD 20 million ($13.5 million) fine from the Australian Competition and Consumer Commission after the company allegedly surveilled Australians via a VPN app.

  • Meta acquired the VPN provider Onavo Protect in 2013.
  • The Australian regulator found that Meta used Onavo to track Australians’ device activity and share the data with Facebook Israel (now Meta Platforms Israel).
  • The AUD 20 million fine is split equally between Onavo and Meta Platforms Israel.

How did Meta use this VPN app?

When a person uses a VPN, the app routes the user’s data through the VPN provider’s servers.

In theory, this means requests for online resources (such as a webpage) come from the VPN provider’s IP address rather than the user’s—shielding the user’s identity from everyone except the VPN provider.

In this case, though, it appears that Onavo was sharing data about people’s online activity with its sister company, Meta Platforms Israel.

Why is the Australian consumer protection regulator dealing with this?

According to the Australian Competition and Consumer Commission, Onavo Protect was downloaded 270,000 times between February 2016 and October 2017.

Australia’s Privacy Act is somewhat weak compared to the data protection laws of countries with similarly sized economies. As such, the consumer protection angle is sometimes more effective for tackling privacy-related issues.

The Commission criticized Onavo Protect’s privacy promises and general marketing approach—the app, of course, was offered as a way to enhance people’s privacy rather than diminish it.

There seem to be competition concerns here, too.

What are the competition concerns?

Leveraging the Onavo Protect app to gain insight into people’s device activity, Meta appears to have observed in 2013 that users were leaving its Facebook Messenger app in favor of WhatsApp.

The next year, Meta bought WhatsApp—just one of nearly 100 acquisitions the company has made since it was founded in 2004.

What We’re Reading

Here are some recommendations for the best privacy-related reading published this week.
