Gov't Buys Data to Bypass Warrants

The Fourth Amendment Is Not For Sale Act seeks to close the loophole that allows government agencies to purchase sensitive data, including geolocation and communications information, from data brokers without a warrant. This practice has been utilized by numerous federal agencies, including the Department of Homeland Security, the FBI, and the IRS, to access personal data that would otherwise require legal due process. The National Security Agency (NSA) has also been confirmed to purchase Americans' internet browsing records from these brokers. Data brokers amass vast quantities of information from various sources like app developers, social media, and public records, creating detailed profiles on individuals. This can include highly sensitive information such as visits to medical facilities or places of worship, political affiliations, and mental health data. A Duke University study found some brokers marketing lists of individuals with conditions like depression and anxiety, sometimes with minimal vetting of the buyers. In response to these practices, states are beginning to enact their own legislation. Montana became the first state to pass a law requiring government entities to obtain a search warrant before purchasing most types of electronic data from brokers. Other states like Washington have passed broader health data privacy laws, such as the "My Health My Data Act," which requires consumer opt-in consent before their health data can be collected or shared. California's Privacy Rights Act (CPRA) also provides consumers with rights over their sensitive health data. The issue has had significant repercussions for consumer health apps. The fertility tracking app Flo Health, along with Google, agreed to a $56 million settlement over allegations of sharing sensitive reproductive health data with third parties without explicit consent. A jury also found that Meta had illegally collected data from Flo app users without their knowledge. These cases highlight the privacy risks when health data, not covered under HIPAA, is collected by consumer-facing apps and shared with data brokers or tech companies. For health tech startups, building user trust is paramount. This involves transparent privacy policies and obtaining explicit, opt-in consent, especially for sensitive health information, a requirement under new state laws like Washington's. Successful apps like Headspace focus on user retention through strategies like gamification, personalized push notifications, and exclusive content, which foster daily engagement and build long-term loyalty. The Federal Trade Commission (FTC) has also increased its enforcement against data brokers. The agency took action against companies like Gravy Analytics, Venntel, and Mobilewalla for selling sensitive location data without proper consent, prohibiting them from selling data that tracks users to sensitive locations like medical facilities and religious organizations. These actions signal a growing regulatory crackdown on the largely unregulated data broker industry. For founders in the digital health space, navigating this complex regulatory landscape is a major challenge. Beyond federal laws like HIPAA, a patchwork of state-level privacy laws is emerging, each with different requirements for consent and data handling. This environment necessitates a deep understanding of data privacy to avoid significant legal and reputational damage, as seen in the multimillion-dollar settlements involving health apps. The debate also extends to how data is collected in the first place. An investigation by Senator Ron Wyden revealed automakers were sharing driving behavior data with brokers, who then sold it to insurance companies, often without clear driver consent. This underscores the pervasive nature of data collection and the challenge for consumers to know how their data is being used, shared, and sold.