The FTC Weighs in With Mobile App Advice

September 24, 2012

Those of us engaged in medical devices and their connectivity often (or perhaps not often enough) look to the FDA for regulation and guidance. In these pages there has been discussion of FDA regulation generally (here), as applied to Medical Device Data Systems (MDDS) (here), medical device mobile apps (here and here), and clinical decision support systems (here).

We sometimes remember that there are also other government agencies that may have an impact on what we do. For example, the role of the FCC has been discussed here with respect to medical device wireless applications, and more recently the prospect of the FCC taking away part of the Wireless Medical Telemetry Spectrum (WMTS) has received attention in clinical engineering circles (while no one else seems to care). CMS is always of interest with respect to medical device reimbursement, and more recently with respect to meaningful use of electronic health records (EHR), which may or may not be medical devices. Advertising of medical devices is regulated by both the FDA and the FTC, and some over-the-counter devices bridge the FDA and Consumer Product Safety Commission divide. The FTC (but curiously not the FDA) has previously gone after smartphone acne treatment apps because of their “baseless claims.” When there is dual authority and a need for regulatory action, I have wondered if having two responsible agencies is worse than having just one (leading to some new math such as 1+1 < 2, and might even be < 1).

This month the FTC has weighed in on mobile apps in general with a brief guidance document entitled Marketing Your Mobile App: Getting it Right From the Start. This guidance is not aimed specifically at the medical arena, but such apps are not excluded. The broad topics covered by the FTC are truth-in-advertising and privacy. The specific topics are (1) truthfulness about what the app can do, (2) disclosing key information clearly and conspicuously, (3) built-in privacy protection, (4) transparency about data practices, (5) clear privacy choices, (6) actually following stated privacy practices, (7) attention to specific privacy practices for children as required by law, and (8) data security.

Certainly truthfulness about what an app can do (and not do) is an important issue for medically oriented products. When apps purport to provide diagnostic results or “advice,” it is important for the claims to be based on “competent and reliable evidence” and for the user to understand the basis for asserting the claims, including the underlying science and the population to which it applies. Wrong advice can clearly be harmful if it leads the user to undertake an unnecessary treatment, or to forgo seeking medical attention. Apps that rely on user-specific data rather than just being an electronic book are probably of greater concern because of their perceived relevance and authority, but even simple look-up information can be dangerous if incorrect. These issues were the substance of the FDA’s mobile app actions cited above.

The second point on clear disclosure is the first cousin of truthfulness. Such disclosure takes on particular relevance when claims are made boldly but disclaimers (e.g. do not rely on this app) are hidden away. Hyperlinked disclaimers are of particular interest here in the sense that if the user has to virtually go somewhere else to get the information, has that information been adequately disclosed?

Data collection, data security and secondary data uses (e.g. marketing) also have particular resonance for medical apps in that the data may include personal medical information rather than the usual panoply of location, financial details, address book, etc. Here the FTC suggests that information collection be associated with an affirmative agreement and that what is collected, how it will be used, and how to opt out should be “clear and conspicuous”. This should include information that the user actively provides as well as information that the app can collect on its own.

While the FTC has addressed apps in general in this guidance, the principles are straightforward, and proper consideration of these principles must be added to concerns about whether an app is or is not a medical device subject to FDA regulation. Moreover, I can find a modernized version of the golden rule here: Don’t have your app do to others what you don’t want their app to do to you.