Science 14Feb2020

SCIENCE sciencemag.org

PHOTO: WESTEND61/GETTY IMAGES


By Jessica L. Roberts^1,2 and Jim Hawkins^1,3

Digital health technology companies, such as health-related apps and websites, handle unprecedented amounts of highly sensitive user data, including information about a person’s genetics, the timing and duration of her periods, her self-reported mental state, and the dates she sees a given health care provider. Although they collect these intimate data and provide users with health-related information, most digital health tech companies are not actually health care providers; thus, laws and regulations that typically govern the collection and use of health data often do not apply to these companies in the United States. Many of these companies reserve the right to unilaterally change their terms of service (ToS), often without users’ consent. Users have little legal recourse if they feel a company has violated their privacy or inappropriately shared their data through unilaterally amending the ToS. We explore how legislators could limit the ability of companies to change key aspects of their ToS unless consumers opt in to adopting the changes. These and similar legislative innovations could offer needed consumer protections in the context of digital health tech—and beyond.
Many types of companies collect, warehouse, and commercialize all kinds of data from consumers. However, in the context of digital health tech, consumers—many of whom don’t read the fine print—may assume that privacy safeguards are in place, on the basis of their previous experiences with health care and biomedical research. Despite the limited regulation of digital health tech relative to formal health care providers, users could rely on these services when making important decisions such as those related to mental health, genetic risk, or procreation. And some companies may cultivate that reliance, blurring the line between what is and isn’t health care. For example, Clue, a period-tracking app, promises its users “predictions you can trust” that are “based on the most up-to-date science” and that the company “collaborate[s] with scientists and universities to ensure continuous improvements” (1). Users may then reasonably believe they are receiving something on par with medical care, with all of its ensuing protections, despite disclaimers on the part of the companies that they are not health care providers.
ToS outline users’ rights and companies’ obligations regarding data collection and protections for privacy. When something goes wrong with a product, the company’s ToS govern the dispute. Generally, by purchasing and using the product, the consumer agrees to the company’s terms. Consumers might select one company over another based on its vow to secure their data, only to have that company change its policy unilaterally and share its users’ information in a way that is objectionable to the consumer.
Moreover, unilateral amendments could diminish the value of information produced by digital health tech companies. For instance, consumers agreeing to terms that are less protective of privacy may differ from consumers who agree to strong privacy terms. This difference could introduce consent bias, rendering data produced from the product less reliable.
Some companies promise to notify consumers of changes to their ToS. The online therapy service TalkSpace informs its users that “from time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice” but promises its users that “we will contact you before we use your data for these new purposes to notify you of the policy change and to provide you with the ability to opt out of these new uses” (2). Other digital health tech companies take a different approach. AncestryDNA’s ToS provide that the company maintains “the right to modify these Terms or any additional terms that apply to a Service at any time, including to reflect changes to the law or changes to our Services” (3). Users who do not wish to consent to the new terms are invited to stop using AncestryDNA’s services.
Whereas AncestryDNA promises to inform its users of any “material changes” through posts or by email, one of its competitors, 23andMe, explains that “23andMe may make changes to the TOS from time to time” but makes no promise to notify users by email (3, 4). Instead, it simply agrees that it will “make a new copy of the TOS available on its website” and that “any new additional terms will be made available to you from within, or through, the affected Services” (4). MyFLO, another period-tracking app, is even more ambiguous, stating in its privacy policy that “this policy may be changed at any time

DATA AND REGULATION

When health tech companies change their terms of service

Consumers may have limited control over their data

POLICY FORUM

Consumers might choose a company based on its privacy and data sharing policy, only to have that company change its policy unilaterally.

^1 University of Houston Law Center, Houston, TX, USA.
^2 College of Medicine, University of Houston, Houston, TX, USA.
^3 Daniels & Tredennick LLP, Houston, TX, USA.
14 FEBRUARY 2020 • VOL 367 ISSUE 6479 745
Published by AAAS
