When health tech companies change their terms of service

Consumers might choose a company based on its privacy and data sharing policy, only to have that company change its policy unilaterally.

PHOTO: WESTEND61/GETTY IMAGES

Digital health technology companies, such as health-related apps and websites, handle unprecedented amounts of highly sensitive user data, including information about a person's genetics, the timing and duration of her periods, her self-reported mental state, and the dates she sees a given health care provider. Although they collect these intimate data and provide users with health-related information, most digital health tech companies are not actually health care providers; thus, laws and regulations that typically govern the collection and use of health data often do not apply to these companies in the United States. Many of these companies reserve the right to unilaterally change their terms of service (ToS), often without users' consent. Users have little legal recourse if they feel a company has violated their privacy or inappropriately shared their data through unilaterally amending the ToS. We explore how legislators could limit the ability of companies to change key aspects of their ToS unless consumers opt in to adopting the changes. These and similar legislative innovations could offer needed consumer protections in the context of digital health tech—and beyond.

Many types of companies collect, warehouse, and commercialize all kinds of data from consumers. However, in the context of digital health tech, consumers—many of whom don't read the fine print—may assume that privacy safeguards are in place, on the basis of their previous experiences with health care and biomedical research. Despite the limited regulation of digital health tech relative to formal health care providers, users could rely on these services when making important decisions such as those related to mental health, genetic risk, or procreation. And some companies may cultivate that reliance, blurring the line between what is and isn't health care. For example, Clue, a period-tracking app, promises its users “predictions you can trust” that are “based on the most up-to-date science” and that the company “collaborate[s] with scientists and universities to ensure continuous improvements” (1). Users may then reasonably believe they are receiving something on par with medical care, with all of its ensuing protections, despite disclaimers on the part of the companies that they are not health care providers.

ToS outline users' rights and companies' obligations regarding data collection and protections for privacy. When something goes wrong with a product, the company's ToS govern the dispute. Generally, by purchasing and using the product, the consumer agrees to the company's terms. Consumers might select one company over another based on its vow to secure their data, only to have that company change its policy unilaterally and share its users' information in a way that is objectionable to the consumer.

Moreover, unilateral amendments could diminish the value of information produced by digital health tech companies. For instance, consumers agreeing to terms that are less protective of privacy may differ from consumers who agree to strong privacy terms. This difference could introduce consent bias, rendering data produced from the product less reliable.

Some companies promise to notify consumers of changes to their ToS. The online therapy service TalkSpace informs its users that “from time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice” but promises its users that “we will contact you before we use your data for these new purposes to notify you of the policy change and to provide you with the ability to opt out of these new uses” (2). Other digital health tech companies take a different approach. AncestryDNA's ToS provide that the company maintains “the right to modify these Terms or any additional terms that apply to a Service at any time, including to reflect changes to the law or changes to our Services” (3). Users who do not wish to consent to the new terms are invited to stop using AncestryDNA's services.

Whereas AncestryDNA promises to inform its users of any “material changes” through posts or by email, one of its competitors, 23andMe, explains that “23andMe may make changes to the TOS from time to time” but makes no promise to notify users by email (3, 4). Instead, it simply agrees that it will “make a new copy of the TOS available on its website” and that “any new additional terms will be made available to you from within, or through, the affected Services” (4). MyFLO, another period-tracking app, is even more ambiguous, stating in its privacy policy that “this policy may be changed at any time at our discretion” (5). These policies appear to be the norm. A recent study of the privacy policies of 90 consumer genetics companies revealed that all of the companies surveyed included unilateral amendment provisions, whereas only a handful promised to inform individual users (6).

Thus, even responsible users who completely read and understand the applicable ToS may find themselves subject to unwanted uses of their sensitive data. Because certain traditional health privacy laws and regulations do not apply, consumers deserve legal protections against unilateral changes to ToS.

Many countries have substantially limited businesses' power to unilaterally amend consumer contracts. In the European Union and the United Kingdom (UK), many unilateral amendment provisions in existing digital health tech contracts may be unenforceable—for example, those that violate the UK's Competition and Markets Authority guidance on unfair contract terms (7). The Court of Appeal of Quebec prevented an internet company from reducing consumers' bandwidth access through a unilateral amendment, ruling that it violated provincial law (8). It is likely that consumers in these countries who challenge unilateral amendments to digital health tech contracts would succeed.

By contrast, in the United States, courts have given companies substantial power to change their ToS if those terms originally included the right for the company to amend the terms unilaterally. This is especially true if consumers have the option to cancel their services after the company notifies them of the change in terms [e.g., (9)]. There are some limits on companies' power to unilaterally amend ToS, but these exist more in theory than in fact. Some courts say companies cannot use favorable contract terms as bait and then switch to less favorable terms (10). And, theoretically at least, an amendment could be so unfair that a court refuses to enforce it because it is unconscionable (11). But in reality, these sorts of legal actions are very difficult to establish, and most consumers simply will not have the resources or the patience to assert them.

Instead, U.S. consumers could be stuck with new terms from a company that unilaterally amends the terms. The consumer may switch to a new company, but the transaction costs of terminating services can be high. Unilateral changes to ToS give consumers an either-or decision: Agree to the new terms or no longer use the company's services. But presenting consumers with a take-it-or-leave-it choice—either consent to the ToS or delete your data from the platform—puts users in a challenging position. For better or worse, people increasingly depend on these technologies to manage their health, particularly if they are priced out of traditional health care (12). Ending services could mean losing access to valuable existing data, as well as forgoing new insights when the company updates its technologies and refines its results. It might seem that a market could develop for digital health tech services offering more reliable ToS. However, complicating matters further, the high costs of switching actually undermine a robust, competitive market of products offering different ToS, leaving users with limited options for taking their business elsewhere. And even if users decided to switch to a company with more favorable ToS, they would have to leave all of their previous data behind.

There is, however, a possible solution to presenting consumers with a Hobson's choice, “take it or leave it,” in the wake of unilateral changes to ToS. In the United States, where this problem is most pronounced, Congress can address this issue, as it has in other contexts. For example, lenders who offer open-ended home equity loans generally cannot unilaterally change the price of the loans (13). Legislators could limit the ability of digital health tech companies to change key aspects of their terms unless consumers affirmatively opt in to those changes. Rather than forcing consumers to take their business elsewhere if they don't like the new terms, firms would be required to continue service under the originally agreed terms for those who do not approve of the new terms.

Such a law would not need to prevent changes to every single term of the contract. Prohibitions on unilateral modifications should only apply to any “substantial” terms—a purposefully vague notion that would encompass a variety of the most salient terms to which the consumer originally consented. For terms that are of marginal importance, companies should be free to unilaterally amend the contracts as they currently do. Using a vague standard such as “substantial” creates uncertainty for companies, but companies regularly confront similar standards throughout their business planning (such as requirements to perform “due diligence” and assess only “reasonable” fees). A vague standard offers policy benefits because it keeps regulatory interventions relevant in rapidly changing markets such as digital health tech. Moreover, to the extent that companies require certainty to operate, a regulator could introduce a more specific definition of “substantial” terms. For instance, the Consumer Financial Protection Bureau has offered guidance to companies seeking to ascertain whether amendments to credit card agreements are “significant changes,” requiring the companies to provide 45 days' advance notice to cardholders of the change (14).

Companies could also still amend the substantial terms of their contracts, but they would need to do so in the same way that most commercial contracts are amended—through actual consent. Although it may seem complicated to have different terms for different users, digital health tech companies already give their customers certain options, such as whether to be included in the company's database or to participate in research. They could use similar mechanisms to obtain consent for substantial changes to their ToS.

Additionally, although many other countries currently offer more consumer-friendly laws, these countries may wish to modify existing legal rules to address unilateral amendments in the digital health tech arena. Consumers are then not dependent on generic provisions or court opinions. That said, limiting the ability of companies to unilaterally change their ToS won't solve all the possible issues that consumers may face. In fact, too rigid a prohibition on unilateral amendments could impede valuable innovation in ToS, and even in products and services, as companies respond to changing norms, new technologies, and opportunities. Nonetheless, both in the United States and internationally, efforts to hold companies accountable for their ToS and to limit their ability to unilaterally change those terms without notifying users could offer consumers much-needed protection in digital health tech and related industries.