Nothing Comes for Free

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

Many websites, mobile applications, software solutions and similar solutions are offered for “free.” The services are free from the perspective that there is no cost to acquire or use the service. However, as the famous saying used commonly by the author Robert Heinlein goes “there ain’t no such thing as a free lunch” (TANSTAAFL). While a user may believe there is no cost, the provider of the service will seek to obtain a benefit in some manner.

In the context of a mobile app or software, how does that happen? The data entered into the services is where the value lies. From this perspective, understanding the Terms of Service, Terms of Use or other similar document is important. The Terms of Use is typically the very detailed document that pops up (or is linked) to before a service can be used. When it comes to digital solutions, the Terms of Use are often accepted by clicking a button or starting to use the service. Not much opportunity or encouragement is given to actually review the document. Additionally, even if the document is reviewed, there is no room for negotiation. The options are to use the service or not.

While Terms of Use are a take it or leave it proposition, it is still important to understand some of the key provisions that will often appear. Two of the most important provisions are what data will be accessed and how that data may be used. Services will seek to access a whole host of data that may not be readily apparent from the expected use. However, Terms of Use should provide insight into what will be accessed and/or collected. Permission pop-ups or other authorizations may be glossed past when trying to use the service for the first time, but having advance knowledge can or just slowing down will be beneficial. As indicated, the Terms of Use will likely inform a user as to what the service wants to access. If a user understands what is being accessed, then theoretically there should be less surprised when that data is actually used.

For web-based programs, data is very often collected in a cookie. The cookie stores information about unique users and can identify specific users. While a cookie is ostensibly only good for the website that generated it, the cookie itself is a tracking tool. Many websites now provide notification when first visiting about the use of cookies and have users acknowledge and agree that the cookie can be used.

The second component about data is how that data will be used. This is where Terms of Use can get very interesting. Arguably, there should be a disclosure as to how the provider will take advantage of data collected, potential uses and maybe that it can sell or otherwise make money from the data. As previously suggested, if the service is being offered for free, the data collected will likely be viewed as a valuable commodity and that is where the provider is generating income. While detailed, specific means of how the data will be used may not appear, including misleading or false statements would be problematic. Users should not be deceived as to how data can or will be used.

Flowing out of what and how data will be used, understanding potential remedies if something goes wrong is also helpful. In most instances, expect the provider to disclaim any and all warranties and to severely limit any available remedies. While state law may influence whether those disclaimers and limitations are enforceable, expect that they will be. Ultimately this means that the primary remedy may solely be discontinuing use of the service. Such an outcome may feel hollow or without much benefit, but it is in all likelihood a legitimate outcome.

While the Terms of Use may not offer much perceived benefit from the user’s perspective, those terms may not be the whole story. Regulations applicable to the specific use will also influence what can be contained in the Terms of Use and maybe introduce some remedies. As should be well known, if a service is targeted to the providers or other covered entities in healthcare, then HIPAA will usually apply to the service. If HIPAA applies, then all of the attendant privacy and security requirements will also apply to the service. If HIPAA applies, then there can be some comfort that data will not be freely utilized. As with every consideration though, there are nuances. For example, consider whether the Terms of Use state data can be de-identified. If data are de-identified then the data are back outside the coverage of HIPAA. Context is everything.

The Federal Trade Commission and attendant regulations covering unfair and deceptive trade practices may arguably be the most comprehensive set of protections to consider. The FTC may have purview over all services no matter the specific industry being served. The baseline expectation is that consumers should be informed as to their information will be utilized and not given false information. The requirement to not deceive was brought to the fore by recent troubles in the social media realm. Given the ease with which true intentions could be hidden, potential enforcement in this area should be tracked.

While laws and regulations may provide some protections, the protections are not absolute. As noted, providers can be open about how data will be utilized. If a user accepts those terms, then use will be fair game. That scenario is not likely to change any time soon as it is very difficult to stop using the free services and many users probably do not want to start paying for services. The key will be whether public outcry will result in a change or whether users will become better informed and push for incremental change. At the end of the day though, TANSTAAFL.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.