Case study: In Re Matis

Key points:

The NY AG has taken the position that

(1) even if personal data is provided to third parties in an aggregated, non-identifiable format, a disclosure must be made in the mobile app privacy notice about the sharing if it is possible for the third party to de-aggregate and re-identify individuals based on the data tendered.

(2) when sharing anonymized data with third parties a contract forbidding them from re-identifying individuals must be in place.

Matis was an Israel-based company that selled My Baby’s Beat, an app downloaded hundreds of thousands of times. The app was designed to register fetal heartbeat sounds using only the smartphone microphone, and to isolate and amplify those sounds.

The New York Attorney General (NY AG) initiated enforcement proceedings against Matis in 2017. In its enforcement action, NY AG argued that

• The app privacy notice was not compliant: The app’s privacy policy, which, did not disclose to users that Matis collected and stored the following information: (i) a global unique identifier of the user’s device; (ii) an internal numeric score indicating how engaged the user is with the app; (iii) the user’s feedback regarding the app (such as ratings and emails); and (iv) recordings that users share via the app. Notably, Matis stated that…