Attachment B - Clarifying Requirements in Digital Health Technologies Research

Clarifying Requirements in Digital Health Technologies Research:
End-User License Agreements (EULAs) and Terms of Service (ToS) and Their Relation to Study Consent and to IRB and Investigator Roles

I. Research Using Digital Health Technologies and the Ubiquity of EULAs/ToS

As recognized in the preamble to the Revised Common Rule, “[T]he volume and landscape of research involving human subjects have changed considerably” and now includes “the growing use of electronic health data and other digital records to enable very large datasets to be rapidly analyzed and combined in novel ways.” Digital health technologies – including mobile applications on smartphones and watches, and wearable devices such as fitness trackers – can collect extensive data about individuals for the advancement of science. However, a lack of clarity around whether and how to apply the Common Rule and FDA Protection of Human Subjects regulations to research involving digital health technologies is causing delays, inconsistent practices in human subject protection, and questions among IRBs, research institutions, and sponsors. Absent regulatory guidance, stakeholders have been addressing this on their own, leading to inconsistent and varying application of regulations to these matters. Although that approach sometimes can give rise to shared best practices, preliminary discussion in the SACHRP Subcommittees has led to the view that, as explained below, regulatory guidance by HHS is needed on core issues of how digital technology affects IRB scope of review, informed consent, and privacy.

Some of the most pressing human subject protection questions arise from the fact that in research involving mobile applications and/or wearable devices (collectively, for the purpose of this document, “apps”), the user is usually required to accept “end-user license agreements” (EULAs) or “terms of service” (ToS) in order to use the app, regardless of whether the use is for research or not. The EULA/ToS document is separate from the informed consent form for the research, and gives individuals permission to use the app, provided they agree to many conditions of use, disclaimers of liability, and other legal terms and conditions. These terms typically also require acceptance of a separate privacy policy that almost invariably permits broader uses of the subject’s data than the confidentiality section in the research consent form. Further, typical terms include a blanket statement that the app owner can unilaterally change any aspect of the EULA/ToS at any time, in many cases without affirmative notice to those who have consented to an earlier version. The fact that the subject must individually agree to the EULA/ToS is distinct from most medical scenarios, where the purchaser of the device or software is the hospital or physician practice rather than the individual patient, and in which the hospital or practice group therefore stands between the research subject and the device manufacturer. In the individual’s consenting to a EULA/ToS, it is the individual alone who enters into an agreement with the app owner, without any effective intermediary.

The challenges that we describe are arising in a wide range of research, including studies that use an app that is already on the market and over which the research parties have no control. There are also studies designed to evaluate an app that is being developed by the research team itself, either for or in collaboration with a commercial entity that owns the app. These studies may be conducted under an IRB at the institution where the research is conducted, or can be multi-site and therefore possibly under the jurisdiction of multiple IRBs or a single IRB. Because the single IRB mandate is already in effect for domestic multi-site studies under both NIH guidance and the Revised Common Rule, uniform regulatory direction is needed to ensure appropriate human subject protection and to avoid unnecessary delays and complexities in research due to regulatory uncertainty. This recommendation focuses on research that is subject to the Common Rule or FDA Protection of Human Subjects regulations.

II. Applicable Principles

In regard to the effect of EULAs on human research using the applications to which the EULAs are attached, certain primary principles may be identified relating to human subjects protections, and the roles of the researcher, IRB and institution hosting the research. It should be noted that an IRB’s or researcher’s review of a EULA and its effects on subjects’ interests does not imply that the IRB or investigator has approved the EULA or is satisfied with any risks identified.

The operative principles include:

A. In research using mobile applications, there are both the “regular” risks of research, including privacy risks, as well as additional, incremental risks that relate to the use of the application and the subject’s consent to the related EULA. Both sets of risks should be considered by the researcher and the cognizant IRB(s).

B. In many of these studies, the app manufacturer or controller has a fundamental interest in the design, conduct and/or results of the study, including as possible sponsor/funder of the study. In general, the more that the interest of the manufacturer/controller is presented in the context of the study, the more closely the researcher and IRB should scrutinize and understand that interest, because the subject is being asked to consent not only for the study, but also to a EULA that the manufacturer/controller has created and implemented. Moreover, the more deeply the app manufacturer/controller is involved with the study and/or the more directly and significantly the app manufacturer/controller will directly benefit from the study, the greater may be the researcher’s ability to negotiate modifications to the EULA to protect subjects’ interests and/or reduce risks; such efforts should be made by the researcher, insofar as reasonably possible.

C. The researcher who designs and proposes a study using a mobile app must take note of the related EULA and how those terms may affect study subjects. The complexities inherent in most EULAs (due to opaque and detailed drafting, and due to future unilateral changes in terms) may not be readily understandable to researchers, and this requires institutions to assist in reviewing and explaining them to researchers. In any event, the researcher has a plenary obligation to understand any applicable EULA, consent to which is required by the research, and to design the protocol and consent accordingly.

D. If consent to a EULA is required for a study, subjects should be informed of this in the consent process, as should IRBs in the proposed protocol. Any significant risks presented by use of the app (and by consent to its EULA) in the research must be identified to subjects and the cognizant IRB(s). Privacy risks, and the autonomy interests involved in allowing broad or unlimited future uses, commercial or academic, of personal data, and provisions for unilateral future changes to EULA terms, should be identified, for the subjects and for the cognizant IRB.

E. In circumstances in which an app must be acquired or given to the subject for the research, and the subject has not previously acquired the app for personal use, these obligations on the researcher and the cognizant IRB(s) to identify risks to subjects are enhanced, because but for the study, the subject would not be exposed to the risks inherent in the app and its EULA.

F. To the extent that the consent form contains references to a EULA’s terms, the text should be as simplified and straightforward as possible, avoiding jargon and complex terminology not generally understood by subjects.

III. Issues Needing Regulatory Clarification

A key question presented by the principles above is when and how the IRB has an obligation to review the EULA/ToS based on those regulations and associated guidance. We consider several arguments regarding this issue.

First, some have argued that IRBs should review the EULA/ToS on the theory that it is an extension of, or a foundational part of, the study’s informed consent. As a baseline, we note that the Common Rule and FDA regulations do not expressly require that documents other than the consent form receive IRB review. The regulations require that the elements of consent be addressed in the consent form, and that certain requirements must be met, such as conducting the consent process without undue influence. Through guidance, most particularly the FDA Guidance document “Recruiting Study Subjects,” the agencies have also required that the IRB review recruitment materials, based on the theory that these are the start of the informed consent and subject selection process. As noted in that guidance, “FDA expects IRBs to review the advertising to assure that it is not unduly coercive and does not promise a certainty of cure beyond what is outlined in the consent and the protocol.” Because this guidance is centered on recruitment processes, it is not directly applicable to the question of whether a EULA/ToS needs IRB review.

Second, if the EULA/ToS is an extension of the study’s informed consent, the Common Rule and FDA regulations prohibit the consent process from involving subjects’ agreement to any exculpatory language and provide a list of those parties that cannot be released from liability:

No informed consent may include any exculpatory language through which the subject or the legally authorized representative is made to waive or appear to waive any of the subject's legal rights, or releases or appears to release the investigator, the sponsor, the institution, or its agents from liability for negligence.

45 CFR 46.116(a)(6) (emphasis added). Notably, this provision focuses on the obligations of those who have responsibility for the design and conduct of the research (i.e., the investigator, the sponsor, the institution, or their agents). Exculpatory clauses are often embedded in a EULA/ToS. If the EULA/ToS is considered part of the consent process, and it involves exculpatory language, then this represents a violation of the consent regulations.

Third, ICH E6 section 3.1.2 is often cited as applicable FDA guidance that requires the IRB to review a EULA/ToS of an app used in a study. According to section 3.1.2:

The IRB/IEC should obtain the following documents: trial protocol(s)/amendment(s), written informed consent form(s) and consent form updates that the investigator proposes for use in the trial, subject recruitment procedures (e.g., advertisements), written information to be provided to subjects, Investigator's Brochure (IB), available safety information, information about payments and compensation available to subjects, the investigator’s current curriculum vitae and/or other documentation evidencing qualifications, and any other documents that the IRB/IEC may need to fulfil its responsibilities.

(emphasis added). The argument here is that a EULA/ToS is “written information …provided to subjects” as part of the research. On the other hand, a EULA to which the subject consented prior to and independent of the study is not, strictly speaking, “written information … provided to subjects” as part of the study. Similarly, a EULA attached to an app that is required for study participation but that is not the focus of the study itself arguably no more represents “written information … provided to subjects” than do parking terms and conditions (“contracts of adhesion”) applicable to use of the parking lot adjacent to a study site and utilized by all study subjects for their study visits.

Fourth, it is significant to note that IRBs do not routinely review other contracts into which research subjects enter as part of a research study. For instance, when a social-behavioral study is conducted at a professional baseball game, the IRB would not typically review the ticket contract that disclaims any team and stadium liability for injuries from foul balls. Similarly, if a study is conducted of driving habits, the IRB does not review the car owner’s contract with the dealership or the terms of the car’s warranty. IRBs do not review warranties or contracts for a syringe, an MRI machine or a sleep test system when that product is being used in a study or is being studied for a new indication. In such cases, however, the hospital or physician practice is the party contracting with the external party, rather than the subject, making the researchers and/or site responsible for the full promises of the study informed consent, regardless of their own contractual obligations to the medical equipment manufacturer. In the case of a EULA/ToS relevant to a study, an IRB’s concern is based on the nature of the contract as being directly between the subject and the external entity (the app manufacturer/controller), as there may be no intermediating entity. Yet the subject still chooses: if he or she does not like the terms of the EULA/ToS, the subject can refuse to agree and thus not participate in the research, although it may be that without the researcher calling the subject’s attention to terms of the app and its inherent privacy risks, no reasonable subject would or could readily recognize those risks.

Finally, there is a practical consideration of the diminished power of researchers, research sites and IRBs in the face of technology owners and operators and app manufacturers. The number of apps is rapidly expanding, and they can be very useful across a broad range of medical and social-behavioral research endeavors. In most cases, when their apps are used, the manufacturers have very little incentive to waive or alter their EULA/ToS language for the purposes of a research study. Most apps will be of minimal risk as used in the research, and potentially of great benefit to the research, and even to study subjects themselves. Further, and significantly, a EULA/ToS is often expressed in opaque and complex language, not readily understandable by most people, including even researchers and IRB professionals. In formulating their positions on these issues, HHS therefore must, as a practical matter, consider this actual power imbalance and the complexity of the typical EULA/ToS, as well as the usefulness of apps to research endeavors and the possible remoteness and/or minimal nature of any harm to subjects.

IV. Scenarios

We will consider four different scenarios, which help to frame our recommendations below.

The first scenario occurs when a potential subject has obtained a publicly available app on his or her own initiative, prior to and independent of that person’s involvement with any research study, and the original use of the app is similar to the study use. In this scenario, the study is “piggybacking” on the use of the app by a consumer who later is recruited as a research subject, and the consumer/subject, without any request by or influence from the research team, had already agreed to the app’s terms and conditions. For instance, a study may use an already-acquired Fitbit to record basic physiologic data. In this scenario, the manufacturer of the device is not directly involved in the research as a funder, sponsor or collaborator. To ensure that a study fits in this scenario, the inclusion/exclusion section of the protocol can be written so that subjects must already be using the app for a comparable purpose in order to be included in the research. This would mirror the registry study design, where potential subjects are included in the registry only if they are already clinically using a drug or device. In registry studies, IRBs do not examine pre-study clinical consents for treatment or related terms and conditions to which patients agreed when choosing to use the drug or device. Registry studies are generally considered to be minimal risk, and the consent form does not include the risks of the drug or device. Similarly, if study participants have already obtained an app and accepted the EULA/ToS for the same purpose outside of research participation, then that indicates personal acceptance of the terms, not conditioned on or related to later research participation.

A second scenario is when a potential subject has obtained a publicly available app on his or her own initiative, prior to and independent of that person’s involvement with any research study, and the original use of the app is significantly different from the study use. For instance, a study may use an already-acquired Fitbit to determine if it can be used to diagnose sleep apnea, a new use of the app. As with the first scenario, the manufacturer of the device is not directly involved in the research as a funder, sponsor or collaborator.

A third scenario occurs when the research design requires the use of an app and the research enrollment process therefore includes the study subject’s acquisition of the app as a predicate condition for study participation, and the app manufacturer is not involved in the research. In this case, the research team has effectively instigated the study subject’s acquisition of the app and the subject’s agreement to the app’s EULA/ToS.

A fourth scenario is one in which the app manufacturer is involved in the design, funding, and/or conduct of the study, and the results and/or collected data are intended to be used to promote the commercial interests of that entity. In this circumstance, the commercial entity has the ability to revise the terms of the EULA/ToS for the use of the app in the study that might conflict with reasonable expectations of study subjects for the protection of their interests and privacy. In this scenario, it would ring hollow for the research team to claim that the EULA/ToS is non-negotiable.

V. Recommendations

SACHRP makes the following recommendations for the four scenarios listed above. We note that these scenarios are hypothetical, and that individual research projects may implicate several different scenarios simultaneously. SACHRP believes that in all the scenarios, the EULA/ToS is not part of the consent form and does not need to be incorporated into the consent form, but is instead typically an independent legal document that governs the relationship of the subject to the app manufacturer, not to the researcher.

SACHRP also notes that researchers and IRBs are not typically skilled in understanding EULA/ToS, and researchers are not typically skilled in negotiating with app manufacturers. For these reasons, through their research administration, compliance and legal officers, research institutions should seek to assist both researchers and IRBs in understanding EULA/ToS that may affect a study and its subjects, and in necessary interactions with app owners/operators/manufacturers.

In the first scenario, the potential subject has already acquired a publicly available app on his or her own initiative, prior to and independent of that person’s involvement with any research study, and the original use of the app is similar to the study use. Furthermore, the app manufacturer is not involved in the research. SACHRP recommends that for this scenario, the risks involved with the use of the app, including issues of privacy and confidentiality, are not research risks. Likewise, any exculpatory language involves the use of the app, not the research. Therefore, the EULA/ToS does not need to be reviewed by the IRB as part of its review of the research. Nevertheless, the subject should be notified of the use of the app and of its accompanying EULA at the time he or she provides consent to enroll in the research, even if no new risks are presented to the subject.

In the second scenario, the potential subject has already acquired a publicly available app on his or her own initiative, prior to and independent of that person’s involvement with any research study, but the original use of the app is significantly different from the study use. SACHRP recommends that for this scenario, as in the first scenario, the risks involved with the use of the app, including issues of privacy and confidentiality, are not purely research risks, although those risks may be enhanced by study participation. Although, in SACHRP’s view, the EULA/ToS does not need to be reviewed by the IRB as part of its review of the research, subjects should be informed of the existence of the EULA and of any enhanced risks due to the app’s use in the research, even if under terms to which the subject agreed independent of the study itself. Investigators therefore should consider such risks as part of study design and informed consent planning.

In the third scenario, the research design requires the use of an app and the research enrollment process therefore includes the study subject’s acquisition of the app as a predicate condition for study participation. SACHRP recommends that for this scenario, the risks involved with the use of the app are research risks, and the IRB needs to review the EULA/ToS to assess the risks involved with the use of the app. They may be, and often will be, of minimal risk. Furthermore, the IRB needs to ensure that the consent form discloses any differences between the confidentiality provisions of the app as opposed to the confidentiality provisions of the consent form as controlled by the researcher. In this third scenario, the research team, and the cognizant IRB and sites should be expected to exercise a higher level of responsibility for the subject’s agreement to the EULA/ToS. The research team (or supporting institutional offices) should identify any contradictions between study terms and subjects’ research expectations, on the one hand, and the subject’s agreement to commercial app terms, on the other. If a manufacturer refuses to change the EULA/ToS in this scenario, the IRB may determine that the risk benefit ratio is still acceptable, and let the research proceed. If the IRB does so, it should also consider whether the research informed consent form should include information about the EULA/ToS. For instance, the consent form must note that the subject will be required to agree to the EULA/ToS, and in addition must disclose any relevant differences between the EULA/ToS and the confidentiality section of the consent form, and any differences that exist in language about legal rights, including exculpatory clauses or provisions.

In the fourth scenario, the app manufacturer is involved in the design, funding, and/or conduct of the study, and the results and/or collected data are intended to be used to promote the commercial interests of that entity. In this case, SACHRP recommends that the IRB review the EULA/ToS, and that the EULA/ToS be altered as needed to meet the requirements of the research consent regulations, including understandability and the prohibition on exculpatory language. In other words, in this scenario the EULA/ToS should not be allowed to operate to exculpate the manufacturer from liability connected to its own study-related activities. In the rare case in which this is not possible or practical for some reason, then as with scenario three, the IRB may determine that the risk benefit ratio is still acceptable, and let the research proceed. If the IRB does so, it should also consider whether the research informed consent form should include information about the EULA/ToS. For instance, the consent form may note that the subject must agree to the EULA/ToS, and in addition may disclose any relevant differences between the EULA/ToS and the confidentiality section of the consent form, and any differences that exist in language about legal rights, including exculpatory research.

VI. Conclusion

SACHRP recommends that HHS issue guidance as quickly as possible on this issue, consistent with the recommendations above, to reduce the current confusion among the regulated community.

Content created by Office for Human Research Protections (OHRP)