Digital data collection tools, such as small wearable devices (think FitBits or Apple Watches) and apps downloaded onto a subject’s phone, are becoming increasingly common in human subject research. Some projects are testing the products themselves, while others use them merely to collect research data.
You know that giant document that you never actually read that pops up every time you log on to some new app or online service that requires you to click “I agree” before continuing? Well, many of these wearables/apps have similar documents, referred to as “end user license agreements” (EULAs) or “terms of service (TOS),” that subjects must sign to be able to use the wearable/app and, by extension, participate in the study. EULAs and TOS can address things such as who owns the data collected via the product, what might be done with the data in the future, and the user’s rights regarding the data.
These agreements cause a bit of a dilemma for the IRB, and also potentially impact data confidentiality and subject rights. First, the IRB usually wants to review all study documents a subject sees. However, EULAs and TOS are essentially contracts between the wearable/app user and the wearable/app provider, so the IRB doesn’t have the same authority to require changes to them as it does for, say, consent form language. Second, EULAs and TOSes may include language that ordinarily would not be allowable in a research context. For example, wearable/app developers may own the data collected by their products, giving them the right to us the data later for any purpose. We have seen one EULA that specifically stated subjects could not sue even if the app developer lost their data or if an unauthorized party accessed the data in the developer’s control. As you’re probably aware, the IRB typically does not allow a dataset to be used for any purpose whatsover, unless such future use is specifically described in the consent form, and certainly does not allow language giving up the right to sue.
BUT — What happens when study participation is contingent upon agreeing to the EULA/TOS’s terms? The Secretary’s Advisory Committee on Human Research Protections, SACHRP (pronounced “SAC-harp”), has issued some guidance on precisely this issue. The guidance at the link describes different scenarios and proposes different recommendations for each. For example, an app or device being used in research may be one the subject has previously used for their own purposes. Therefore, any risks associated with the item are not research risks and don’t need to be mentioned in the consent form. In the other scenarios, SACHRP recommends things like having the IRB review the EULA/TOS and ask that any language it finds objectionable be changed. If the wearable/app provider declines to change the EULA/TOS (and it probably will), the IRB must then determine if the research’s risk/benefit ratio is still acceptable, and ensure any risks to confidentiality posed by the EULA/TOS are addressed in the consent materials.
So what does all of this mean for researchers? Study teams need to be cognizant of the considerations surrounding EULA/TOS agreements, and to ensure consent forms adequately describe any risks associated with wearable/app use. Note that at UAMS, the legal office can help you review EULA/TOS agreements. You can include comments about this review, any associated risk identified, and measures to mitigate that risk in the CLARA new submission form’s “Risks” section. The IRB will take these issues into consideration during its study review.
If you’re doing research involving wearables or apps, we encourage you to read the SACHRP guidance and apply its information to your consent process description and consent forms. If you decide not to include discussion of any EULA/TOS in your consent process, we encourage you to indicate in the submission why you decided not to inform your subjects about these agreements.