Smartphone apps are great at lots of things, from sending selfies to solving late-night taco cravings. And even if they occasionally fail, the stakes are usually low—unless you consider being carnitas-less at 2 am a life-threatening situation. The exception is apps that claim to measure your heart rate, monitor your blood pressure, or improve your memory, coordination, or vision.

These apps aren't offering diagnoses, but they do give users an impression about their health. And for the most part, the FDA lets these apps run wild, not requiring them to go through any rigorous vetting process to ensure they are both safe and effective. But that doesn't mean nobody is holding them accountable. Last week the New York Attorney General’s office settled with three mobile health apps it alleged were misleading consumers and engaging in questionable privacy practices. The apps—which include Adidas subsidiary Runtastic, MIT Media Lab spinoff Cardiio, and Matis-made “My Baby’s Beat”—all claim to monitor the human heartbeat using only a smartphone’s camera or microphone and some proprietary algorithms. Per the terms of the settlement, the developers paid a combined $30,000 in penalties and agreed to change their advertising language and update their privacy policies to more transparent, opt-in data-collection agreements. It's a relatively small sum, but the legal action sets a precedent for how states might fill in for oversight gaps at the federal level. It also exposes another potential pitfall for companies trying to cash in on the mushily regulated mobile health industry.

Are you going to die if you entrust your smartphone with monitoring your vital signs and it gets them wrong? Probably not. But the vast majority of apps that claim to do these things don't have to prove they work before they pop up in Apple iTunes or Google Play, which has led to an explosion of them in the last five years. Today you can download more than 156,000 health and wellness apps to track everything from calories to periods.

And yet, no single piece of legislation specifically regulates the mobile health industry. Instead, a constellation of laws each claim a bit of piecemeal authority. Last year the FDA tried to inject some clarity with a new guidance that breaks down health apps into three buckets. The first contains things that are clearly medical devices—like an app that analyzes the content of your urine, just by looking at a photo of a pee-soaked chemical strip, or an app that tells you if a rogue mole is actually a cancerous melanoma. These trigger a formal FDA approval process (which involves clinical trials). The second bucket contains wellness apps—products that help you track your sleep, what you’re eating, how many steps you’re getting, and what your moods are like. These are at the other end of the regulatory spectrum and require no federal clearance. The third bucket contains everything in between. These are apps that could meet the definition of a medical device, but because they don't actively market themselves as lifesaving, fall outside the (short-staffed, budget-strapped) FDA's attention span.

The FDA's position is based on a simple risk-cost analysis: an app that isn't going to kill someone isn't worth an enforcement action. Bradley Merrill Thompson, a partner at Epstein Becker Green who specializes in regulatory law for digital health, says it's a reasonable strategy. Mostly. "The marketplace does quite well policing itself when the financial and public health risks are low," he says. "Consumers will shut down any business where the truth is easily discoverable, but they're never going to conduct clinical trials to figure out if something works."

Which would be great—for app makers—if the FDA were the only federal agency involved in this. But medical apps suggesting some sort of outcome could also trigger unwanted attention from the Federal Trade Commission—which protects consumers from fraud. Does this thing do what it says it does? Over the last five years the FTC investigated, fined, and barred a handful of mobile app companies from making unsubstantiated medical claims that their products could do things like Read blood pressure! Pick out cancerous moles! "Turn back the clock" on your eyesight!

So many developers got in trouble that last April the FTC released a set of best practices to help other developers avoid similar predicaments. Suggestions include minimizing data collection and investing in multifactor authentication. It also partnered with the FDA and two other Health and Human Services offices to create an interactive developer tool to help companies comply with all the different laws on the books.

But since then, the FTC has backed off. This February, the agency's director of the Bureau of Consumer Protection stepped down. Jessica Rich was adamant about pursuing health-app fraud. (She once testified in front of Congress, saying: "If consumer health data is used for unanticipated, harmful purposes, consumers could lose confidence in the health IT sector. As the nation's foremost protection agency, the FTC is committed to protecting health information collected by these entities.") It's unclear whether the 26-year agency veteran left voluntarily or was forced out. Regardless, her departure means the agency is reexamining its aggressive stance on consumer privacy, including in mobile health.

Which is what makes the New York case significant. Every state has its own rules regulating how apps collect user information, and getting onto iTunes or Google Play means having to be compliant with all of them. These laws become more relevant as the new administration rolls back the regulatory efforts of all federal agencies while Congress slashes online privacy protections for private citizens. So the battle for mobile health data looks like it will be fought increasingly in state courts, particularly in places with stricter laws, like New York and California. The key word here is increasingly. Because the one thing that's certain is that smartphones aren't going anywhere.