Add a bookmark to get started

7 March 20238 minute read

FTC orders BetterHelp to pay $7.8 million and limit information disclosures

Consent agreement settles allegations of improper disclosures of consumer health data for advertising

The Federal Trade Commission (FTC) has announced an administrative complaint and proposed consent agreement against the online counseling service BetterHelp over allegations that the company unlawfully monetized consumer health data by sharing it with Facebook and other online marketing providers in violation of its privacy promises to consumers.

In addition to imposing a 20-year period of monitoring by the FTC, the FTC’s proposed order, announced on March 2, requires the company to pay $7.8 million to consumers. The proposed order also imposes strict limitations on the company’s future usage and disclosure of consumer data, including an outright prohibition against the disclosure of consumer health data for advertising purposes.

Coming on the heels of the GoodRx action, the case emphasizes the FTC’s increased focus on how companies handle consumer health information and in particular, the disclosure of consumer information for online advertising. Unlike the GoodRx case, which included alleged violations of the FTC’s Health Breach Notification Rule and Section 5 of the FTC Act, the BetterHelp complaint focuses solely on alleged unfair or deceptive practices in violation of Section 5. Below, we set forth FTC’s allegations against BetterHelp. In light of these recent enforcement actions, companies that offer health or wellness applications to consumers should closely examine their uses and disclosures of health information in conjunction with their privacy policies, particularly if they disclose any identifiable information for advertising purposes. They should also consider whether and how to secure affirmative express consent from consumers prior to processing their health information.

According to the FTC’s complaint, consumers had to complete an intake questionnaire to register for the BetterHelp service, which included a number of questions about the individual’s mental health status, medications, and prior use of counseling or therapy as well as provide their email and other identifying information. The complaint alleges that despite multiple statements on the company’s website promising not to sell or share information, BetterHelp shared email addresses, IP addresses and certain information about consumers’ health status and histories – including the fact that they are seeking or are in therapy, and whether they have previously been in therapy – with Facebook, Snapchat, Pinterest and Criteo, among others, to target advertising about the company’s services.

Among other claims, the Commission alleges that BetterHelp:

  • Engaged in unfair privacy practices by failing to employ reasonable measures to protect consumers’ health information, including failing to provide adequate employee training on privacy, which resulted in unauthorized disclosure of the information to third parties for advertising and other purposes. Under the FTC’s broad articulation of harm, the mere fact that someone seeks therapy is highly sensitive and in the wrong hands, such information could cause stigma, embarrassment and/or emotional distress and impact a consumer’s ability to obtain or retain employment, housing, or certain forms of insurance.
  • Failed to obtain affirmative express consent before collecting, using and disclosing consumers’ health information, which caused or was likely to cause substantial harm to consumers.
  • Failed to disclose or failed to adequately disclose to consumers that it disclosed health information to third parties, including Facebook, for advertising as well as for third parties’ own uses, which was deceptive in violation of Section 5 of the FTC Act.
  • Disclosed consumer health information in violation of statements made in the company’s privacy policy or other assurances on company websites, which was deceptive in violation of Section 5; and
  • Represented, expressly or by implication (by including a “HIPAA Certified” stamp on its websites), directly or indirectly, that a government agency or other third party had reviewed the company’s privacy and information practices and determined that they met HIPAA’s requirements.

Some of the key takeaways from the agency’s action that deserve particular attention include the following:

  • The FTC takes an extremely broad view of what information constitutes health information. According to the agency, even an email or IP address constitutes health information when coupled with the fact that a consumer has created an account for use of a healthcare service.
  • The order requires BetterHelp to pay $7.8 million to a consumer redress fund. We first saw this framing of a monetary penalty as a redress payment in the CafePress enforcement action nearly a year ago and it appears to be developing into a regular feature of FTC actions. While the FTC is limited in its ability to demand monetary penalties under Section 5, the agency appears to be further pushing its claim of authority to demand restitution for impacted consumers.
  • The order requires BetterHelp to send a template notice concerning the settlement to every customer who created an account between August 2017 and December 31, 2020. Typically, such notices are reserved for circumstances in which a company does not properly or timely notify affected individuals of a data breach. This element of the proposed order, in conjunction with the redress fund, highlights a trend where the FTC treats allegedly unauthorized disclosures as data breaches, even where the disclosure is to an authorized vendor as opposed to a bad actor.
  • As part of BetterHelp’s obligations under the order, BetterHelp must identify both the third parties to whom it disclosed information and the information disclosed to those parties. The company must then demand those third parties delete the data received from BetterHelp.
  • The order broadly enjoins BetterHelp from disclosing any consumer information to certain third parties in the absence of the consumer’s affirmative express consent. Consent is defined narrowly as clearly demonstrated affirmative action by the individual and requires disclosure of details of the information processing, including the categories of information collected, the purposes for uses or disclosures, the identities of the third parties to whom the information may be disclosed as well as a mechanism to withdraw consent. “Third Party” in this instance exempts certain service providers, including those who are contractually limited in their ability to further disclose the information. This very restrictive structure borrows elements from HIPAA, CCPA and the EU’s GDPR. Notably, affirmative express consent as contemplated by the proposed order must be separate from any privacy policy, terms of use or similar document.
  • The FTC made specific mention that BetterHelp delegated most decision-making authority over its use of Facebook’s advertising services to a Junior Marketing Analyst who did not have experience or training in safeguarding consumers’ health information. Specifically, FTC stated that BetterHelp gave such individual “carte blanche to decide which Visitors’ and Users’ health information to upload to Facebook and how to use that information.”
  • Finally, it is worth noting FTC’s statement concerning the use of hashing of email addresses. The FTC notes that although BetterHelp applied a hash to consumer email addresses, the practice was done to prevent a security breach, not to conceal identities from Facebook and other third-party recipients. According to the FTC, the company knew that third parties such as Facebook would be able to connect the hashed emails with user profiles and would reveal that those individuals were seeking or receiving treatment through BetterHelp.

The full press release is available here.

This continues to be an evolving area in health privacy law that we will monitor. For instance, this latest action followed closely behind the FTC’s enforcement against GoodRx last month with respect to its alleged disclosure of consumer information for online advertising and the Department of Health and Human Services Office for Civil Rights’ Bulletin regarding the applicability of HIPAA to the use of tracking technologies by covered entities and business associates. Collectively, these actions indicate the federal government’s strong interest in how companies use and disclose information about their consumers, particularly for advertising purposes and most notably, in relation to health information that it deems to be sensitive.

Healthcare companies using online tracking technologies and engaging in digital advertising should take note and consider whether their privacy policies adequately disclose their use and disclosure of consumer health information, evaluate whether and to what extent sensitive information is shared with third parties, ensure that privacy training is routinely provided to individuals in positions to access or determine access to sensitive information, and, if applicable, ensure that use of any such tracking technologies by a HIPAA covered entity or business associate, complies with regulatory requirements.

For any questions, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our privacy or healthcare industry groups.

Print