03.07.2023


On March 2, 2023, following a 4-0 vote, the Federal Trade Commission announced a complaint and proposed consent order with BetterHelp, Inc., an online counseling platform that allegedly disclosed consumer health data to third-party advertising platforms. The settlement requires payment of $7.8 million to be used for consumer refunds—the first time an FTC action has required the return of funds to consumers whose health data was allegedly compromised. The BetterHelp case comes just weeks after the FTC’s enforcement action against GoodRx, which was also alleged to have made unauthorized disclosure of consumer health data to third-party advertising platforms. Together, the two cases demonstrate the significant attention the FTC is paying to consumer health privacy issues.

Proposed Complaint and Order

According to the FTC’s complaint, BetterHelp shared email and IP addresses and, in some cases, intake information such as the individual’s prior use of counseling or therapy, with several advertising platforms. In particular, according to the FTC, BetterHelp disclosed this data (1) to retarget with advertisements individuals who had visited its website but did not register for its services, and individuals who had signed up for accounts but did not register for its services, and (2) for “lookalike” advertising, that is, to identify characteristics and interests of website visitors or users of its services in order to show advertisements to other individuals with similar interests and characteristics.

The FTC acknowledged that BetterHelp hashed email addresses before sharing them (i.e., converted them into a string of unreadable characters), but also alleged that this act was not intended to, and did not, protect the privacy of the individuals in question because the advertising platforms linked the hashed email addresses to internal user IDs and thus, according to the complaint, could learn sensitive information about them. As it did in the GoodRx complaint, the FTC pointed in particular to BetterHelp’s failure to use generic event names (e.g., “Event 1, Event 2”) for information about consumers; instead, BetterHelp disclosed what each event correlated to, such as whether the individual had been in counseling or therapy before. The FTC noted that such a disclosure allowed the recipient advertising platforms to know not only that particular users were interested in therapy but also that they had previously received therapy. Also, as it did in the GoodRx case, the FTC pointed to BetterHelp’s acceptance of the advertising platforms’ standard terms, which in many instances allow the platforms to use the data provided by advertisers like BetterHelp for the platforms’ own purposes.
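The complaint’s point about hashing is worth seeing concretely. The following is an added illustration, not code from the complaint or from BetterHelp; the sample e-mail addresses, user IDs and event labels are constructed. It shows why an unkeyed hash of an e-mail address is a join key rather than de-identification: any recipient that already holds the same e-mail addresses can recompute the hashes and match them to its own user IDs, and a descriptive event name then tells that recipient what the matched user did.

```python
import hashlib

# Constructed sample data (not from the FTC complaint): the advertiser's
# visitors with an intake answer, and the ad platform's own registered users.
SITE_EVENTS = [
    ("alice@example.com", "Been in counseling before: yes"),
    ("bob@example.com", "Been in counseling before: no"),
    ("carol@example.com", "Been in counseling before: yes"),
]
AD_PLATFORM_USERS = {
    "alice@example.com": "uid-1001",
    "carol@example.com": "uid-1003",
    "dave@example.com": "uid-1004",
}


def hash_email(email: str) -> str:
    """Deterministic, unkeyed SHA-256 of a normalized e-mail address: the kind
    of 'hashing' the complaint says was applied before sharing."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def share_with_ad_platform(events):
    """What the advertiser transmits: hashed e-mail plus a descriptive event name."""
    return [(hash_email(email), name) for email, name in events]


def link_to_internal_ids(shared, platform_users):
    """What the recipient can do with it: hash its own users' e-mails the same
    way and join on the digest. Because the hash has no secret key, every
    holder of the e-mail address can reproduce it, so the 'unreadable string'
    still identifies the person to anyone who already knows them."""
    lookup = {hash_email(email): uid for email, uid in platform_users.items()}
    return {lookup[digest]: name for digest, name in shared if digest in lookup}


def generic_event_names(events):
    """The practice the FTC contrasted with BetterHelp's: replace each
    descriptive label with an opaque code ('Event 1', 'Event 2') and keep the
    mapping in-house. Note this only hides what the event means; the hashed
    e-mail remains linkable, which is why the order separately restricts sharing."""
    mapping = {}
    out = []
    for email, name in events:
        code = mapping.setdefault(name, f"Event {len(mapping) + 1}")
        out.append((hash_email(email), code))
    return out
```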

Further, the FTC alleged that BetterHelp did not obtain affirmative express consent to collect, use, and disclose consumer health information for such advertising purposes or for use by the advertising platforms for their own purposes and lacked adequate written policies, procedures, and employee/contractor training regarding the processing of consumer health information. 

The FTC also alleged that the company displayed a HIPAA compliance seal when in fact no government agency or other third party had ever reviewed BetterHelp’s privacy or information security practices and determined that they met HIPAA’s requirements. The FTC further alleged that HIPAA does not even govern many of BetterHelp’s therapists.

The FTC alleges that these practices were unfair or deceptive under Section 5 of the FTC Act in light of representations BetterHelp had made in its signup process (e.g., “Rest assured—any information provided in this questionnaire will stay private between you and your counselor”), privacy policy, and cookie policy, as well as in light of statements BetterHelp did not make, such as that it would use and disclose health information to third parties, which could use the data for their own purposes.

The proposed consent order (1) bans BetterHelp from disclosing personal information, including health information, to third parties for ad retargeting (regardless of whether it obtains consumer consent); (2) requires BetterHelp to obtain affirmative express consent to share personal information, including specified health information; (3) requires BetterHelp to seek third-party deletion of data and inform consumers about the FTC enforcement action; and (4) includes a mandated privacy program requirement and a data breach reporting requirement to the FTC. As noted above, BetterHelp also must pay $7.8 million to be used for consumer redress.

Takeaways

  • This case, particularly in combination with the recent case against GoodRx, highlights the high degree of scrutiny the FTC is applying to the processing of health-related information, including by websites and mobile apps not subject to HIPAA. These cases underscore the FTC’s view that businesses should obtain affirmative express consent to collect, use, or disclose sensitive consumer health information for advertising purposes even when such information does not on its face identify a consumer.
  • This is the first case in which the FTC has focused on the role of sharing personal information for purposes of creating lookalike audiences. In such models, users whose data is used do not see ads as a result, but people with similar behaviors or characteristics do. Until now, most regulatory regimes and FTC attention have focused on models that result in the subject of the data seeing targeted ads. This may cause other regulators to scrutinize lookalike practices or cause ad platforms to rethink their contractual commitments with respect to those practices.
  • While the GoodRx case included a claim under the FTC’s Health Breach Notification Rule (HBNR) for disclosures of health information without consumer consent, as well as claims under Section 5, the claims against BetterHelp were brought entirely under Section 5. Commissioner Christine Wilson in her concurring statement in the BetterHelp case explained that this is because all the health information allegedly disclosed by BetterHelp without authorization came from a single source, the consumer, whereas a “personal health record” under the existing formulation of the HBNR requires information that “can be drawn from multiple sources.” At the same time, her concurrence reminds us that the FTC’s 2021 Policy Statement on the HBNR took a far more expansive view of what it means to be capable of drawing information from multiple sources. Should the FTC seek to enforce that view, it would carry the risk of hefty civil penalties of up to $50,000 per violation.
  • Finally, the BetterHelp case, like the GoodRx case, reflects the FTC’s increased willingness to bring unfairness claims. The complaint borrows from the FTC’s data security “jurisprudence” by identifying a laundry list of so-called “unreasonable” practices that it claims are unfair. In addition, by alleging particular data practices to be unfair, the FTC is, in effect, interpreting Section 5 to impose obligations that are remarkably similar to those imposed by the GDPR and the new state comprehensive privacy laws. For example, the BetterHelp complaint suggests that the failure of businesses, or at least those that process sensitive consumer health data, to have internal written policies, employee training, and vendor contract requirements (similar to requirements imposed by the GDPR and/or new state privacy laws) can be deemed to be “unfair” acts and practices. We expect we will see more of these claims going forward, and that these unfairness claims may portend the direction of the FTC’s ongoing “Commercial Surveillance and Data Security” Rulemaking, where the FTC must point to evidence, such as from its law enforcement experience, to demonstrate the prevalence of any unfair or deceptive acts or practices that are ultimately the subject of its rulemaking.

© 2023 Perkins Coie LLP
