In a continuation of the trend of regulatory guidance and actions on online advertising, the FTC issued a proposed order against online counseling service, BetterHelp, alleging that BetterHelp unlawfully shared consumers’ health data for advertising purposes. The complaint treated consumers’ registration for BetterHelp’s services as health information, and emphasized that disclosing such information requires consumers’ affirmative express consent. The order follows the Commission’s recent enforcement action against GoodRx, further warning the online health industry on compliance obligations for disclosing health data for advertising purposes.
FTC’s Allegations Against BetterHelp
In its complaint, the FTC alleged eight counts of unfair and deceptive business practices against BetterHelp. To access its services, BetterHelp required consumers to fill out a questionnaire on their mental health status and represented that consumers’ information would be kept private. The FTC alleged that despite these claims, BetterHelp disclosed consumers’ email addresses, IP addresses, and health data—including whether they are seeking or receiving mental health treatment—to third-party advertising platforms. Additionally, because no government agency or third party reviewed the service’s practices for compliance with HIPAA, the complaint alleged that BetterHelp deceptively placed a HIPAA compliance seal on its website from September 2013 to December 2020.
Proposed Consent Order
The proposed order includes several remedial measures, including a novel requirement for an order involving health data, to return funds directly to consumers.
The order prohibits BetterHelp from sharing past, present, or future physical or mental health or condition(s) for advertising purposes. BetterHelp also cannot share personal information for re-targeting. Except for a limited carveout that includes service providers that process personal information solely on behalf of BetterHelp, the company may not otherwise disclose or share personal information unless it first:
- obtains consumers’ affirmative express consent,
- informs them of the information to be disclosed,
- informs them of the third parties that will receive the information, and
- informs them of how the information will be used.
BetterHelp must also instruct all third parties that received consumers’ personal information to delete the information and obtain written confirmation of such deletions, pay $7.8 million in monetary relief, and undertake an initial and biennial privacy assessments by an independent, third-party assessor for 20 years.
Takeaways
As mentioned in our previous blog on the FTC’s GoodRx decision, the risks of firing third-party pixels, SDKs, or similar technologies in the health space remain significant. When integrating such technologies, businesses must also be mindful of regulations governing the use of sensitive personal information. Indeed, the BetterHelp complaint suggests that mere interest in mental health services may be sensitive health information subject to heightened compliance.