FTC Announces Proposed Order Against BetterHelp for Revealing Consumers' Health Data for Targeted Advertising | Practical Law

The FTC has announced a proposed consent order against BetterHelp, Inc. that bans the mental health counseling company from sharing personal information that reveals consumers' health data for targeted advertising.

by Practical Law Data Privacy & Cybersecurity
Published on 07 Mar 2023 | USA (National/Federal)
On March 2, 2023, the FTC issued a press release announcing a proposed order that would ban online mental health counseling provider BetterHelp, Inc. from sharing personal information that reveals consumers' sensitive health data for advertising purposes, including online advertising that re-targets prior BetterHelp website visitors on other websites or online platforms.
BetterHelp operates a variety of websites and mobile apps that facilitate mental health counseling and match users with therapists, including specialized versions focused on sensitive audiences like the LGBTQ+ community, religious faiths, and teens.
According to the FTC, the BetterHelp websites tracked information about their unique website visitors and required potential service users to complete questionnaires with mandatory sensitive health disclosures. BetterHelp's sign-up process and intake questionnaires included multiple promises to keep the information provided private and to only use it for related referrals or treatment purposes. Despite those assurances, the FTC complaint alleges that BetterHelp shared its users' personal information—including sensitive mental health information like whether they had ever sought counseling or therapy—with Facebook, Criteo, and other similar companies to conduct online advertising campaigns, including for re-targeting website visitors, shared trait targeting, and ad optimization.
Under the proposed order, BetterHelp must pay $7.8 million to consumers who signed up and paid for its services between August 1, 2017, and December 31, 2020. This marks the first FTC action that returns funds to consumers whose health data was compromised. Along with the targeted advertising ban and restitution, the proposed order also requires BetterHelp to:
  • Obtain affirmative express consent before disclosing personal information to certain third parties for any purpose.
  • Put in place a comprehensive privacy program, including strong safeguards to protect consumer data.
  • Direct third parties to delete the consumer health and personal data revealed by BetterHelp.
  • Create a data retention schedule to limit how long it can retain health and personal information.
The draft order is subject to public comment for 30 days after the FTC publishes the full settlement package in the Federal Register. The FTC will decide whether to finalize the proposed consent order after the public comment period closes.
An FTC blog post published with the proposed order provides important additional guidance on how businesses should handle sensitive health information falling outside the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including that:
  • Context can change the sensitivity of personal information. For example, when a health-care service shares a customer's email address, it also reveals the sensitive fact that the person sought health care-related information or treatment.
  • Consumers must provide affirmative express consent to share their personal health information.
  • Failing to establish written policies, practices, and procedures to protect health information or to train employees on their requirements can lead to unfair and deceptive practices that violate the FTC Act.
  • Hashing email addresses does not protect a consumer's privacy when the third-party recipient can un-hash the data or connect it to similarly hashed email addresses. Matching hashed personal information results in third-party disclosures.
  • Website disclosures must avoid deceptive, misleading, or confusing designs, such as prominently providing privacy-reassuring statements like promises not to sell, rent, or share information or to only use it in specific ways, while putting detailed privacy disclosures that qualify or limit those promises behind hard-to-find or hard-to-read links.
  • Any logos present on a website, such as a HIPAA logo, must not mislead visitors about the website's privacy practices or who regulates or reviews the company's activities.
  • Website and mobile app operators should carefully monitor all technologies capable of sending information to a third party, such as web beacons, pixels, or other tracking technologies, to ensure that privacy disclosures match actual practices.
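The guidance above on hashed email addresses can be checked directly. The following is an added example, not taken from the FTC materials or from BetterHelp: it shows that an unkeyed SHA-256 of a normalized email address is a stable join key that a recipient can match against its own account list, while a token keyed with a secret the recipient never receives cannot be matched. All addresses, the key, and the function names are constructed for illustration.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    # Typical pre-hash normalization: trim whitespace and lowercase.
    return email.strip().lower()

def plain_hash(email: str) -> str:
    # Unkeyed hash: anyone holding the same address derives the same token.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_hash(email: str, key: bytes) -> str:
    # HMAC with a secret held only by the sender (assumption of this example).
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

def matched_identities(shared_tokens, recipient_emails, tokenize):
    """Return the recipient's own known addresses whose token is in the shared set."""
    lookup = {tokenize(e): normalize(e) for e in recipient_emails}
    return sorted(lookup[t] for t in shared_tokens if t in lookup)

# Constructed sample data: the service's users and the recipient's own accounts.
SERVICE_USERS = ["Alice@example.com ", "bob@example.org", "carol@example.net"]
RECIPIENT_ACCOUNTS = ["alice@example.com", "bob@example.org", "dave@example.com"]
SERVICE_KEY = b"constructed-demo-key-held-only-by-the-service"

def demo():
    shared_plain = {plain_hash(e) for e in SERVICE_USERS}
    shared_keyed = {keyed_hash(e, SERVICE_KEY) for e in SERVICE_USERS}
    # The recipient can only compute the unkeyed hash of addresses it already holds.
    plain_matches = matched_identities(shared_plain, RECIPIENT_ACCOUNTS, plain_hash)
    keyed_matches = matched_identities(shared_keyed, RECIPIENT_ACCOUNTS, plain_hash)
    return plain_matches, keyed_matches

if __name__ == "__main__":
    plain, keyed = demo()
    print("re-identified from unkeyed hashes:", plain)
    print("re-identified from keyed tokens:  ", keyed)
```

A token the recipient cannot match is also useless for audience matching, so any hashed list that works for ad targeting is, by construction, a disclosure of who is on it.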