On March 2, 2023, the Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with mental health and online counseling platform, BetterHelp, Inc. (“BetterHelp”). The FTC alleged that BetterHelp shared consumers’ sensitive health data combined with other personal information (PI) with third party advertising platforms without first obtaining affirmative consent and allegedly contrary to certain privacy representations. The proposed order requires the company to pay $7.8 million in partial refunds to BetterHelp customers. This is the first time that the FTC has required a company to return money to its customers whose personal information was shared without consent. Going forward BetterHelp is not permitted to share sensitive health information and PI without obtaining affirmative consent from the patients and customers. BetterHelp is also required to overhaul its privacy program and request that any outside parties that received the consumers’ sensitive data delete such information.
This enforcement comes only a month after the FTC announced a $1.5 million settlement with prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”) for allegedly failing to notify consumers and others of its unauthorized disclosures of consumers’ sensitive health information to third parties for targeted advertising purposes. The GoodRx settlement was notable in its own right as the FTC’s first enforcement action under its Health Breach Notification Rule, a rule on the books for almost 15 years that requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured identifiable health information.
This one-two punch underscores the FTC’s position that digital health companies and mobile apps should be transparent about their data collection practices, provide a proper just-in-time explanation, obtain consumers’ express affirmative consent before collecting, using, or sharing health information, and ensure that any agreements about consumer data reached with other companies are consistent with the privacy promises made to consumers and with the company’s actual practices.
In the BetterHelp action, the FTC alleged that during the relevant period, between 2013 and 2020, the company repeatedly coaxed consumers seeking counseling services to complete an intake questionnaire and disclose sensitive health information along with other personal information (e.g., email address and IP address), all the while promising to keep that information private through statements such as: “Rest assured – any information provided in this questionnaire will stay private between you and your counselor.” According to the FTC, links to the privacy policy were “hard-to-find,” tucked at the bottom of web pages far from these more prominent assurances. The FTC alleged that BetterHelp nonetheless shared such information with major advertising platforms to re-target users who had visited the company’s site or used its app, and failed to limit how those third parties could use the data. Interestingly, the FTC also alleged that, during the relevant period, BetterHelp deceptively displayed a seal on its web pages, alongside third-party website security logos, implying that BetterHelp’s practices complied with HIPAA, when in fact, according to the complaint, no government agency or other third party had reviewed BetterHelp’s information practices for HIPAA compliance, let alone determined that those practices met HIPAA’s requirements. As noted above, the settlement requires BetterHelp to, among other things, pay $7.8 million to consumers, ask its advertising partners to delete health data collected during the relevant period, and strengthen its privacy program, certifying its compliance to the FTC for the next ten years.
Some Takeaways from BetterHelp and GoodRx:
- Closely follow the FTC’s recent policy statements. The FTC under Chair Lina Khan has focused on data privacy initiatives, and has signaled its priorities with policy pronouncements that have preceded enforcement actions. For example, in September 2021, the agency published a statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. The FTC then followed that statement with the GoodRx settlement. In July 2022, in the wake of the Supreme Court’s Dobbs decision, it published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data” on its Business Blog, stressing that the misuse of mobile location and health information “exposes consumers to significant harm.” It then followed that statement with a complaint against a digital marketing and analytics firm over alleged location data sharing and, most recently, with the BetterHelp settlement.
- Sensitive health information and marketing practices under the microscope. Depending on the circumstances, consumer health apps and related digital platforms may collect health data that is not considered PHI within the scope of HIPAA. The latest enforcement actions show that, regardless of whether HIPAA applies, the FTC is closely scrutinizing digital health companies, their collection of sensitive health data, and their representations about marketing practices. Moreover, the FTC is not the only party scrutinizing digital privacy: the BetterHelp action was prompted by an investigative news story from Jezebel about how BetterHelp was sharing consumer health data with third parties, and this is certainly not the first time an enforcement action has had its genesis in news reports.
- Multiple enforcement tools. While both actions concerned sensitive health data, the BetterHelp settlement was brought under the FTC Act’s prohibition on unfair or deceptive business practices, while the GoodRx settlement also cited the Health Breach Notification Rule. As the Director of the FTC’s Bureau of Consumer Protection stated in connection with the GoodRx settlement: “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
- Monetary relief is significant. The imposition of monetary relief in the BetterHelp action for allegedly deceiving consumers after promising to keep sensitive personal data private is notable, as this is the first Commission action returning funds to consumers whose health data was compromised.