The FTC’s second settlement in just a few weeks underscores its scrutiny of companies that process health data for advertising purposes

On March 2, 2023, following a 4-0 vote, the Federal Trade Commission announced a complaint and proposed consent order against BetterHelp, Inc., an online counseling platform that allegedly shared consumer health data with third-party advertising platforms. The settlement will require BetterHelp to pay $7.8 million in consumer refunds, the first time an FTC action has required funds to be returned to consumers whose health data was allegedly compromised. The BetterHelp case comes just weeks after the FTC’s enforcement action against GoodRx, which also allegedly disclosed consumer health data to third-party advertising platforms. Together, the two cases demonstrate the close attention the FTC pays to consumer health privacy issues.

Proposed Complaint and Order

According to the FTC’s complaint, BetterHelp shared email and IP addresses, and in some cases intake information such as an individual’s previous use of counseling or therapy, with multiple advertising platforms. Specifically, according to the FTC, BetterHelp disclosed this information (1) to retarget advertising to individuals who visited its website but did not register for its services, and to individuals who signed up for accounts but did not register for its services, and (2) for “lookalike” advertising, i.e., to identify the characteristics and interests of website visitors or users of its services in order to display advertising to other people with similar interests and characteristics.

The FTC acknowledged that BetterHelp hashed email addresses (i.e., converted them into a series of unreadable characters) before sharing them, but also alleged that the hashing was not done for privacy reasons and did not protect the privacy of the individuals involved: the advertising platforms linked the hashed email addresses to their own internal user IDs and could, according to the complaint, learn sensitive information about those users. As in the GoodRx complaint, the FTC specifically noted BetterHelp’s failure to use generic event names for events linked to information about consumers (e.g., that the individual had previously been in counseling or therapy), and determined that such disclosure allowed the recipient ad platforms to know not only that certain users were interested in therapy, but also that they had previously received therapy. As in the GoodRx case, the FTC also noted that BetterHelp accepted the advertising platforms’ standard terms, which in many cases allow data provided by advertisers like BetterHelp to be used for the platforms’ own purposes.
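As an added illustration (not from the article or from any BetterHelp or FTC material), the following Python sketch shows why a SHA-256-hashed email address is a re-joinable identifier for a platform that already holds the plaintext email, and how a descriptive event name carries the sensitive fact with it while a generic event name keeps that meaning with the advertiser. All addresses, user IDs and event names are constructed.

```python
import hashlib

def hash_email(email: str) -> str:
    # Lower-case, trim, then SHA-256: the normalisation ad-platform match keys typically use.
    # The digest is deterministic, so any party holding the plaintext email can recompute it.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

# Constructed ad-platform user directory (the platform already knows its users' emails).
PLATFORM_USERS = {
    "alice@example.com": "uid-1001",
    "bob@example.com": "uid-1002",
    "carol@example.com": "uid-1003",
}

# Constructed advertiser-side codebook: a descriptive event name versus an opaque one.
GENERIC_NAMES = {"intake_prior_therapy_yes": "event_a", "intake_prior_therapy_no": "event_b"}

# Constructed events as an advertiser pixel or server-side call might send them.
ADVERTISER_EVENTS = [
    {"hashed_email": hash_email("Alice@Example.com"), "event": "intake_prior_therapy_yes"},
    {"hashed_email": hash_email("bob@example.com"), "event": "intake_prior_therapy_no"},
    {"hashed_email": hash_email("dave@example.com"), "event": "intake_prior_therapy_yes"},
]

def rejoin(events, directory):
    """Platform side: hash its own directory and join advertiser hashes back to internal
    user IDs. Returns {user_id: event_name} for every user the platform recognises."""
    lookup = {hash_email(e): uid for e, uid in directory.items()}
    return {lookup[ev["hashed_email"]]: ev["event"]
            for ev in events if ev["hashed_email"] in lookup}

def with_generic_names(events, codebook):
    """Advertiser side: replace descriptive event names with opaque codes before sending,
    so the platform's join yields only a code whose meaning stays with the advertiser."""
    return [{**ev, "event": codebook.get(ev["event"], "event_other")} for ev in events]

if __name__ == "__main__":
    # Hashing hides nothing from a platform that holds the email: two of three users re-identified.
    print(rejoin(ADVERTISER_EVENTS, PLATFORM_USERS))
    # Generic names remove the fact, but the user is still identified by the hash.
    print(rejoin(with_generic_names(ADVERTISER_EVENTS, GENERIC_NAMES), PLATFORM_USERS))
```

Note that generic event names only limit what the platform learns from the event label; the hashed email remains a stable identifier, which is why the complaint treats the sharing itself, not just the labelling, as the problem.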

In addition, the FTC alleged that BetterHelp did not obtain specific express consent to collect, use, and disclose consumer health information for such advertising purposes or for use by the advertising platforms for their own purposes, and lacked adequate written policies, procedures, and employee/contractor training relating to the processing of consumer health information.

The FTC also claimed that the company displayed a HIPAA compliance seal when in fact no government agency or other third party had ever reviewed BetterHelp’s privacy or information security practices and determined that they met HIPAA requirements. The FTC further noted that HIPAA does not even regulate many of BetterHelp’s therapists.

The FTC alleges that these practices were unfair or deceptive under Section 5 of the FTC Act, given the representations BetterHelp made during its sign-up process (e.g. ), in its Privacy Policy and Cookie Policy, and in light of BetterHelp’s statements that it would not use health information or share it with third parties who may use the data for their own purposes.

The proposed Consent Order (1) prohibits BetterHelp from sharing personal data, including health data, with third parties for ad retargeting (regardless of whether it obtains consumer consent); (2) requires BetterHelp to obtain explicit consent before sharing personal information, including certain health information; (3) requires BetterHelp to request that third parties delete the data and to notify consumers of the FTC enforcement action; and (4) mandates a privacy program and the reporting of data breaches to the FTC. As mentioned above, BetterHelp must also pay $7.8 million that will be used to compensate consumers.

Key Takeaways

  • This case, particularly when combined with the recent GoodRx case, underscores the high level of scrutiny that the FTC applies to the processing of health-related information, including through non-HIPAA websites and mobile apps. These cases underscore the FTC’s view that businesses should obtain express consent to collect, use, or disclose sensitive consumer health information for advertising purposes, even if such information does not prima facie identify a consumer.
  • This is the first instance where the FTC has focused on the role of sharing personal information to create lookalike audiences. In such models, users whose data is used do not see ads as a result, but people with similar behaviors or characteristics do. To date, most regulatory regimes and FTC attention have focused on models that result in the subject of the data seeing targeted advertising. This may lead other regulators to scrutinize lookalike practices or cause ad platforms to reconsider their contractual obligations related to those practices.
  • While the GoodRx case included a claim under the FTC’s Health Breach Notification Rule (HBNR) for disclosure of health information without consumer consent alongside Section 5 claims, the claims against BetterHelp were made entirely under Section 5. Commissioner Christine Wilson, in her concurring statement in the BetterHelp case, explained that this was because all health information that BetterHelp allegedly disclosed without authorization came from a single source, the consumer, whereas under the existing HBNR wording information must be capable of being drawn from multiple sources in order to qualify as a “personal health record.” At the same time, her concurrence reminds us that the FTC’s 2021 HBNR Policy Statement took a far broader view of what it means for information to come from multiple sources. Should the FTC attempt to enforce that view, companies would face hefty civil penalties of up to $50,000 per violation.
  • Finally, like the GoodRx case, the BetterHelp case reflects the FTC’s increasing willingness to pursue unfairness claims. The complaint borrows from the FTC’s data security “case law” by identifying a long list of allegedly “improper” practices that it claims are unfair. Additionally, by asserting that certain data practices are unfair, the FTC interprets Section 5 to impose obligations remarkably similar to those of the GDPR and the new comprehensive state privacy laws. For example, the BetterHelp complaint suggests that the failure of companies, or at least those that process sensitive consumer health data, to have internal written policies, employee training, and vendor contract requirements (similar to the requirements imposed by the GDPR and/or new state privacy laws) may be considered an “unfair” act or practice. We expect to see more such actions in the future, and these unfairness allegations may indicate the direction of the FTC’s ongoing rulemaking on “Commercial Surveillance and Data Security,” in which the FTC must rely on evidence such as its law enforcement experience to demonstrate the prevalence of the unfair or deceptive acts or practices that are ultimately the subject of its rulemaking.

© 2023 Perkins Coie LLP
