The Federal Trade Commission (“FTC”) recently issued a proposed order requiring BetterHelp, an online counseling service, to pay $7.8 million over misrepresentations to consumers and improper disclosures of consumers’ health information to advertisers such as Facebook, Snapchat, Criteo, and Pinterest.[1] This order and consent agreement comes a month after the FTC entered a settlement with GoodRx for similar privacy violations, which we examined in an earlier article.
BetterHelp provides online counseling services for those seeking mental health or specialized forms of therapy. It operated under several names, each of which had its own website and catered to a specific demographic. For example, “Better Help” served general audiences while “Pride Counseling” served members of the LGBTQ community. When engaging customers, BetterHelp made numerous representations regarding the confidentiality and privacy of its customers’ personal information. For example, BetterHelp’s Privacy Policy stated, “we never sell or rent any information you share with us” and the initial intake questionnaire stated, “Rest assured – any information will stay private between you and your counselor.”
However, the FTC alleged that BetterHelp disclosed consumers’ personal information, such as email addresses and IP addresses, to third parties like Facebook and Snapchat in order to target BetterHelp advertisements at visitors to the BetterHelp website and at similar consumers (look-alike audiences). For instance, BetterHelp disclosed to Facebook the information of around 600,000 individuals with LGBTQ identities who had sought mental health treatment through BetterHelp’s services, which Facebook used to build look-alike audiences for targeted advertising to others. Between 2017 and 2018, BetterHelp uploaded a total of 7 million email addresses of its users to Facebook for targeted advertising.
BetterHelp also used pixels and web beacons to automatically track certain actions of its users and website visitors, including their answers to BetterHelp’s intake prompts and their enrollment in BetterHelp’s services. Through these technologies, Facebook automatically received this information along with the individual’s IP address, email address, and other persistent identifiers, and matched it to individual Facebook accounts.
The FTC also found that because BetterHelp displayed HIPAA seals on its web pages next to other seals provided by third parties, it deceptively signaled to consumers that a government agency or other third party had reviewed BetterHelp’s privacy and information security practices and determined that they met HIPAA’s requirements, neither of which had occurred.
Finally, the FTC identified a series of BetterHelp’s data privacy and cybersecurity practices as “deceptive practices,” including, but not limited to:
- Failing to maintain any oversight of, or restrictions on, the personal information provided to third parties;
- Failing to implement appropriate safeguards to protect consumers’ personal information; and
- Pressuring consumers to disclose their personal health information in connection with the BetterHelp intake questionnaire.
The FTC determined that BetterHelp’s misrepresentations had gone on for years and that BetterHelp did nothing to ensure that its collection, use, and disclosure practices complied with the promises in its privacy policy to visitors and users. Specifically, the FTC criticized the fact that no one at BetterHelp reviewed the privacy policy regularly and that no one was assigned responsibility for doing so until January 2021.
In response to these “deceptive practices”, the FTC imposed strict remedies, including a $7.8 million payment, a prohibition on disclosing certain personal health information for advertising purposes, and a requirement to obtain affirmative express consent before disclosing certain personal health information to third parties for any purpose.
While the FTC has repeatedly scrutinized one issue (sharing data with advertisers without proper notice and consent), it continues to expand the scope of its investigations and its definition of “deceptive practices” to include items like unnecessary data collection and poor cybersecurity practices.
Key Takeaways:
- Review your privacy policy and all representations surrounding the collection process. Businesses should understand that any statement made to consumers (in intake forms, marketing copy, or seals) may be construed as a representation on par with those in the privacy policy, and should test the veracity of those statements.
- Audit your prior advertising practices against your prior privacy policy language. In addition to prospective legal compliance, businesses may need to consider how to remedy or address prior inaccurate data privacy practices. This requires knowing all information being shared with third parties, past and present, including via pixels, web beacons, or audience uploads.
- Employ a data minimization standard. Businesses should consider whether their collection of data at each stage is reasonably necessary and proportionate, the standard now set forth in the California Consumer Privacy Act (as amended).
- Implement a comprehensive privacy and information security program. Businesses collecting consumer data should put in place a comprehensive privacy and information security program that includes strong safeguards to protect consumer data, particularly sensitive information such as health data.
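The pixel-based disclosures described above, and the audit recommended in the second takeaway, can be checked from the outside by capturing a browser session of your own site and inspecting what leaves it. The script below is an added example, not part of the FTC order or of BetterHelp’s code: it reads a HAR capture (as exported from browser developer tools), keeps only requests to a hand-maintained list of advertising hosts, and flags fields carrying a plaintext email, a SHA-256 hash of a known test-account email (the hashed form that pixel “advanced matching” typically sends), or a field name or value that looks health-related. The host list, the health keyword list, the parameter names, and the sample HAR entries are all constructed for illustration and will need tuning for a real site.

```python
"""Audit a browser HAR capture for personal data sent to third-party pixels.

Added example, not from the FTC order or from BetterHelp's own code.
Assumptions (all constructed for illustration):
  - AD_HOSTS is a hand-maintained list of advertising/analytics domains;
  - the HAR was captured while logged in with known test accounts, whose
    emails are passed in as `roster` so that SHA-256 hashes of them (the
    form "advanced matching" pixels typically send) can be recognised;
  - HEALTH_HINTS is a starter keyword list and will need tuning per site.
"""
import hashlib
import json
import re
from urllib.parse import parse_qsl, urlparse

AD_HOSTS = {"facebook.com", "snapchat.com", "criteo.com", "pinterest.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HEALTH_HINTS = ("therapy", "counsel", "diagnos", "medicat", "depress",
                "anxi", "lgbt", "orientation", "suicid")


def is_ad_host(host):
    """True if host is one of, or a subdomain of, the known ad/analytics hosts."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in AD_HOSTS)


def hashed_roster(roster):
    """Map sha256(normalised email) -> email, the usual pixel hashing convention."""
    return {hashlib.sha256(e.strip().lower().encode()).hexdigest(): e for e in roster}


def request_fields(entry):
    """Yield (name, value) pairs from the query string and any POST body."""
    req = entry["request"]
    yield from parse_qsl(urlparse(req["url"]).query, keep_blank_values=True)
    post = req.get("postData") or {}
    if post.get("params"):
        for p in post["params"]:
            yield p.get("name", ""), p.get("value", "")
    elif post.get("text"):
        yield from parse_qsl(post["text"], keep_blank_values=True)


def audit(har, roster):
    """Return (host, field, finding) for each third-party request field that leaks."""
    known = hashed_roster(roster)
    findings = []
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname or ""
        if not is_ad_host(host):
            continue  # first-party traffic is expected to carry this data
        for name, value in request_fields(entry):
            if EMAIL_RE.fullmatch(value.strip()):
                findings.append((host, name, "plaintext email"))
            elif SHA256_RE.match(value) and value in known:
                findings.append((host, name, "hashed email of " + known[value]))
            elif any(h in name.lower() or h in value.lower() for h in HEALTH_HINTS):
                findings.append((host, name, "health-related field"))
    return findings


# Constructed sample capture: one pixel GET, one pixel POST, one first-party call.
_JANE = "jane@example.com"
_JANE_HASH = hashlib.sha256(_JANE.encode()).hexdigest()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://www.facebook.com/tr/?id=123&ev=CompleteRegistration"
                        f"&ud[em]={_JANE_HASH}&cd[therapy_type]=couples"}},
    {"request": {"method": "POST", "url": "https://tr.snapchat.com/p",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "user_email", "value": _JANE},
                                         {"name": "event", "value": "SIGN_UP"}]}}},
    {"request": {"method": "POST", "url": "https://counseling.example/api/intake",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": f"email={_JANE}&q1=depression"}}},
]}}


def audit_file(path, roster):
    """Convenience wrapper for a real HAR file exported from browser devtools."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh), roster)


if __name__ == "__main__":
    for host, field, what in audit(SAMPLE_HAR, [_JANE]):
        print(f"{host:22} {field:20} {what}")
```

Two design points matter in practice. First, the first-party intake call carries the same email and a depression-related answer, and is deliberately not flagged: the question the FTC asked was not whether the site received the data but where it sent it next. Second, hashing an email before handing it to an advertiser does not make the disclosure anonymous, which is why the script re-derives the hashes of known test accounts rather than treating any 64-hex value as harmless; run a capture without the roster and the hashed-email finding disappears, which is exactly the blind spot a naive review would have.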
[1] Federal Trade Commission, FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising, FTC.gov (Mar. 2, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook