If the Federal Trade Commission’s (FTC) recent pursuits did not make clear the agency’s deep concerns about the use of health information for advertising purposes, a new enforcement action brought by the FTC against BetterHelp – to the tune of $7.8 million – should leave no uncertainty.
BetterHelp provides online counseling services and also provides specialized services for various constituencies, including people of Christian faith, teens and the LGBTQ+ community. The advertising technology BetterHelp utilizes on its website collects a range of information from and about visitors. When consumers sign up for a BetterHelp account, that information includes email, IP addresses, and certain sensitive health information responsive to intake questions.
The complaint details the many strong privacy promises that BetterHelp made over time to consumers through statements made during the intake process and in various iterations of the privacy policies. For instance, at sign-up, consumers were asked about mental health issues and were told the information was “anonymous,” “strictly private” or “will stay private between you and your counselor.” At times, the BetterHelp website stated that email addresses were “never shared, sold or disclosed to anyone.” Note that in this context, the fact that BetterHelp had a person’s email address would indicate the owner of that email address was seeking mental health treatment. In addition, banner statements at the bottom of the website stated at times that “[We] never sell or rent any information you share with us” and later, “We use BetterHelp and third-party cookies and web beacons to help the site function and measure the effectiveness of our ads.”
The complaint then details the many ways in which the FTC alleges that BetterHelp violated the privacy-related promises it made, including many instances in which BetterHelp allegedly shared data with third parties or used sensitive data in ways that had not been clearly described to consumers at the time of collection. A few examples of the allegations:
- Information that was collected at times was used to retarget ads to users who had visited the website.
- Personal information was used to “find and target potential new users” with ads through locating potential new users who “shared traits with current [u]sers.”
- In order to accomplish all of the above, consumers’ information was shared with various third parties.
- The company benefited from this sharing, and the FTC alleges that BetterHelp “brought in hundreds of thousands of new [u]sers, resulting in millions of dollars in additional revenue.”
The complaint also details issues that contributed to the alleged violations. The complaint emphasizes that a recent college graduate, with little to no health privacy experience, was given “carte blanche” by the company to decide what user information to upload to a third-party platform and how to use that information. In another instance, although hashed email addresses were provided to a third party, the hashing was done merely to hide the addresses from a potential hacker. BetterHelp supposedly knew that the third party would be able to undo the hashing and reveal the email addresses in order to conduct matching and know who was seeking or in therapy. Moreover, the FTC also alleges that BetterHelp did not contractually limit how third parties could use or disclose the data at issue and that some of the third parties indeed used the data for their own purposes, including research and development and improving their advertising products. This was not adequately described to users in the statements that the agency challenges, the FTC alleges.
And finally, the FTC alleges that when news reports emerged about the sharing of health data in 2020, the company provided “false responses” claiming that data was not shared with third parties. (Note: It certainly appears that this investigation went on for quite a long time given the 2020 news reports.)
The specific complaint allegations
And that is what the FTC did here, alleging that it is an unfair practice to fail to obtain affirmative express consent before collecting, using and disclosing to third parties consumer health information. There is a second broader unfairness count, which is the failure to have reasonable measures in place to protect health information in connection with the collection, use and/or disclosure of that information. Paragraph 72 of the complaint details the practices that allegedly support this count and includes the following alleged activity to support a violation:
- Lack of written standards regarding collection, use and disclosure of health information, including making sure practices comply with representations.
- Inadequate training, guidance and supervision.
- Failure to obtain affirmative express consent to collect, use and disclose health information for advertising as well as for third parties’ own purposes.
- Failure to contractually limit third parties from using health information for their own purposes.
And then there are a host of practices that the FTC alleges are deceptive and that are all of a similar genre but reflect unique, different violations, as described below:
- Tell consumers that it would disclose health information to third parties for “limited purposes” and not include advertising or third parties’ own uses as a listed purpose.
- Tell consumers that it would use health information for “limited purposes” and not include “advertising or advertising-related purposes” as a listed purpose.
- Misrepresent that it would not disclose health information to any third party for advertising or that third party’s own uses.
- Misrepresent that it would not use consumers’ health information for advertising.
- Misrepresent that health information would not be disclosed to anyone except the consumer’s licensed therapist.
- Misrepresent Health Insurance Portability and Accountability Act (HIPAA) certification. (We haven’t delved into this issue here, but don’t imply that your services have been reviewed and found compliant.)
Monetary Penalty Rationale
And finally, we get to the $7.8 million question: How did the FTC get money here when there is no alleged violation of the Health Breach Notification Rule violation? (An interesting statement from Commissioner Wilson explains why there was no rule violation in this context – it simply was because the information at issue does not meet the definition of a health record.)
The agency is using Section 19 of the FTC Act, which – in the context of administrative litigation – allows the agency to seek money in circumstances where a reasonable person would have known the practice was dishonest or fraudulent. So the bottom line is that the current commission is stating that the types of practices alleged in this case are dishonest or fraudulent.
A blog we wrote a while back explains the FTC administrative process and legal standard here and Commissioner Wilson (who left the commission effective March 1) states:
BetterHelp told consumers “Rest assured – your health information will stay private between you and your counselor” but, as alleged, shared this highly sensitive information with third parties for the purpose of monetizing it. I am comfortable that this conduct falls within our authority to seek relief under Section 19 of the FTC Act.”
We have been saying for quite a while that the FTC will be focused heavily on health privacy issues, and that is precisely what we are seeing. To stay on the FTC’s good side, entities must
- obtain express informed consent before they share health information with third parties;
- have reasonable processes and procedures to protect what happens to that information, both internally and externally (assuming they have consent to share that data); and
- tell consumers with some degree of specificity how that data will be used.
- Anyone whose practice touches upon the collection or use of health information needs to read the case in full.