By Kate Black and Sam Castic
The Federal Trade Commission recently announced two enforcement actions under the FTC Act against digital health companies that focus on the use and disclosure of information for online advertising purposes. The agency's complaints against GoodRx and BetterHelp exhibit several shared themes and offer five lessons for companies that are looking to make sense of the enforcement actions. While these cases are both focused on companies in the health sector, these lessons relate to the FTC's current interpretation of unfair acts and deceptive practices that are unlawful for all types of companies under Section 5 of the FTC Act. For this reason, they should be considered by any company engaging in common online advertising practices.
1. FTC defines "health" and "sensitive information" broadly.
In both cases, the FTC made it clear that it considers any identifiers such as IP addresses, mobile IDs, specific geolocation or email addresses, even when hashed, to be personal information. And when that data is connected with health-related content, such as disease or condition URLs, health history, drug names or interest in treatment, it considers this to be personal health information, even if collected on the company's public website — i.e., where a user or patient was not logged in.
The FTC highlighted some specific categories of information that it considers personal health information when collected using common tracking technologies — like cookies, pixels, etc. — that store identifiers such as a unique ID:
Custom "events," information about a user's activities on a website or mobile app, labeled with health information, such as drug names, medication quantity and pharmacy names;
URLs containing health information, such as a condition name or health-related services; and
Survey, intake and enrollment information related to health history and current symptoms.
In addition, in each case, the FTC asserted that data sets from which health information can be inferred are also considered health information. For example, in the BetterHelp matter, the agency contended that sharing hashed email addresses with online advertising companies was a disclosure of health information because the email address was only collected as part of a request for therapy services, even if no additional health or therapy request information was shared. Further, in the BetterHelp matter, the FTC alleged that there was a disclosure of personal health information even when a custom event was given a generic name such as "event_1", because a BetterHelp employee individually disclosed the health context underlying that event to an employee of the advertising company, which was then able to infer health information about the users associated with that event. While both the GoodRx and BetterHelp cases concern health companies, the same logic can be applied to the processing of other kinds of sensitive information collected by commonly used tracking technologies, such as information bearing on or revealing race, sexual orientation, religion or finances. The commission's position on what constitutes sensitive information was not based on applicable laws or regulations that define this view, which highlights the context-based review that the FTC may undertake in future enforcement actions.
Any company engaging in online advertising practices, including those summarized above, should work with their marketing and technology teams to understand what portions of the company's websites and mobile applications have tracking technologies like cookies, pixels or software development kits, or SDKs, that transmit data to vendors and third parties, determine if and in what circumstances sensitive personal information is shared through the tracking technologies and configure those technologies so that they transmit the minimum amount of information needed.
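A way to operationalize that inventory step, as an added example that is not part of the original article: a small Python audit that classifies outbound pixel requests against the three categories above (health-labelled custom events, health-revealing page URLs, and intake fields) and notes which identifiers, hashed or not, travel with them. The parameter names, term list and sample beacons are constructed assumptions, not any vendor's documented schema.

```python
import re
from urllib.parse import urlparse, parse_qs

# Illustrative term list, constructed for this example; a real audit would use the
# site's own condition, drug and service taxonomy.
HEALTH_TERMS = ("depression", "anxiety", "therapy", "diabetes", "insulin",
                "sertraline", "pharmacy", "prescription", "symptom")
# Assumed names of query parameters that carry user identifiers in pixel requests.
ID_PARAMS = ("em", "ph", "external_id", "uid", "fbp", "fbc", "client_ip")
EVENT_KEYS = ("ev", "event", "event_name")
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

# Constructed sample beacons, not captured from any real site or vendor.
SAMPLE_BEACONS = [
    "https://pixel.vendor.test/tr?ev=PageView&dl=https%3A%2F%2Fhealth-site.test%2Fconditions%2Fdepression&fbp=fb.1.1700000000.12345",
    "https://pixel.vendor.test/tr?ev=Purchase&cd%5Bcontent_name%5D=Sertraline+30ct&em=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "https://pixel.vendor.test/tr?ev=PageView&dl=https%3A%2F%2Fhealth-site.test%2Fabout-us&fbp=fb.1.1700000000.12345",
    "https://pixel.vendor.test/tr?ev=StartTherapyIntake&dl=https%3A%2F%2Fhealth-site.test%2Fget-started",
]

def health_hits(text):
    # Health terms found in a decoded parameter value or URL path.
    lowered = text.lower()
    return [term for term in HEALTH_TERMS if term in lowered]

def audit_beacon(url):
    """Classify one outbound tracking request: health-labelled custom events,
    health-revealing page URLs, and survey/intake fields echoed into the beacon."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    report = {"identifiers": [], "hashed": [], "health": [], "sensitive": False}
    for key, value in params.items():
        if key in ID_PARAMS:
            report["identifiers"].append(key)
            if HEX_HASH.match(value.lower()):   # hashed email/phone still counts
                report["hashed"].append(key)
            continue
        if key == "dl":                         # page URL the pixel fired on
            category, hits = "url", health_hits(urlparse(value).path)
        elif key in EVENT_KEYS:                 # custom event name
            category, hits = "event", health_hits(value)
        else:                                   # custom data / intake fields
            category, hits = "field", health_hits(value)
        report["health"] += [(category, key, hit) for hit in hits]
    # The request itself carries the IP address and any vendor cookies, which the FTC
    # treats as identifiers, so any health signal makes the beacon sensitive. Generic
    # names such as "event_1" explained out of band cannot be caught this way.
    report["sensitive"] = bool(report["health"])
    return report

def sensitive_beacons(urls):
    # Beacons to review or trim before launch.
    return [u for u in urls if audit_beacon(u)["sensitive"]]
```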
2. Companies must disclose the use of sensitive information for online advertising.
The FTC alleged Section 5 violations where the companies did not notify users about the use and disclosure of personal health information for marketing purposes, claiming that each company, through its website privacy notice, promised that it would not share such information with advertisers for such a purpose. In addition, the FTC asserted Section 5 violations where BetterHelp made inaccurate privacy promises regarding personal health information collected on its website, citing several places on the company's website that promised it would keep "private" any health information provided by a user. But the company instead shared that information with third-party advertisers. The FTC highlighted the use of personal health information in the following kinds of online advertising efforts:
Retargeting
Retargeting integrates Google, Facebook, Criteo and other third-party tracking technologies onto company websites to show targeted ads on third-party websites based on the health content website visitors viewed or provided.
Custom Audiences
Facebook's digital advertising services can be used to create "custom audiences" of individuals to serve ads to on Facebook using health-related information for health-related advertisements. Custom audiences are created — and then shared with Facebook — by combining users' medication or health condition-specific events data with their email addresses, phone numbers and mobile identifiers to identify users with Facebook and Instagram accounts and target health services advertisements to them.
Lookalike Audiences
Companies can share individual-level information in a "source audience" with Facebook for it to find Facebook users with similar qualities to target with a company's ads. In the FTC's view, including health information to curate a "source audience" is considered a disclosure of health information for advertising purposes.
To apply this lesson at your company:
Ensure that your company has clear, prominent and consistent disclosures of the types of personal information used for each of these types of marketing, and for other online advertising efforts, in your company privacy statement, website disclosures and cookie banners.
Implement and reinforce procedures to have marketing, product and web teams obtain privacy-focused reviews of customer-facing descriptions of data and privacy practices before they launch or are updated.
Validate that your company privacy statement transparently discloses how your company collects, uses and discloses potentially sensitive information like health information, and if it does not, obtain affirmative express consent before collecting, using or disclosing it.
3. Companies should limit the independent use of sensitive data by third parties.
According to the FTC, both GoodRx and BetterHelp agreed to the "standard terms" offered by Google, Facebook, Criteo and other third-party advertising companies. These terms allowed the advertising companies to use — and reuse — provided personal information for the third party's own commercial purposes. In each instance, the FTC alleged that Facebook, in particular, used the information provided to it for its own product development purposes. This type of independent use, the FTC claimed, ran counter to the commitments made by each company in their privacy statements.
Make sure your company:
Knows all the third-party companies that it shares personal information with (1) via cookie, pixel, SDK or other tracking technology on its website or in its mobile app, and (2) via server-to-server integration or file upload;
Reviews the often click-through or online-only contractual terms for alignment with your company's obligations and public commitments; and
Has contractual and technical controls to limit how third-party companies may use the personal information shared.
4. Companies should implement strong governance over marketing data use.
In both cases, the FTC highlighted the lack of corporate controls over the use of personal health information in online advertising efforts, both times alleging that each company did not have adequate written policies or executive oversight over online advertising initiatives. In the BetterHelp case, the FTC also highlighted that a "junior marketing analyst" was given authority to make all digital marketing-related decisions and disclosures, without the appropriate training.
To reduce risk from these concerns:
Make sure there is meaningful oversight of your company's online advertising efforts, including with respect to what individual level (i.e., personal) information is used and shared;
Provide marketing professionals with role-appropriate privacy training that they can apply to their jobs, not just general one-size-fits-all training provided to employees in all types of roles; and
Validate that there are written and implemented policies that meaningfully govern the use of personal information — and sensitive personal information like health information — in marketing.
5. Companies should not make false claims about compliance or certifications.
In both cases, the FTC alleged a Section 5 violation for falsely claiming compliance with the Health Insurance Portability and Accountability Act by displaying a compliance seal on their websites. In addition, the agency alleged that GoodRx falsely claimed compliance with the Digital Advertising Alliance, or DAA, principles. The misrepresentation of DAA compliance appears to be the first time that the FTC alleged that misrepresentations about compliance with digital advertising standards will also be considered a violation of Section 5. To apply this lesson:
Review any public-facing seals or statements regarding your company's compliance or adherence to privacy laws or standards;
Make sure any seals or statements that your company uses are accurate and supported by a third-party assessment where appropriate; and
Implement privacy review protocols and approval processes before any new seals or statements are used.
Conclusion
As a result of the FTC's enforcement actions, GoodRx and BetterHelp have agreed to consent orders with long-term, ongoing obligations that will limit business and marketing practices, require ongoing compliance costs and processes, and involve the payment of monetary penalties of $1.5 million and $7.8 million, respectively. If your company engages in common online advertising practices like using cookies and pixels on its website to support retargeting efforts or sharing individual-level data, even if hashed, with companies for marketing purposes, focusing on the five lessons above may help avoid such costly and business-limiting outcomes.
Kate Black is a Partner and co-chair of the Health & Biotech Privacy Group at Hintze.
Sam Castic is a Partner at Hintze.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.