On March 2, 2023, the Federal Trade Commission (FTC) issued a proposed consent order with BetterHelp, Inc. (BetterHelp), an online counseling service, for allegedly misrepresenting its privacy practices and sharing information about consumers’ interest in or use of mental health counseling services (which the FTC alleges to be sensitive health information), in violation of Section 5 of the FTC Act. The proposed order also requires BetterHelp to pay $7.8 million to the FTC for redress to consumers. The payment settles charges that BetterHelp injured consumers when its unfair business practices led to consumers’ information being shared with third parties, such as Facebook and Snapchat, for advertising purposes after it had promised consumers it would keep such data private.
BetterHelp’s Privacy Misrepresentations
The FTC alleged that BetterHelp misled consumers about how their health information would be shared through various false and repeated assurances and privacy statement misrepresentations about not using health information for marketing or advertising purposes, and not sharing health information with third parties. According to the FTC, BetterHelp was using consumers’ email addresses, IP addresses, enrollment in the counseling service, and certain intake questionnaire responses for advertising purposes and disclosed that same information to advertising platforms, including Facebook, Snapchat and Pinterest. Notably, the FTC determined that these disclosures, including the email and IP addresses, were disclosures of health information because the email and IP addresses were collected only from consumers seeking or receiving mental health counseling services via BetterHelp.
BetterHelp’s Unfair Business Practices
The FTC also alleged that BetterHelp’s failure to take necessary steps to ensure that its collection, use, and disclosure of consumers’ health information complied with its privacy assurances and policy amounted to unfair business practices. In particular, the FTC noted that BetterHelp failed to do any of the following:
Develop, implement, and maintain written standards, policies, procedures, or practices to safeguard consumer health information;
Provide adequate guidance or training to employees or contractors concerning safeguarding consumer health information;
Properly supervise employees with respect to their collection, use, and disclosure of consumer health information;
Obtain consumers’ affirmative express consent for the collection, use, and disclosure of their health information for advertising and third parties’ purposes;
Contractually limit third parties from using consumer health information for their own purposes when they did not provide consumers with notice or obtain consent for the uses.
Practices to Avoid and Scrutinize
The FTC’s investigation of BetterHelp was thorough, as the complaint includes a fair amount of detail to support the agency’s allegations. The complaint suggests practices to avoid, such as:
Characterizing information as “anonymous” when it includes device identifiers or IP addresses, or is hashed but still matchable to identifiable people.
Saying that information collected will not be shared, when information is shared with advertising platforms via pixel, cookie, or otherwise.
Collecting consumers’ information before they have the opportunity to read privacy disclosures.
Using website and marketing copy about privacy practices—such as that data is “private” or “never shared, sold or disclosed”—when actual practices do not reflect those commitments.
Including language in a cookie banner that mischaracterizes or oversimplifies practices.
Not obtaining contractual commitments with advertising platforms and service providers to limit how consumer information will be used consistent with the company’s privacy statement and public commitments (e.g., allowing use for platforms’ and providers’ own purposes).
Not disclosing that web beacons and cookies would be used for advertising.
Not obtaining affirmative express consent before collecting, using, or disclosing health information when the collection, use or disclosure is not communicated in the privacy statement.
Responding with inaccurate or misleading information when news reports identify that consumer information is shared with third parties.
Displaying a HIPAA-compliance seal, or other legal compliance seal, anywhere, unless practices have actually been audited and certified as compliant.
Failing to have appropriate oversight and training for marketing teams and professionals that make marketing decisions about what consumer information to share with advertising platforms.
Sheila Sokolowski is a Partner at Hintze; she has expertise on HIPAA and health privacy and co-chairs the firm’s Health and Biotech Privacy Group.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.