The Federal Trade Commission (“FTC”) recently issued a proposed order requiring BetterHelp, an online counseling service, to pay $7.8 million over misrepresentations to consumers and improper disclosures of consumers’ health information to advertisers, such as Facebook, Snapchat, Criteo, and Pinterest. This order and consent agreement comes a month after the FTC entered a settlement with GoodRx for similar privacy violations, which we examined in an earlier article.
However, the FTC alleged BetterHelp disclosed consumers’ personal information, such as email addresses and IP addresses, to third parties like Facebook and Snapchat in order to target BetterHelp advertisements at visitors to the BetterHelp website or at similar types of consumers (look-alike audiences). For instance, BetterHelp disclosed the information of around 600,000 individuals with LGBTQ identities seeking mental health treatment through BetterHelp’s services to Facebook to create look-alike audiences for targeted advertising to others. Between 2017 and 2018, BetterHelp compiled and uploaded a total of 7 million email addresses from its users to Facebook for targeted advertisements.
BetterHelp also utilized pixels and web beacons to automatically track certain actions of its users and website visitors, including their answers to BetterHelp’s prompts and their enrollment in BetterHelp services. Through these technologies, Facebook automatically received this information along with the individual’s IP address, email addresses, and other persistent identifiers and matched it with individual Facebook accounts.
The FTC also found that because BetterHelp displayed HIPAA seals on its web pages in proximity to other seals provided by third parties (as displayed below), it deceptively signaled to consumers that a government agency or other third party had reviewed BetterHelp’s privacy and information security practices and determined that they met HIPAA’s requirements, neither of which occurred.
Finally, the FTC identified a series of BetterHelp’s data privacy and cybersecurity practices as “deceptive practices,” including, but not limited to:
- Failing to maintain any oversight or restrictions on the personal information provided to third parties;
- Failing to implement appropriate safeguards in protecting consumers’ personal information; and
- Pressuring consumers to disclose their personal health information in connection with BetterHelp’s intake questionnaire.
To demonstrate its displeasure toward these “deceptive practices,” the FTC imposed some very strict penalties, including the imposition of a $7.5 million fine, a prohibition from disclosing certain personal health information for advertisement purposes, and a requirement to obtain consent before disclosing certain personal health information to third parties for any purpose.
While the FTC has shown a pattern of scrutinizing one issue (sharing data with advertisers without proper notice and consent), it continues to expand the scope of its investigation and its definition of “deceptive practices” to include items like unnecessary data collection and poor cybersecurity practices.
- Employ a data minimization standard. Businesses should consider whether their collection of data at certain stages is necessary and proportionate, which is the new standard set forth in the California Consumer Privacy Act.
- Implement a comprehensive privacy and information security program. Businesses collecting consumer data should put in place a comprehensive privacy and information security program that includes strong safeguards to protect consumer data, including sensitive information.
Federal Trade Commission, FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising, FTC.Gov (Mar. 2, 2023) https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook