The proposed consent order builds on other recent FTC settlements (e.g., Flo Health and GoodRx) and guidance (e.g., on the Health Breach Notification Rule and the privacy of individuals seeking reproductive services following Dobbs) to further define the FTC’s position on data sharing by digital health websites, apps, and other services.
This alert provides a summary and analysis of the FTC’s complaint against BetterHelp, the proposed consent order, and key observations.
The complaint alleges two unfairness counts, two counts of deception by omission, and four counts of affirmative deceptive representations.
- Unfairness Counts. The FTC included an unfairness count reflecting a novel legal theory that BetterHelp’s failure to implement safeguards to protect the privacy of consumers’ health information in connection with the collection, use, and disclosure of that information was an unfair act or practice under Section 5 of the FTC Act. Specifically, the FTC alleges that BetterHelp failed to 1) develop, implement, or maintain “written” organizational standards or policies on its privacy practices and 2) provide adequate training for and supervision of employees or contractors to safeguard the privacy of consumers’ information, “resulting in the improper and unauthorized disclosure of that information to numerous third parties for advertising and other purposes.”1 The FTC also alleges that BetterHelp failed to obtain affirmative express consent before collecting, using, and disclosing consumers’ health information to third parties.
- Deception by omission. The FTC alleges that BetterHelp failed to disclose that it used or disclosed consumers’ health information to third parties for advertising purposes or the third parties’ own uses.
- Affirmative misrepresentations. The FTC alleges that BetterHelp made affirmative misrepresentations regarding: 1) its disclosure of health information for advertising and third parties’ own uses; 2) its use of health information for advertising; 3) its disclosure of health information to anyone except each consumer’s licensed therapist; and 4) its practices having been reviewed by a government agency or other third party and determined to have met HIPAA’s requirements.
The proposed consent order includes a number of significant obligations for BetterHelp, some of which are new to FTC privacy orders.
Under the proposed consent order, BetterHelp is required to pay $7.8 million into a consumer redress fund to be administered by the FTC. Financial penalties are incredibly uncommon in FTC privacy enforcement actions where there is not a violation of a specific regulatory rule, and consumer redress is even more unusual. Indeed, the FTC’s proposed consent order with BetterHelp represents the agency’s first apparent foray into using its Section 19 authority post-AMG v. FTC to obtain consumer redress for “dishonest or fraudulent” conduct in a privacy settlement that does not involve the violation of a specific regulatory rule.2
Broad and Expansive Definitions
The FTC alleges in its complaint that the mere disclosure of “a [v]isitor’s or [u]ser’s email address” constituted a disclosure of that website visitor or user’s health information.3 The proposed consent order then defines “Covered Information” to include both traditional categories of personal information and “Treatment Information,” which means any individually identifiable information related to the past, present, or future physical or mental health or condition(s) of a consumer, including information concerning a consumer’s use or creation of a BetterHelp account and any information derived or extrapolated from the consumer’s health information.
Second, a tension exists between the complaint and the proposed consent order regarding service providers’ permissible secondary uses of Covered Information. Specifically, the proposed consent order defines a “Third Party” as any individual or entity other than, among other things, BetterHelp’s service providers or any entity that uses Covered Information only as reasonably necessary to achieve a specific set of purposes, such as complying with the law or conducting internal research and development. While the complaint takes issue with Facebook and Pinterest using the disclosed data for their own purposes, including research and development, the proposed consent order seemingly allows such uses by permitting service providers to use data for internal research and development purposes. The scope of research and development purposes that the FTC views as acceptable for service providers that handle health information to engage in therefore remains unclear.
The proposed order outlines several different prohibitions or requirements, including audit and compliance monitoring requirements that are increasingly common in privacy cases. Particularly noteworthy requirements in the proposed consent order include:
- Prohibition on disclosures of personal information and health information to third parties for advertising and ad targeting purposes. The proposed consent order would prohibit BetterHelp from disclosing a consumer’s Treatment Information to Third Parties for advertising and ad-targeting purposes generally, and it would prohibit BetterHelp from disclosing a consumer’s broader class of Covered Information to Third Parties for the purpose of targeting advertising to that consumer. In other words, the proposed consent order would prohibit any form of ad retargeting to BetterHelp’s website visitors, even if BetterHelp obtained the visitor’s consent for such retargeting.
- Prohibition on the disclosure of personal and health information without obtaining affirmative express consent. The proposed consent order would restrict BetterHelp from disclosing Covered Information, which includes health information, with any Third Parties for non-advertising purposes without first obtaining users’ affirmative express consent.
- Prohibition on misrepresenting data privacy and security practices, including compliance with federal or industry standards, such as the use of a HIPAA seal. The proposed consent order would prohibit BetterHelp from misrepresenting the extent to which BetterHelp has data privacy and security practices covering the collection, use, disclosure, deletion, retention, maintenance, and sharing of Covered Information. Notably, this requirement includes the deceptive advertisement of a HIPAA seal to demonstrate BetterHelp’s compliance with HIPAA.
- Data deletion. BetterHelp would be required to inform the FTC of all Third Parties to whom Covered Information was disclosed and account for the types of Covered Information disclosed. BetterHelp would then be required to direct all such Third Parties to delete the information and would not be permitted to use those Third Parties for any advertising (even non-targeted) until it confirms each Third Party’s receipt of the deletion instructions.
- Mandated privacy program. The proposed consent order would require BetterHelp to design and implement a comprehensive privacy program that protects the privacy, security, and confidentiality of consumers’ Covered Information, including their health information. Notably, the FTC would require BetterHelp to conspicuously identify the categories of personal and health information BetterHelp collects from consumers; the purposes of the collection for each category of data; and the categories of information that are shared with third parties.
- Covered incident reporting. The proposed consent order defines “Covered Incident” in a way that would require BetterHelp to report to the FTC any order violations pertaining to 1) the disclosure of a consumer’s Treatment Information to Third Parties for advertising purposes or Covered Information for ad-targeting purposes; 2) obtaining affirmative express consent before disclosing consumers’ Covered Information to Third Parties for non-advertising purposes; or 3) BetterHelp misrepresenting its data privacy and security practices.
Taken together, the FTC’s February settlement with GoodRx and its current settlement with BetterHelp provide a roadmap for the agency’s agenda on health privacy. Below are some observations on current trends:
- Prohibition on disclosure of personal information and health information to third party advertisers. As in the FTC’s settlement with GoodRx, BetterHelp’s proposed consent order prohibits the company from disclosing a consumer’s health information to third parties for advertising purposes, even if a consumer affirmatively consents to such practices. BetterHelp’s proposed consent order goes a step further, however, by also prohibiting BetterHelp’s disclosure of any personal information for targeted advertising.
- Affirmative express consent for disclosures to all other third parties. The FTC’s orders against GoodRx and BetterHelp both require the companies to obtain affirmative express consent from consumers to disclose certain information to third parties (other than for disclosures for advertising, which is prohibited). Again, while the GoodRx order applies to just health information, BetterHelp’s order requires affirmative express consent to disclose any personal information to a third party. Importantly, the proposed consent order defines “third party” in a unique way, potentially including certain vendors that companies may traditionally view as service providers.
- Incorporating data security requirements into health privacy cases. Covered incident reporting requirements are more typical of the FTC’s data security cases where a data breach incident occurred. The FTC’s recent health privacy cases, however, have established a broader definition of “covered incident” and imposed this reporting requirement for digital health companies, regardless of whether a security breach occurred.
- Skeptical view of hashed emails. The FTC notes that although BetterHelp hashed consumers’ email addresses before disclosing them to third-party advertisers, such hashing does not conceal account holders’ identity from the advertisers where the advertiser also possesses the consumer’s email address: the advertiser can hash its own copy of the address and match the result.
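The following is an added illustration of the point behind the FTC’s observation; it is not code from the alert, the complaint, or BetterHelp. The sample addresses and both “customer lists” are constructed. It shows that an unkeyed hash of an email address is deterministic, so anyone who already holds the address can recompute the hash and re-identify the account holder, and, as an added contrast, that a keyed hash (HMAC) under a secret the recipient does not hold does not match, which is the property a hashed identifier would need in order to actually conceal identity.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical): addresses the health service
# collected from people signing up, and a separate list an advertiser
# already holds for its own customers.
SERVICE_USERS = ["Alice@Example.com", "bob@example.com", "dana@example.org"]
ADVERTISER_CONTACTS = ["bob@example.com", "carol@example.com", "dana@example.org"]


def normalize(email: str) -> str:
    """Canonicalize the address the way matching systems do (trim, lowercase)."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Unkeyed SHA-256 of the normalized address. Deterministic: any party
    that knows the address can reproduce this value exactly."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash_email(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized address under a secret key. Without the
    key, a recipient cannot reproduce the value from an address it holds."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def recipient_reidentify(received_hashes: list[str], own_contacts: list[str]) -> list[str]:
    """What a recipient holding its own address list can do with unkeyed
    hashes: hash every address it knows and look the received values up."""
    lookup = {hash_email(addr): normalize(addr) for addr in own_contacts}
    return [lookup[h] for h in received_hashes if h in lookup]


def recipient_reidentify_keyed(received_hashes: list[str], own_contacts: list[str]) -> list[str]:
    """Same attempt against keyed hashes: the recipient can only try the
    unkeyed hash of its contacts, which never equals an HMAC output."""
    lookup = {hash_email(addr): normalize(addr) for addr in own_contacts}
    return [lookup[h] for h in received_hashes if h in lookup]


def demo() -> tuple[list[str], list[str]]:
    # Disclosed unkeyed hashes: every user on both lists is identified.
    unkeyed = [hash_email(u) for u in SERVICE_USERS]
    matched = recipient_reidentify(unkeyed, ADVERTISER_CONTACTS)

    # Disclosed keyed hashes (secret stays with the service): nothing matches.
    secret = b"service-side secret, never shared with the recipient"  # constructed
    keyed = [keyed_hash_email(u, secret) for u in SERVICE_USERS]
    matched_keyed = recipient_reidentify_keyed(keyed, ADVERTISER_CONTACTS)
    return matched, matched_keyed


if __name__ == "__main__":
    plain, keyed = demo()
    print("re-identified from unkeyed hashes:", plain)
    print("re-identified from keyed hashes:", keyed)
```

Running it re-identifies the two addresses present on both constructed lists from the unkeyed hashes and none from the keyed ones. The normalization step matters in practice: matching systems lowercase and trim addresses before hashing precisely so that hashes computed independently by two parties line up, which is what makes the unkeyed hash an identifier rather than a disguise.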
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Tracy Shapiro, Haley Bavasi, Eddie Holman, Hale Melnick, Yeji Kim, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
While the complaint does not mention Section 19 of the FTC Act or use the terms “dishonest” or “fraudulent,” outgoing Commissioner Christine Wilson indicated her support for obtaining monetary relief under Section 19 in a concurring statement posted with the settlement package.
FTC Complaint ¶ 48, In the Matter of BetterHelp, Inc. (March 3, 2023). “As noted above, each such disclosure of even a Visitor’s or User’s email address constituted a disclosure of the Visitor’s or User’s health information. Specifically, because Respondent collected email addresses only from Visitors and Users seeking mental health therapy via the Service (by filling out the Intake Questionnaire, signing up for the Service, and/or becoming a User), disclosure of a Visitor’s or User’s email address implicitly identified the Visitor or User as one seeking and/or receiving mental health treatment via the Service.”