March 6, 2023

Lessons Learned from FTC Enforcement Action Against BetterHelp

Holland & Knight Alert
Rachel Marmor | Shannon Britton Hartsfield

Highlights

  • The Federal Trade Commission (FTC) has indicated that companies working in the digital health space must prioritize the safeguarding of consumer data privacy.
  • Recent enforcement by the agency includes a consent decree issued to a mental health treatment organization to settle claims that it engaged in unfair and deceptive trade practices.
  • This Holland & Knight alert examines the FTC's heightened approach to data security and ways in which digital health companies can avoid pitfalls.

The Federal Trade Commission (FTC) is on a roll in its efforts to signal to the digital health industry that data privacy must be a priority. The FTC announced a consent decree with BetterHelp on March 2, 2023, to settle claims that the online mental health treatment company engaged in unfair and deceptive trade practices when it made website visitor information available to third parties for marketing and advertising purposes. The settlement highlights the growing risk associated with the use of third-party cookies and pixels on websites for companies that offer health services.

Key Takeaways

  • The FTC's complaint (Complaint) emphasizes the government's position that an email or an IP address by themselves can disclose private information about consumers based on the entity sharing the data.
  • The FTC considered failure to obtain "affirmative express consent" for disclosure of health information to social media companies for advertising purposes to be an unfair trade practice – a significant position since the practice in the U.S. is generally opt-out, if any choice is offered at all.
  • Various forms of disclosures, in particular about cookies, were said to be misleading. The FTC observed that BetterHelp repeatedly promised to keep health information private but then engaged in marketing activities that resulted in information being shared with third parties.
  • The FTC alleged that displaying a seal implying compliance with the Health Insurance Portability and Accountability Act (HIPAA) was deceptive.

The FTC's Complaint

BetterHelp is an online service that offers individuals access to mental health counseling for a weekly fee. To sign up, individuals must complete a web-based intake form and create an account. The Complaint alleges that, between 2013 and 2020, BetterHelp made the information submitted in this process available to third parties, including social media companies. While the Complaint states that BetterHelp did so for its own marketing purposes so that the third parties could advertise to potential users of BetterHelp services, it nonetheless found that BetterHelp did not prevent the third parties from using BetterHelp consumer data for their own purposes, including research and product development.

These disclosures, the Complaint alleges, were deceptive because statements in the sign-up process and BetterHelp's privacy policy created the impression that information would not be shared. BetterHelp "repeatedly promised" to protect health data and "continually broke these privacy promises" by using the data to target consumers and others with advertisements for its services. The company did not properly train its employees regarding using information for advertising and failed to properly supervise its staff's use of the data. The Complaint alleges that BetterHelp agreed to the stock wording of third-party contracts and failed to negotiate for special protection for health data.

The Complaint is light on technical details as to how the disclosures occurred but strongly implies that this was mainly through cookies that would have collected information when individuals visited BetterHelp's websites and completed the forms. The Complaint also alleges that BetterHelp actively shared details regarding certain individuals with Facebook and requested that Facebook use its "look-alike" tool to profile the individuals and market to those with similar characteristics.

BetterHelp displayed HIPAA seals on numerous web pages. Also, its sales representatives told consumers that the company was "HIPAA certified." The FTC viewed this as deceptive to the extent that the company was signaling to consumers that its practices met HIPAA's requirements. In fact, no third party reviewed the company's information practices to determine whether they complied with HIPAA. Additionally, the FTC observed that many of the company's therapists are not subject to HIPAA and that the company does not know which data are protected by HIPAA and which are not.

BetterHelp neither admitted nor denied the allegations of the Complaint in the consent decree.

The Consequences

The FTC imposed fairly typical requirements associated with privacy and security consent decrees, such as the requirement for a privacy program and external assessments. Additionally, the consent decree requires BetterHelp to get "express affirmative consent" for any future disclosure of "Covered Information" to a third party. Covered information is defined broadly to include persistent identifiers such as cookie IDs or IP addresses. This means that BetterHelp has to get opt-in consent for any future operation of cookies, which is far beyond current legal requirements for most entities. There is also a $7.8 million penalty for consumer redress.

Implications

Between last month's announcement of enforcement activity against GoodRx (see Holland & Knight's previous alert, "FTC Seeks First-Ever Health Breach Notification Rule Enforcement: Pixel Users Beware," Feb. 2, 2023), the U.S. Department of Health and Human Services' Office for Civil Rights bulletin regarding website tracking tools (see Holland & Knight's previous alert, "HHS Offers HIPAA Guidance on Online Tracking Technologies," Dec. 2, 2022), the California Attorney General's 2022 fine against Sephora for violation of law associated with its use of cookies and this enforcement action, it is clear that government regulatory interest in cookie practices, and health privacy in general, is high.

Exercising Caution

Companies that use cookies (especially digital health companies) should:

  • consider carefully whether any of their web pages or apps collect information that could be considered sensitive
  • review their privacy policies and ensure they can be followed
  • proceed carefully when disclosing health data to third parties to ensure it is used and disclosed only for permissible purposes and that third-party contracts provide adequate guardrails
  • train employees regarding privacy, the company's specific policies and restrictions on how personal data must be protected
  • avoid characterizing the company's policies as being HIPAA-compliant if that is not, in fact, the case – particularly if HIPAA does not apply to the company
  • make sure consumer-facing privacy policies are clear, both visually and in content

Most importantly, companies should make sure they keep whatever privacy promises have been made to consumers.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.


Related Insights