
FTC Cracks Down on BetterHelp’s Sharing of Health Information for Marketing
Following its February settlement with GoodRx, the Federal Trade Commission (FTC) has fired another shot across the bow in its ongoing campaign to protect consumers’ digital health information. Earlier this month the FTC announced a consent order with BetterHelp, Inc., an online mental health counseling service, to resolve alleged violations of the Federal Trade Commission Act (FTC Act) related to the company’s collection, use, and sharing of consumers’ health information.
This case is notable for several reasons, which we discuss below, but a key takeaway for health app developers is that the mere disclosure of a consumer’s email address or IP address to a third party, such as advertisers, can be deemed a disclosure of health information when it is readily apparent to the recipient that the information relates to specific services, such as mental health counseling. The consent order is also notable for banning BetterHelp from sharing health data for marketing purposes, and, if finalized, would appear to be the first order requiring a company to pay partial refunds, totaling $7.8 million, to consumers whose health information was disclosed.
The FTC’s complaint against BetterHelp set forth the following allegations: (1) disclosure of health information for marketing purposes; (2) deceptive privacy misrepresentations; and (3) failing to employ reasonable measures to safeguard health information.
- Disclosure of Health Information for Marketing Purposes
To sign up for BetterHelp’s services, consumers must create an account and fill out an intake questionnaire. Through this questionnaire, BetterHelp gathers information such as the consumer’s email address, IP address, and information about health status and history, such as the reason for seeking therapy services.
BetterHelp allegedly disclosed this intake information to numerous third-party marketing platforms, such as Facebook, Snapchat, Pinterest, and Criteo, and used it to market its services from 2013 to 2020. For example, between 2017 and 2018, BetterHelp allegedly provided Facebook with lists of more than 7 million consumers’ email addresses, and Facebook then matched more than 4 million of these consumers with their Facebook accounts, targeting these individuals and similar users with ads. According to the FTC, consumers’ email addresses are inherently health information because they indicate that their owners were seeking mental health services. BetterHelp also allegedly disclosed other intake responses, such as whether the consumer had previously participated in therapy, for targeted marketing purposes.
Like GoodRx, BetterHelp used several tracking technologies to obtain and subsequently disclose information, including through the use of tracking pixels. Understanding and addressing consumer tracking has become a priority for the FTC, which recently published a summary of the practice entitled Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking.
- Deceptive Privacy Misrepresentations
The FTC further alleged that BetterHelp engaged in deceptive business practices by falsely promising that health information would remain private between the consumer and the counselor. Meanwhile, BetterHelp was allegedly providing information gleaned from the intake questionnaires to third parties for marketing purposes.
The intake questionnaire was displayed in the center of the homepage on the BetterHelp website, urging consumers to provide health information, while the privacy policy was in small, low-contrast writing at the bottom of the homepage. Throughout the intake questionnaire there were statements assuring consumers that their information was private, such as “Rest assured—any information provided in this questionnaire will remain private between you and your counselor.” The privacy policy was also deceptive because it did not mention that health information may be provided to third parties for marketing purposes. Further, the website featured a deceptive Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance seal, falsely representing compliance with privacy and security requirements.
The FTC claimed these deceptive privacy assurances were material to consumers, since consumers would want this highly sensitive information to remain private but had no reasonable way to avoid the harms due to BetterHelp’s repeated misrepresentations. The FTC also alleged that the weekly fees consumers paid for BetterHelp’s services included a “price premium” based on the company’s claimed privacy practices, i.e., the company was able to charge more for its services because customers believed that their data would be protected.
- Failing to Employ Reasonable Measures to Safeguard Health Information
Finally, the FTC alleged that BetterHelp engaged in unfair business practices by failing to employ reasonable measures to safeguard health information. For example, BetterHelp allegedly failed to train employees on how to protect information when using it for marketing and did not implement policies or provide notice to consumers on collection, use, and disclosure of health information. Further, BetterHelp did not contractually limit how third parties could use and disclose health information and merely agreed to third parties’ standard terms of service, which provided little to no restrictions on their use of the health information.
Notably, despite finding that BetterHelp impermissibly shared consumer health information with third parties, the FTC did not allege that the company violated the Health Breach Notification Rule (HBNR). In her concurring statement supporting the decision to forgo alleging a violation of the HBNR, FTC Commissioner Christine S. Wilson explained that the information BetterHelp collects from its users and provides to therapists on its platform is not a personal health record of identifiable information because it does not include records that can be drawn from multiple sources. The consumer provides their information to BetterHelp, but the company does not pull additional health information from other sources or vendors.
Proposed Consent Order
To resolve these allegations, BetterHelp agreed to a consent decree under which it must pay $7.8 million for partial refunds to consumers who purchased counseling services from the company. This is the first time the FTC has required a company to pay partial refunds to consumers whose health information was disclosed. BetterHelp will also have to pay all fees and costs associated with the independent redress monitor who will oversee disbursement of the refunds.
The consent decree also requires BetterHelp to:
- not disclose consumers’ health information to third parties for marketing purposes;
- obtain consumers’ affirmative, express consent prior to sharing their health information with third parties;
- adequately represent the use of covered information;
- notify third parties who improperly received access to covered information and instruct them to delete it;
- provide notice to all affected consumers;
- establish and implement a privacy program that protects the privacy, security, availability, confidentiality, and integrity of covered information, with privacy assessments by a third-party expert; and
- submit certification and reports of appropriate compliance.
As is FTC practice, the settlement has a twenty-year term.
Takeaways
In addition to this action highlighting the FTC’s enforcement priorities, there are a number of takeaways for health app developers, who should consider taking the following steps:
- Reconcile policies and practices. Developers should consider reconciling their privacy policies and privacy-related statements with their actual use and disclosure of customer data. A mismatch between policies and practices could create exposure under the FTC Act and, depending on the app, the HBNR and/or HIPAA.
- Review HIPAA “seals” and “certifications.” Think twice before placing HIPAA “seals” or other indicators of HIPAA compliance on documents, websites, and apps, especially if you are not directly regulated by HIPAA.
- Evaluate your compliance staffing needs. The case also highlights the importance of appropriately staffing an organization with personnel who have experience in data protection and data governance. According to the complaint, BetterHelp had delegated decision-making authority over its use of Facebook marketing to a junior analyst who had recently graduated college, had no relevant experience in safeguarding consumer health information, and had not received training.
- Analyze third-party terms. Developers should review and, when appropriate, revise the terms of service and privacy policies of third parties that will be receiving sensitive data. In this case, BetterHelp merely accepted Facebook and other third parties’ terms, thereby providing these third parties with near unfettered use of such information.
The FTC’s focus on healthcare data privacy is likely to continue as consumer reliance on these platforms increases. We will continue to keep a close eye on developments in this space.