FTC Continues Enforcement Focus on the Use and Disclosure of Health Information for Advertising

by Kirk J. Nahra, Ali A. Jessani, Arianna Evers, and Samuel Kane

Author photographs

From left to right: Kirk J. Nahra, Ali A. Jessani, Arianna Evers, and Samuel Kane. (Photos courtesy of Wilmer Cutler Pickering Hale & Dorr LLP.)

On Thursday, March 2, the FTC announced an enforcement action against BetterHelp, Inc., an online mental health counseling service, relating to claims that the company’s collection and use of consumer health data were unfair and deceptive acts and practices under Section 5 of the FTC Act. As part of the settlement, BetterHelp will be required to pay $7.8 million, which the FTC will use to provide partial refunds for consumers who enrolled in and paid for BetterHelp services between August 2017 and December 2020. The BetterHelp enforcement decision comes just over a month after the FTC reached a historic settlement order with another company in the healthcare space, GoodRx, for similar alleged violations.

The BetterHelp and GoodRx complaints highlight how aggressively the agency is willing to interpret its enforcement authority in order to penalize conduct that it views to be undesirable. As in the GoodRx case, the FTC in BetterHelp went beyond typical “deceptive” claims and also included “unfair” allegations against the company for failing to obtain “affirmative express consent before collecting, using, and disclosing consumers’ health information,” as well as for not implementing reasonable privacy measures to protect such information. Although these positions have not been tested in the courts because of the settlements, the “unfair” allegations in both of these cases indicate that these are standards that the FTC apparently expects all companies to adhere to with respect to health information, regardless of how transparent they may have been about their privacy practices.

The FTC also displayed its aggressiveness in relation to the settlement orders in both cases. Like the GoodRx case, the FTC in BetterHelp banned the company from sharing health information for advertising purposes — an aggressive remedy that the agency has not previously required. Additionally, the FTC in BetterHelp required BetterHelp to pay a hefty monetary sum even though the company did not previously enter into and violate a consent order with the agency (which is often how the FTC enforces monetary penalties). Here, the FTC relied upon its authority to obtain consumer refunds as part of an administrative hearing. This shows that the FTC will use all available avenues to impose some form of monetary sanction on offending companies in order to increase the deterrent effect of the agency’s enforcement actions and to make consumers whole.

In light of this heightened regulatory scrutiny, companies in the digital health space should ensure that they are engaged in transparent data privacy practices, including by obtaining appropriate consents for uses of consumer information and ensuring that privacy policies and privacy-related public statements accurately describe their data use practices.

In this post, we provide a summary of the FTC’s complaint and proposed consent order, as well as key takeaways for businesses looking to understand this enforcement action’s implications for their privacy compliance programs moving forward.

The Complaint

BetterHelp is an online mental health counseling platform that connects its customers to a network of licensed therapists and facilitates customers’ subsequent mental health treatment through its websites and apps. In addition to its BetterHelp Counseling service, BetterHelp also offers services targeted towards particular groups, such as Faithful Counseling (for Christians), Teen Counseling (for teens), and Pride Counseling (for members of the LGBTQ community). As part of its sign-up process, BetterHelp requires customers to complete an “intake questionnaire,” which includes questions about the customer’s mental health status and history.

The main thrust of the FTC’s complaint against BetterHelp is that, from January 2013 to December 2020, the company engaged in a pattern of deceptive and unfair data privacy practices with regards to consumers’ health information, and that these practices harmed consumers both financially (for consumers who paid a “‘price premium’ based on [BetterHelp’s] deceptive privacy assurances”) and emotionally (for those consumers who may have had sensitive information — such as mental health history and LGBTQ status — disclosed without their consent). The complaint concludes by levying eight counts against BetterHelp for violations of Section 5 of the FTC Act (leading with two unfairness counts, followed by six deceptive practices counts).

The complaint’s specific allegations include the following.

1. Deceptive Statements Regarding Privacy on Websites and Apps: The FTC alleges that BetterHelp made numerous deceptive statements about its privacy practices across its various platforms. For example, the complaint describes how the company’s websites repeatedly claimed that BetterHelp would not share consumers’ intake questionnaire responses with third parties, when the company was in fact disclosing those responses, as well as users’ email addresses and IP addresses, to various marketing providers (for both advertising purposes and those marketing providers’ own purposes). The complaint also asserts that BetterHelp’s privacy policies during the relevant period did not indicate that the company used consumer health information for advertising purposes even though it used and disclosed that information to third parties for advertising and other purposes. Relatedly, the complaint found insufficient BetterHelp’s disclaimer in a cookie banner that it used consumer information to “target” advertisements, reasoning that the “target” language “still did not inform Visitors that [BetterHelp] would use and disclose their health information for advertising or that third parties would be able to use Visitors’ information for their own purposes.”

The complaint also criticizes the misleading nature of BetterHelp’s user interface, essentially implying that it involved dark patterns (a topic that the FTC has expressed some interest in in recent months). For instance, the complaint notes that visitors to BetterHelp websites were quickly “urged to begin the Intake Questionnaire and hand over their health information,” whereas the company’s privacy policy could only be found “in small, low-contrast writing that [was] barely visible at the bottom of the page.” The complaint also dismisses BetterHelp’s later inclusion of a privacy policy link in a cookie banner as insufficient, stating that “[d]espite including a link to the privacy policy, the banner effectively dissuaded Visitors from reading the privacy policy by stating, until October 2020, that [BetterHelp] would ‘never sell or rent any information you share with us.’”

Finally, a portion of the complaint takes BetterHelp to task for including seals on its website that implied it had been certified as “HIPAA-compliant,” even though the company had received no such certification.

2. Disclosure of Health Information to Third Parties for Advertising: The FTC asserts that BetterHelp disclosed consumers’ health information — which it characterizes as including consumers’ email addresses, IP addresses, enrollment in BetterHelp’s services, and intake questionnaire responses — to third parties for advertising purposes. In making this allegation, the FTC adopts a broad view of what constitutes “health information.” Specifically, it alleges that even the disclosure of a consumer’s email address alone would constitute a disclosure of health information in this context because, given that BetterHelp “collected email addresses only from [individuals] seeking mental health therapy … disclosure of [the individual’s] email address implicitly identified the [individual] as one seeking and/or receiving mental health treatment.”

3. Unreasonable Privacy Practices: The complaint also alleges that BetterHelp engaged in a range of other practices that failed to adequately safeguard consumer health information, labeling these lax privacy procedures an unfair business practice (an approach reminiscent of past FTC data security enforcement actions). Most notably, the FTC highlights BetterHelp’s failure to obtain consumers’ “affirmative express consent” to collect, use, and disclose health information for advertising purposes, as well as the purposes of various third parties. The complaint also identifies a series of other problematic practices, including the failure to develop written standards and procedures to govern the use of consumer health information; the failure to adequately train and supervise employees and third-party contractors regarding their handling of consumer health information; and a failure to contractually limit third parties from using consumers’ health information for their own purposes.

The Proposed Order

The proposed consent order imposes the following requirements on BetterHelp:

1. Prohibition on Disclosure of Personal Information for Advertising: BetterHelp is prohibited from disclosing consumers’ personal information (including health information) to third parties for advertising and related purposes. The language in the consent order is broad, barring BetterHelp from “disclosing to a Third Party for the purposes of advertising, marketing, promoting, offering, offering for sale, or selling any product or service: (1) Treatment Information; and (2) Covered Information for the purpose of targeting the consumer to which the disclosed information pertains.” The consent order defines “Treatment Information” as “individually identifiable information relating to [a consumer’s] past, present, or future physical or mental health or condition(s).” “Covered Information,” meanwhile, is defined as “information from or about an individual consumer,” including, for example, name, address, geolocation, payment card information, and IP address, among other types of information.

The scope of this prohibition is extremely broad. Indeed, given the order’s prohibition on the disclosure of “covered information” for advertising purposes, BetterHelp is essentially left unable to use any personal information for such ends. This scope exceeds the GoodRx order, which imposed a similar prohibition on disclosing information for advertising purposes, but applied only to “Health Information,” defined as “individually identifiable information relating to the past, present, or future physical or mental health or conditions of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and any individually identifiable health information that is derived or extrapolated from information about an individual’s activities, or pattern of activities, from which a determination is made that the individual has a health condition or is taking a drug.” Moreover, the GoodRx order included carveouts for specific types of advertising or advertising-adjacent activities (e.g., contextual advertising, advertising effectiveness analytics) that are not explicitly present in the BetterHelp order.

2. Obtaining Consumers’ Affirmative Express Consent Before Disclosing Personal Information: Before making any disclosure of consumer personal information to third parties, BetterHelp must obtain that consumer’s affirmative express consent. The FTC defines “affirmative express consent” as entailing “any freely given, specific, informed, and unambiguous indication of an individual consumer’s wishes demonstrating agreement by the individual … following a Clear and Conspicuous disclosure to the individual of” (1) “the categories of information that will be collected,” (2) “the specific purpose(s) for which the information is being collected, used, or disclosed,” (3) “the names or categories of Third Parties (e.g., ‘analytics partners’ or ‘advertising partners’) collecting the information, or to whom the information is disclosed,” (4) “a simple, easily located means by which the consumer can withdraw consent,” and (5) “any limitations on the consumer’s ability to withdraw consent.”

Notably, the BetterHelp consent order’s specific enumeration of the five elements that must be disclosed to an individual to establish affirmative express consent is a change even from the GoodRx order, which required only the disclosure of “all information material to the provision of consent.”

3. No Misrepresentations of Data Privacy Practices: BetterHelp is specifically barred from misrepresenting various aspects of its data privacy practices, including, for example, the types of protections that it offers for consumer personal information, the purposes for which it discloses personal information, the extent to which a consumer remains anonymous in the course of its interactions with the company’s services, and the extent to which the company complies with various industry and government privacy standards (e.g., HIPAA).

4. Deletion of Personal Information Held By Third Parties: BetterHelp is required to instruct third parties to which it disclosed consumer personal information without affirmative express consent to delete that information.

5. Privacy Program: BetterHelp must implement a formal privacy program, including such elements as oversight by company senior leadership, periodic risk assessments, implementation of relevant safeguards, development of a data retention policy, and requiring service providers to impose appropriate privacy controls. BetterHelp must also hire a third-party assessor (subject to FTC approval), essentially tasked with evaluating the company’s implementation of its privacy program on a biennial basis.

6. $7.8 Million Payment to FTC: BetterHelp is required to pay the FTC $7.8 million, which the Commission will use to provide partial refunds for consumers who enrolled in and paid for BetterHelp’s services between August 1, 2017 and December 31, 2020.

The proposed consent order is not final. Rather, the FTC will make it available in the Federal Register for a 30-day public comment period, after which it will decide whether to finalize the order.

Key Takeaways

1. Creating Substantive Limitations on Certain Data Use Cases Through the “Unfairness” Prong of Section 5: Between this enforcement action and the GoodRx case, the FTC has now — in the space of slightly more than one month — sanctioned two companies for improperly using consumer health information for advertising purposes. This suggests that the FTC is looking for ways to limit the use of consumer health information for advertising purposes in any situation. Indeed, the Commission’s August 2022 Advance Notice of Proposed Rulemaking on commercial surveillance and data security (which we have previously analyzed) suggested as much, with the Commission in that document asking stakeholders “[t]o what extent … new rules [should] limit targeted advertising and other commercial surveillance practices.”

The FTC’s reliance on its Section 5 unfairness authority in this case is also noteworthy. As discussed above, the FTC labeled BetterHelp’s deficient privacy practices as an unfair business practice — an approach it also took in the GoodRx case. This indicates that the Commission may be using its unfairness authority to develop a standard of reasonable privacy practices that companies can then model their own practices on.

2. Emphasis on Obtaining Affirmative Express Consent: Like the GoodRx enforcement action, much of the BetterHelp complaint focuses on the company’s failure to obtain affirmative express consent from consumers before transferring health information to third parties for advertising purposes and the third parties’ own purposes (e.g., developing their own products). The concept of affirmative express consent is not a new one for the FTC — indeed, the Commission raised the idea as far back as its 2012 report on Protecting Consumer Privacy in an Era of Rapid Change. Taken together, however, the BetterHelp and GoodRx cases indicate that affirmative express consent is likely to be a focal point of FTC enforcement in the digital health space moving forward. Companies that use other types of sensitive data for marketing purposes—including data about children, financial and health information, and certain geolocation data—should be paying careful attention to these enforcement actions and consider whether they too should be seeking affirmative express consent.

3. Scope of “Health Information”: As noted above, the complaint adopts an expansive view of what constitutes health information, indicating that information that might not be health information in isolation can be transformed into health information by context. Specifically, the complaint asserts that email addresses constituted health information when BetterHelp shared that information with third parties, because a mental health counseling platform’s disclosure of an individual’s email address is inherently indicative of that individual’s mental health status or history.

4. Continued Emphasis on Dark Patterns: Though the complaint never uses the term, the FTC’s critique of BetterHelp’s user interface clearly implies that BetterHelp was employing a dark pattern interface. A crackdown on dark patterns is at the heart of recent FTC enforcement activities, with the concept having been the subject of a September 2022 FTC report and being incorporated into the recent GoodRx and Epic Games enforcement actions.

5. No Safe Harbor for Hashing: One notable detail in the complaint concerned the FTC’s view of BetterHelp’s practice of “hashing” consumer email addresses transferred to various third parties. The FTC dismissed BetterHelp’s use of hashing, noting that “the hashing was not meant to conceal the Visitors’ and Users’ identities from [those] third parties,” but rather, was “done merely to hide the email addresses from a bad actor in the event of a security breach.” Indeed, the FTC alleged, BetterHelp “knew that [the] third parties … were able to, and in fact would, effectively undo the hashing and reveal the email addresses of those Visitors and Users.” Thus, companies that transfer personal information to third parties should not attempt to paper over poor data privacy practices solely with technical safeguards like hashing.

Kirk J. Nahra is a Partner, Ali A. Jessani is a Senior Associate, Arianna Evers is Special Counsel, and Samuel Kane is an Associate at Wilmer Cutler Pickering Hale & Dorr LLP. This post originally appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).