FTC continues health data privacy enforcement

Julie Rubash, Chief Privacy Counsel
March 6, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


FTC Continues Health Data Privacy Enforcement

The FTC made two announcements this week demonstrating its increasing focus on health information privacy enforcement: a proposed settlement with online counseling service BetterHelp regarding the sharing of health information with social media platforms for advertising purposes; and a warning to Amazon that it will hold the company accountable for ensuring personal health information from newly acquired company One Medical will not be shared or used to sell other Amazon products, absent clear user permission.


These actions come on the heels of a $1.5MM FTC enforcement action against telehealth company GoodRX for alleged sharing of user email addresses with Facebook for targeted advertising purposes without user authorization. Collectively, these actions send strong signals of the FTC’s intentions in the health data privacy space. More explicitly, in its warning letter to Amazon, the FTC also sent a warning to the industry: “companies that fail to have adequate safeguards or controls in place to protect sensitive health data or fail to obtain consumers’ express affirmative consent for marketing based on sensitive data such as health data may be in violation of the law…the parties and the market more broadly should be on notice that the Commission will continue to monitor this space and bring enforcement actions whenever the facts warrant.” 

Read more about the proposed BetterHelp settlement, and what it means for health data privacy.

Montana Privacy Legislation Passes One Chamber

The Montana Senate unanimously passed SB 384, which would implement a Connecticut-style comprehensive privacy law, transmitting the legislation to the Montana House


Montana is the second state in 2023 to pass comprehensive privacy legislation through one chamber, joining Indiana, which passed SB 5, a Virginia-style bill, out of the Senate in early February. 

Consideration of Federal Privacy Legislation Starts Again

The U.S. House Innovation, Data and Commerce Subcommittee held a hearing to discuss comprehensive privacy legislation at the federal level. Speakers at the hearing included representatives from nonprofit Center for Democracy & Technology; privacy tech company Anonym; and law firm Kelly Drye & Warren. While the speakers’ had some differing viewpoints on what privacy legislation should include, all supported the general passage of federal privacy legislation. 


 A bill to implement the American Data Privacy and Protection Act (ADPPA), a federal comprehensive privacy law, was introduced and failed to pass in 2022, perhaps largely due to strong objections from the California Privacy Protection Agency, among other U.S. state authorities, based on the bill’s broad preemption language. The ADPPA has not yet been reintroduced in 2023 but will likely serve as a starting point for 2023 discussions. 


noyb Files Complaints re Cookie-Based Access Request Authentication

Advocacy group None of Your Business (noybannounced its filing of a series of complaints alleging that certain data brokers and websites failed to sufficiently respond to access requests with respect to cookie-based data. Specifically, when sent an access request citing a cookie identifier, the companies allegedly either asked for other forms of identification (such as additional personal details) or ignored the request altogether. noyb alleged that these actions were inconsistent with GDPR and recent EDPB guidance.


The cited EDPB guidance, issued in January 2022, includes a section addressing “issues with establishing the identity of the person making the request” and includes a specific example of a controller that processes cookies and associated pseudonymous random identifiers for behavioral advertising. The guidance says that, in this scenario, if the data subject exercises his right of access via the controller’s website, the controller should be able to precisely identify the data subject to show the data subject’s behavioral advertising data, by linking the terminal equipment of the data subject to its advertising profile with the cookies dropped in the terminal, and subsequently grant access to the personal data, since a link between the data processed and the data subject can be found. Alternatively, if the data subject makes a request via email, the controller will have no other choice but to ask the data subject to provide additional information (the cookie identifier stored in the terminal equipment of the data subject) to be able to identify the advertising profile associated with the data subject.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]