What to know about BetterHelp’s FTC health data privacy settlement

The US Federal Trade Commission (FTC) has issued a proposed order requiring online therapy service BetterHelp to pay $7.8M for sharing their customers’ sensitive health information with advertisers, despite promises that the information would be kept private. As part of the proposed settlement, BetterHelp will be required to obtain “affirmative express consent” before disclosing customer health information to third parties, and to develop a more comprehensive privacy program, among other requirements. The order will need to be approved by a federal judge. 

BACKGROUND

Just a month ago, the FTC fined GoodRX $1.5 million and permanently prohibited GoodRX from disclosing user health information with third parties for advertising purposes. 

Other companies hit with privacy-related FTC enforcements in 2023 so far include Epic Games, Chegg, and Drizley. In most of these cases, they’re enforcing Act 5 of the FTC Act which bars unfair or deceptive practices. Otherwise, they’re enforcing federal laws that pertain to consumer privacy. 

WHAT IS THE BETTERHELP CONTROVERSY? 

In the complaint against BetterHelp, the FTC says that BetterHelp breaks it promises that they would only use the information collected from their users to facilitate their online therapy services. Throughout their website and patient intake process, users were assured their personal health information wouldn’t be shared or sold to third parties, and that their email address would be private even to their therapist. 

Ultimately, the FTC found evidence that BetterHelp’s statements were deceptive because they not only shared email addresses, but also sensitive information in order to retarget ads on platforms including Facebook and Snapchat. Some of the personal sensitive information was directly collected during the intake process, and other characteristics could be inferred through use of BetterHelp’s specialized services for LGBTQ+, Christian, and youth populations. 

WHAT ARE THE TERMS OF THE BETTERHELP SETTLEMENT?

BetterHelp is ordered to pay $7.8M to people who used their services between 2017 and 2020. On July 14, 2023, the FTC finalized their order against BetterHelp.

They are banned from sharing consumers information, including persistent identifiers like cookie IDs or mobile device IDs, to third parties for targeted advertising purposes. And they are required to get express consent from their users if they plan to share their data for any other purposes. 

They will also need to implement a privacy program, set limits on the amount of time user data is stored, and ensure that third parties delete data they received from BetterHelp during those years. Specifically, BetterHelp will have the responsibility to instruct any third parties who had previously received such information without obtaining the consumers’ explicit consent to erase that data within a period of 90 days.

HOW IS THE GOODRX SETTLEMENT DIFFERENT FROM BETTERHELP’S?

The terms of the settlement are very similar to that of GoodRx, an online pharmacy. GoodRx is banned from sharing any data for advertising purposes, and is also now required to obtain express consent from users to share their data for any other purpose. And just as with BetterHelp, they need to ensure that the third parties which received user data from them delete it. 

The difference is that in the GoodRx case, the FTC relied on the 2009 Health Breach Notification Rule, which applies to entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA). 

The FTC Health Breach Notification Rule requires notification to impacted consumers, the FTC, and in some cases the media, of any breach of unsecured identifiable health information. It was never enforced, but in 2021, the FTC issued a statement putting mobile health apps on notice and reminding them to examine their obligations under the Rule. The statement also clarified that a “breach” is not limited to cybersecurity intrusions but could also include sharing of covered information without individual authorization. The GoodRX enforcement action is the FTC’s first action under such guidance.  

DOES THE BETTERHELP CONTROVERSY AFFECT ALL ADVERTISERS?

Privacy settlements have been ramping up in general, and companies dealing with sensitive information are clearly going to be under special scrutiny. Prior to the settlements with BetterHelp and GoodRx, the FTC also brought a case against period tracking app Flo Health. 

The FTC’s warning to Amazon following their acquisition of OneMedical is just another indication that they don’t plan on slowing down anytime soon. In announcing the acquisition, Amazon proactively pledged that they would not share OneMedical patient health information to sell their other products, at least without getting consent from users. 

In response, the FTC sent a warning to the industry: “companies that fail to have adequate safeguards or controls in place to protect sensitive health data or fail to obtain consumers’ express affirmative consent for marketing based on sensitive data such as health data may be in violation of the law…the parties and the market more broadly should be on notice that the Commission will continue to monitor this space and bring enforcement actions whenever the facts warrant.” 

Given recent enforcement actions, we can expect to see more cases brought against health companies that result in many of the same requirements, including: a ban on using health info for advertising, a requirement to gain express consent to share information for any other reason, and a directive to ensure third-parties delete any previous data that was shared. 

Update (March 8, 2023): BetterHelp has been hit with a class-action privacy lawsuit on top of the FTC settlement. The plaintiff alleges that BetterHelp “used private information extensively for [their] own profit, including by sharing and disclosing private information.”

Keep up with the latest in privacy news affecting the digital marketing industry by subscribing to our weekly newsletter, A Little Privacy Please.