FTC Orders BetterHelp to Pay $7.8M in AdTech Ruling
The FTC recently filed its second enforcement action related to web tracking tools (a.k.a. AdTech) and the unauthorized disclosure of health information for advertising and third parties’ independent uses. The Complaint and Consent Order against BetterHelp, Inc. (“BetterHelp”), an online counseling service provider, allege that BetterHelp shared consumers’ sensitive mental health information with Facebook, Snapchat, and Pinterest for targeted advertising purposes. Notably, this is the first FTC action that involves returning funds to consumers whose health data was compromised. Specifically, the $7.8 million fine will be used to provide partial refunds to consumers who signed up and paid for BetterHelp’s services between August 1, 2017 and December 31, 2020. The FTC alleges that BetterHelp’s conduct violates Section 5 of the FTC Act (15 U.S.C. Sec. 45(a)). BetterHelp’s conduct took place prior to the FTC’s issuance of its Health Breach Notification Rule (HBNR) policy statement in 2021, and so the FTC does not allege a violation of HBNR, as it did in the GoodRX enforcement action.
In addition to offering general counseling services, BetterHelp provides mental health counseling to consumers through targeted client groups, including Christians, teens, those seeking marriage counseling, and the LGBTQ community. Since its inception in 2013, BetterHelp has gained over 2 million users. Today it has over 374,000 active users in the United States and 25,000 licensed therapists who provide services via video conferencing, text messaging, live chat, and audio calls.
BetterHelp’s Allegedly Deceptive Privacy Practices and Misrepresentations
The Complaint also alleges that BetterHelp neglected to safeguard the information it obtained from visitors and users by failing to train its employees properly on requirements regarding the collection, use, and disclosure of that information. Specifically, the complaint alleges that BetterHelp placed a recent college graduate with no marketing experience and little training in charge of deciding which visitor and user information was uploaded to Facebook. Additionally, BetterHelp failed to develop, implement or maintain written policies, procedures or practices related to the collection, use, and disclosure of consumers’ health information to ensure that its practices complied with the representations it made to its users. Finally, BetterHelp maintained a deceptive “HIPAA” seal on its website implying that BetterHelp’s privacy and information security practices were HIPAA compliant. BetterHelp removed the HIPAA seal upon receipt of a CID from the Commission in December 2020.
Key Takeaways and Lessons Learned
- Review contracts with third parties to ensure they contain language appropriately limiting how the third party can use consumer health information (as opposed to giving blanket approval for such companies to use the information for their own research and product development).
- Ensure staff is appropriately trained on policies, procedures and practices with respect to the collection, use and disclosure of user health information - and ensure that compliance with internal policies is monitored.
- Do not put a HIPAA seal on your company’s website or otherwise imply that your company is “HIPAA compliant.” No regulatory agency or certification entity has been authorized to conduct assessments of HIPAA compliance, and therefore no entity has the ability to claim that it has received a “HIPAA compliance” seal of approval.
- Companies must obtain express authorization before collecting, using and disclosing consumers’ health information for marketing purposes.