The Federal Trade Commission ("FTC") recently issued a Decision and Order against BetterHelp, prohibiting the online counseling service from sharing consumers' sensitive health data for advertising purposes. The Order also requires BetterHelp to pay a $7.8 million settlement to compensate consumers affected by its alleged conduct.
BetterHelp was created in 2013 to provide consumers with accessible and affordable care. It is the largest online therapy platform in the world, helping consumers find and connect with licensed mental healthcare professionals that meet their individualized objectives. BetterHelp's online platform also facilitates teletherapy sessions with providers by hosting video conferencing, phone and messaging services. BetterHelp electronically stores and transmits consumers' health questionnaires, private communications, payments, and other sensitive information to provide these services. Since BetterHelp collects and shares consumer health information, it must comply with FTC standards.
Since BetterHelp collects and shares consumer health information, it must comply with FTC standards. The FTC seeks to protect consumers' online privacy and data by regulating how businesses, data brokers, and third parties can collect, utilize, and sell sensitive data. The FTC maintained that the marketplace for sensitive data lacks transparency. In one 2014 study, the FTC reported that data brokers frequently used the data they obtained to make sensitive inferences, such as whether a consumer could be categorized as an "expectant parent." In an annual report, one data broker stated to shareholders that it had 3,000 data points for nearly every consumer in the United States. While consumer concerns about trust and privacy breaches can have serious, real-world implications, consumer data also allows for beneficial, targeted content that allows consumers to find products and services that meet their demands more efficiently.
The FTC's legal authority to prosecute the mismanagement of consumer data comes from Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce" (15 USC § 45). Unfair practices are those which cause substantial injury to consumers, cannot be reasonably avoided by consumers, and are not outweighed by countervailing benefits to consumers or competition. In contrast, deceptive practices are categorized as representations, omissions, or practices that mislead consumers. While a business may be found in violation of either unfair or deceptive acts or practices, the violation is often a mixture of the two. So long as a consumer has reasonably interpreted a misleading representation and that representation is material, the FTC can prosecute under a deceptive act or practice.
Allegations that BetterHelp violated Section 5 of the Federal Trade Commission Act prompted its lawsuit against BetterHelp. Specifically, the FTC stated that BetterHelp used and disclosed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, despite assuring consumers that their information would be safeguarded. BetterHelp's website contained statements such as "rest assured – any information provided in this questionnaire will stay private between you and your counselor," which the FTC alleged misled consumers and violated the Act under deceptive practices. The scope of these statements also changed over time, limiting the amount of notice consumers received. The term "any information" was rewritten to "specific information," and eventually, the statement was removed altogether. The FTC asserted that suggestions on BetterHelp's website that consumers' data would remain "anonymous" and "never sold or shared with anyone" did not accurately represent the data's actual collection and use.
To remedy BetterHelp's alleged violations under Section 5 of the Federal Trade Commission Act, the FTC ordered BetterHelp to comply with various provisions under its finalized order. These provisions include, but are not limited to, the following:
- A prohibition against the disclosure of treatment information and other covered information that targets the consumer for the purposes of advertising, marketing, promoting, offering, offering for sale, or selling any product or service. This includes sharing personal information for re-targeting, which is serving ads to consumers who visited the company's site or used its app;
- A requirement to obtain a consumer's affirmative express consent before disclosing certain information;
- A prohibition against misrepresentations about the privacy of certain consumer information;
- An order requiring BetterHelp to instruct third parties to delete certain consumer information that does not receive a consumer's affirmative express consent;
- An order requiring BetterHelp to email a notice, drafted by the FTC, to certain consumers affected by the company's conduct;
- An order requiring BetterHelp to establish and implement a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of certain consumer information;
- An order requiring BetterHelp to obtain privacy assessments by a third-party assessor that details how the company is complying with the privacy program it is required to establish in the prior order;
- Ongoing compliance reports to the FTC and recordkeeping; and
- Monetary relief paid to the FTC in the amount of $7.8 million that will be used to provide partial refunds to people who signed up for and paid for BetterHelp's services between August 1, 2020, and December 31, 2020.
The FTC asserts that its case against BetterHelp will offer guidance to other businesses similarly situated in the healthcare industry. It issued the following statement: "Honor your privacy promises, tell the truth, and get consumers' affirmative express consent before sharing any health information."
BetterHelp responded to the FTC's settlement on its website, stating that they were using industry-standard practices frequently put forth by some of the largest healthcare providers. However, they "understand the FTC's desire to set new precedents around consumer marketing" and are "happy to settle this matter with the agency." BetterHelp also clarified that the settlement was not an admission of wrongdoing and specified certain information they never shared with advertisers and similar third parties, such as members' names or clinical data from therapy sessions.
Businesses can stay compliant with the Federal Trade Commission Act by adopting the following standards:
- Keeping consumers informed of updated privacy policies and data usages, through explicit notice such as emails or push notifications.
- Allowing consumers to opt in or out of sharing certain sensitive information with third parties.
- Implementing security measures to protect sensitive consumer data and frequently checking those measures to ensure they stay up-to-date and working.
- Maintaining oversight of how third parties use consumer data through contracts or other available legal means.
Gordon & Rees would like to acknowledge Orange County Summer Associate, Jennifer Pemberton, who served as a contributing author of this article.