On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.
This latest enforcement action comes just one month after the FTC announced an enforcement action against GoodRx for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Where the GoodRx enforcement action marked the first time the FTC enforced the HBNR, the BetterHelp enforcement action similarly sets a new precedent for the FTC: This is the first FTC enforcement action returning funds to consumers whose health information was compromised by BetterHelp’s alleged misdeeds. The proposed order (“Proposed Order”) also sets out extensive requirements to prohibit BetterHelp from disclosing health information for advertising and misrepresenting its information sharing practices. The GoodRx and BetterHelp enforcement actions appear to be part of a larger effort by the FTC to monitor the practices of websites, apps, and connected devices that capture consumers’ sensitive health information.
According to the Complaint, BetterHelp offers online counseling services by matching users with BetterHelp therapists and facilitating counseling via BetterHelp’s various websites and apps. BetterHelp also offers specialized versions of its counseling services for people of the Christian faith, members of the LGBTQ community, and teenagers. To sign up for BetterHelp’s services, consumers must fill out a questionnaire that asks sensitive mental health questions, such as whether they have experienced depression or suicidal thoughts, have previously been in counseling, or take any medications. Consumers also provide their name, email address, birth date, and other personal information. In its press release on the enforcement action, the FTC suggests that consumers are “pushed” to provide this information by “repeatedly showing them privacy misrepresentations and nudging them with unavoidable prompts to sign up for its counseling service.” Consumers are then matched with a BetterHelp counselor and pay between $60 and $90 per week for counseling.
The Complaint alleges that in recognition of the amount of sensitive health information consumers provide, BetterHelp “repeatedly promised” to keep this information “private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.” However, over a period of seven years from 2013 through 2020, BetterHelp purportedly “continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements” for BetterHelp’s services. For example, BetterHelp allegedly shared its users’ email addresses and the fact they were in counseling with Facebook, which in turn identified similar consumers and targeted them with BetterHelp advertisements. BetterHelp also allegedly shared its users’ information with other third-party advertising platforms, such as Pinterest, Snapchat, and Criteo. These advertising efforts reportedly brought in “tens of thousands of new paying users, and millions of dollars in revenue” to BetterHelp. BetterHelp also allowed these third-party companies to use BetterHelp users’ information for their own research and product development, further evidence that BetterHelp failed to contractually limit how third parties could use consumers’ health information.
The Complaint also alleges that BetterHelp “failed to employ reasonable measures to safeguard the health information it collected from consumers.” BetterHelp is accused of not training its employees on how to properly protect user information when using it for advertising purposes and not overseeing its staff’s use of user information.
The Proposed Order
The Proposed Order imposes a $7.8 million fine on BetterHelp, to be paid into a fund, to refund consumers who signed up and paid for BetterHelp’s counseling services between August 1, 2017, and December 31, 2020. The FTC reports that this is the first enforcement action seeking to return funds to consumers whose health information was compromised. In addition to the monetary penalty, the Proposed Order prohibits BetterHelp from sharing users’ “individually identifiable information relating to the past, present, or future physical or mental health or condition(s)” with third parties for advertising or re-targeting previous users. Further, the Proposed Order requires BetterHelp to:
- Obtain users’ affirmative express consent before disclosing personal information to third parties for any purpose;
- Establish, implement, and maintain a comprehensive privacy program that includes strong safeguards to protect consumer information;
- Direct third parties to delete the consumer health information and other personal information that BetterHelp revealed to them; and
- Limit how long BetterHelp retains personal and health information according to a data retention schedule.
Digital health companies and other companies that operate websites, apps, or connected devices that capture consumers’ sensitive health information should take heed of the FTC’s enforcement actions against both BetterHelp and GoodRx. As evidenced by the BetterHelp enforcement action, companies must safeguard user information and not endeavor to leverage this information for advertising opportunities in violation of promises made to consumers. The BetterHelp enforcement action also underscores the need for appropriate user notification mechanisms to obtain user consent before disclosing their information to third parties. Further, companies should recall from the GoodRx enforcement action that even companies that are not subject to the requirements of the Health Insurance Portability and Accountability Act could still be subject to the HBNR. While the FTC did not allege violations of the HBNR by BetterHelp, further enforcement action could still be looming.
The BetterHelp enforcement action is especially noteworthy as it is the first time the FTC has endeavored to redress consumer injuries for those whose sensitive health information was inappropriately used and disclosed. This is the FTC’s second “first” in the area of health information enforcement in the span of just one month, so companies should be on the lookout for more to come.
For more information or advice regarding this enforcement action or data privacy issues in general, please contact the professional(s) listed below or your regular Crowell & Moring contact.