On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.

This latest enforcement action comes just one month after the FTC announced an enforcement action against GoodRx for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Where the GoodRx enforcement action marked the first time the FTC enforced the HBNR, the BetterHelp enforcement action similarly sets a new precedent for the FTC: This is the first FTC enforcement action returning funds to consumers whose health information was compromised by BetterHelp’s alleged misdeeds. The proposed order (“Proposed Order”) also sets out extensive requirements to prohibit BetterHelp from disclosing health information for advertising and misrepresenting its information sharing practices. The GoodRx and BetterHelp enforcement actions appear to be part of a larger effort by the FTC to monitor the practices of websites, apps, and connected devices that capture consumer’s sensitive health information.

The Complaint

According to the Complaint, BetterHelp offers online counseling services by matching users with BetterHelp therapists and facilitating counseling via BetterHelp’s various websites and apps. BetterHelp also offers specialized versions of its counseling services for people of the Christian faith, members of the LGBTQ community, and teenagers. To sign up for BetterHelp’s services, consumers must fill out a questionnaire that asks sensitive mental health questions, such as whether they have experienced depression or suicidal thoughts, have previously been in counseling, or take any medications. Consumers also provide their name, email address, birth date, and other personal information. In its press release on the enforcement action, FTC suggests that consumers are “pushed’ to provide this information by “repeatedly showing them privacy misrepresentations and nudging them with unavoidable prompts to sign up for its counseling service.” Consumers are then matched with a BetterHelp counselor and pay between $60 and $90 per week for counseling.

The Complaint alleges that in recognition of the amount of sensitive health information consumers provide, BetterHelp “repeatedly promised” to keep this information “private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.” However, over a period of seven years from 2013 through 2020, BetterHelp purportedly “continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements” for BetterHelp’s services. For example, BetterHelp allegedly shared its users’ email addresses and the fact they were in counseling with Facebook, which in turn identified similar consumers and targeted them with BetterHelp advertisements. BetterHelp also allegedly shared its users’ information with other third-party advertising platforms, such as Pinterest, Snapchat, and Criteo. These advertising efforts reportedly brought in “tens of thousands of new paying users, and millions of dollars in revenue” to BetterHelp. BetterHelp also allowed these third-party companies to use BetterHelp users’ information for their own research and product development, further evidence that BetterHelp failed to contractually limit how third parties could use consumers’ health information.

The Complaint also alleges that BetterHelp “failed to employ reasonable measures to safeguard the health information it collected from consumers.” BetterHelp is accused of not training its employees on how to properly protect user information when using it for advertising purposes and not overseeing its staff’s use of user information.

The Proposed Order

The Proposed Order imposes a $7.8 million fine on BetterHelp, to be paid into a fund, to refund consumers who signed up and paid for BetterHelp’s counseling services between August 1, 2017, and December 31, 2020. The FTC reports that this is the first enforcement action seeking to return funds to consumers whose health information was compromised. In addition to the monetary penalty, the Proposed Order prohibits BetterHelp from sharing users’ “individually identifiable information relating to the past, present, or future physical or mental health or condition(s)” with third-parties for advertising or re-targeting previous users. Further, the Proposed Order requires BetterHelp to:

  • Obtain users’ affirmative express consent before disclosing personal information to third-parties for any purpose;
  • Establish, implement, and maintain a comprehensive privacy program that includes strong safeguards to protect consumer information;
  • Direct third parties to delete the consumer health information and other personal information that BetterHelp revealed to them; and
  • Limit how long BetterHelp retains personal and health information according to a data retention schedule. 

Takeaways

Digital health companies and other companies that operate websites, apps, or connected devices that capture consumer’s sensitive health information should take heed of the FTC’s enforcement actions against both BetterHelp and GoodRx. As evidenced by the BetterHelp enforcement action, companies must safeguard user information and not endeavor to leverage this information for advertising opportunities in violation of promises made to consumers. The BetterHelp enforcement action also underscores the need for appropriate user notification mechanisms to obtain user consent before disclosing their information to third parties. Further, companies should recall from the GoodRx enforcement action that even companies that are not subject to the requirements of the Health Insurance Portability and Accountability Act could still be subject to the HBNR. While the FTC did not allege violations of the HBNR by BetterHelp, further enforcement action could still be looming.

The BetterHelp enforcement action is especially noteworthy as it is the first time the FTC has endeavored to redress consumer injuries for those whose sensitive health information was inappropriately used and disclosed. This is the FTC’s second “first” in the area of health information enforcement in the span of just one month, so companies should be on the lookout for more to come.

For more information or advice regarding this enforcement action or data privacy issues in general, please contact the professional(s) listed below or your regular Crowell & Moring contact.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jodi G. Daniel Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She…

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals. Jodi is a contributor to the Uniform Law Commission Telehealth Committee, which drafts and proposes uniform state laws related to telehealth services, including the definition of telehealth, formation of the doctor-patient relationship via telehealth, creation of a registry for out-of-state physicians, insurance coverage and payment parity, and administrative barriers to entity formation.

Photo of Brandon C. Ge Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards.

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.

Photo of Savanna Williams Savanna Williams

Savanna Williams is an Associate in Crowell & Moring’s Health Care Group and is part of the firm’s Digital Health Practice. Her practice focuses on counseling health care entities on regulatory matters, including the physician self-referral law and Medicare & Medicaid regulations. With…

Savanna Williams is an Associate in Crowell & Moring’s Health Care Group and is part of the firm’s Digital Health Practice. Her practice focuses on counseling health care entities on regulatory matters, including the physician self-referral law and Medicare & Medicaid regulations. With respect to digital health, Savanna provides strategic, legal, and policy advice to health technology clients navigating the intersection between health care and technology regulations. She also works with U.S. military veterans on discharge status upgrades on a pro bono basis.