In the wake of the Federal Trade Commission (“FTC”) enforcement action against GoodRx last month, the agency has issued another proposed consent order against virtual mental health platform BetterHelp on a similar basis. Namely, the organization’s privacy policies and representations did not match its privacy practices. The FTC’s order will require BetterHelp to pay $7.8 million, including to consumers whose data was shared with third parties for advertising purposes.
The FTC complaint alleges that BetterHelp’s enrollment process assures consumers that their personal health data will not be used or disclosed except to provide them with counseling. However, email addresses, IP addresses, and health questionnaire information were monetized and shared with Facebook, Snapchat, Criteo, and Pinterest, among others, for advertising purposes. Additionally, those third parties were not restricted in how they were permitted to use consumer data; for example, the recipient third parties were permitted to use the data for internal research and development and to improve their own advertising practices. Furthermore, the organization had included a Health Insurance Portability and Accountability Act (“HIPAA”) seal on its website to indicate that it was certified as HIPAA compliant, when in fact it had not undergone any type of HIPAA review or third-party accreditation.
Similar to GoodRx, the FTC’s complaint indicates that the practices of BetterHelp were unfair and deceptive in violation of the FTC Act, and the proposed consent order (i) prohibits BetterHelp from sharing health information for advertising purposes, (ii) requires BetterHelp to obtain express affirmative user consent prior to GoodRx sharing health information for any other purpose, (iii) requires BetterHelp to direct third parties to purge consumer health and other personal data, and (iv) limits BetterHelp’s future retention of personal and health information. The order also prohibits the company from making future misrepresentations regarding its privacy practices.
Unlike GoodRx, the FTC did not pursue enforcement under its Health Breach Notification Rule (“HBNR”) against BetterHelp. Commissioner Christine Wilson indicated that “One could argue that BetterHelp would fall within the ambit of the HBNR because it offers a health platform and app, particularly under the expansive view espoused in the Policy Statement… The information BetterHelp collects from consumers and provides to therapists on its platform does not constitute a personal health record of identifiable health information under the Rule because it does not include records that ‘can be drawn from multiple sources,’ as required by the existing formulation of the Rule. A consumer provides his or her information to BetterHelp, but the company does not pull additional health information from another source or vendor. For this reason, foregoing an HBNR count is appropriate.”
How Frier Levitt Can Help
Data privacy and technology regulations are evolving, and enforcement initiatives to protect consumer data are ramping up. This marks the FTC’s second enforcement action to protect consumer data in two months. Companies and providers with access to health data must ensure their practices are consistent with applicable federal and state laws that may impact how such data is accessed, used, and shared. Contact Frier Levitt for assistance in determining what measures you must take to ensure your data practices comply with the FTC Act.