The Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with BetterHelp, Inc. (“BetterHelp”), a mental health and online counseling platform. The FTC alleged that BetterHelp combined consumers’ sensitive health data with other personally identifiable information (PI) and shared it with third-party advertising platforms without first obtaining affirmative consent, in contradiction of its own privacy representations. The proposed order would require BetterHelp to pay $7.8 million in partial refunds to its customers. This is the first time the FTC has required a company to refund customers whose personal information was shared without consent. Going forward, BetterHelp is not permitted to share sensitive health information or PI without obtaining affirmative consent from the patient or customer. BetterHelp must also overhaul its privacy program and require the external parties that received sensitive consumer data to delete it.
This enforcement comes just a month after the FTC announced a $1.5 million settlement with GoodRx Holdings Inc. (“GoodRx”), a prescription drug discount provider. GoodRx allegedly failed to notify consumers and others of its unauthorized disclosure of consumers’ protected health information (PHI) to third parties for targeted advertising purposes. It was a notable settlement: it was the FTC’s first enforcement action under the little-used Health Breach Notification Rule in the almost 15 years since the rule was issued. The rule requires vendors of personal health records and related entities to notify consumers after breaches involving unprotected information.
This one-two punch underscores the FTC’s position: digital health companies and mobile apps should be transparent about their data collection practices, provide appropriate just-in-time explanations, and obtain consumers’ explicit affirmative consent before collecting, using, or sharing health information. Consent mechanisms and all agreements regarding consumer data must be harmonized with the privacy promises and practices that companies have made to their consumers.
In the BetterHelp complaint, the FTC alleges that during the relevant period, from 2013 to 2020, BetterHelp administered intake surveys to consumers seeking counseling services and collected sensitive health information together with other personal information (such as email addresses and IP addresses). BetterHelp promised to keep that information private. According to the FTC, however, BetterHelp shared the information with major advertising platforms to retarget users who had visited its site or used its app, and those third parties were able to use the information themselves. Interestingly, the FTC also found that, during the relevant period, BetterHelp displayed a HIPAA seal on its web pages alongside other third-party website-security logos, implying that BetterHelp was HIPAA compliant. But no government agency or other third party had reviewed BetterHelp’s information practices for HIPAA compliance, much less determined that those practices met HIPAA’s requirements. As previously mentioned, under the settlement BetterHelp will, among other things, pay $7.8 million to consumers, instruct its advertising partners to delete health data collected during the relevant period, strengthen its privacy program, and certify its compliance to the FTC.
What to learn from the BetterHelp and GoodRx cases:
- Follow the FTC’s recent policy statements closely: The FTC, under Chair Lina Khan, is focused on data privacy initiatives and sets out its priorities in policy statements ahead of enforcement actions. For example, in September 2021 the agency issued a policy statement making clear that health apps and connected devices that collect or use consumer health information must comply with the Health Breach Notification Rule; the GoodRx settlement followed that statement. In July 2022, following a Supreme Court ruling, the FTC published “Location, Health, and Other Sensitive Information: FTC Committed to Fully Enforcing the Law Against Illegal Use and Sharing of Sensitive Data” on its business blog; the most recent settlement, with BetterHelp, followed that statement.
- Sensitive health information and marketing practices are under the microscope: Depending on the circumstances, consumer health apps and related digital platforms may collect health data that is not considered PHI within the scope of HIPAA. The latest enforcement actions show that the FTC is scrutinizing digital health companies’ collection of sensitive health data, as well as representations about their marketing practices, regardless of whether HIPAA applies.
- Multiple enforcement tools: Both enforcement actions involved sensitive health data, but the BetterHelp settlement was brought under the FTC Act’s prohibition on unfair or deceptive business practices, while the GoodRx settlement was brought under the Health Breach Notification Rule. As the Director of the FTC’s Bureau of Consumer Protection said in connection with the GoodRx settlement, “the FTC has informed us that it will use all of its legal powers to protect the sensitive data of U.S. consumers from misuse and unlawful exploitation.”
- Monetary relief matters: In the BetterHelp case, the FTC imposed monetary relief for allegedly deceiving consumers after promising to keep their sensitive personal data private.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – delta-compliance.com