2023-03-09

On March 2, 2023, following a 4-0 vote, the Federal Trade Commission announced a complaint and proposed consent order with BetterHelp, Inc., an online counseling platform that allegedly leaked consumer health data to third-party advertising platforms. The settlement requires payment of $7.8 million to be used for consumer refunds – the first time an FTC action has demanded the return of funds to consumers whose health data were allegedly compromised. The BetterHelp case comes just weeks after the FTC’s enforcement action against GoodRx, which also allegedly leaked consumer health data to third-party advertising platforms without permission. Together, the two cases demonstrate the considerable attention the FTC pays to consumer health privacy issues.

Proposed Complaint and Order

According to the FTC’s complaint, BetterHelp shared email and IP addresses, and in some cases intake information such as the individual’s prior use of counseling or therapy, with several advertising platforms. In particular, according to the FTC, BetterHelp disclosed this data (1) to retarget with advertisements people who had visited its website but had not registered for its services, and people who had opened accounts but had not subscribed to its services, and (2) for “look-alike” advertising, that is, to identify the characteristics and interests of website visitors or users of its services in order to show advertisements to other people with similar interests and characteristics.

The FTC acknowledged that BetterHelp hashed the email addresses before sharing them (i.e., converted each one into a fixed-length string of characters from which the address cannot be read directly), but also alleged that this did not protect the privacy of the individuals in question, because the advertising platforms linked the hashed email addresses to their own internal user IDs and thus, according to the complaint, could learn sensitive information about those users. As it did in the GoodRx complaint, the FTC specifically pointed to the fact that BetterHelp did not use generic event names for consumer information (e.g., “Event 1, Event 2”) and instead disclosed what each event corresponded to, such as whether the individual had ever undergone counseling or therapy, noting that such disclosure allowed the receiving ad platforms to learn not only that particular users were interested in therapy, but also that they had already undergone therapy. In addition, as it did in the GoodRx case, the FTC pointed to BetterHelp’s acceptance of the advertising platforms’ terms and conditions, which in many cases allow the platforms to use data provided by advertisers like BetterHelp for the platforms’ own purposes.
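The two mechanisms the complaint describes (a hashed email that is still a stable join key, and descriptive event names that carry the sensitive meaning) can be shown in a few lines. The following is an added illustration, not code from the complaint, from BetterHelp, or from any ad platform; all email addresses, user IDs and event names are constructed sample data, and the normalize-then-SHA-256 step is an assumption about how such uploads are typically prepared. It demonstrates why a deterministic hash is not anonymization: a party that already holds the plaintext emails can recompute the same hashes and re-link the records, while opaque event labels at least withhold what each event means.

```python
import hashlib


def normalize_and_hash(email: str) -> str:
    """Deterministic pseudonym: trim, lowercase, SHA-256 (assumed upload convention).
    The same address always produces the same digest, so the digest is a join key."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample: records a site might send to an ad platform. Note that the
# event names themselves disclose the sensitive fact (prior therapy use).
SITE_EVENTS = [
    {"hashed_email": normalize_and_hash("alice@example.com"), "event": "prior_therapy_yes"},
    {"hashed_email": normalize_and_hash("bob@example.com"), "event": "visited_signup_page"},
    {"hashed_email": normalize_and_hash("carol@example.com"), "event": "prior_therapy_yes"},
]

# Constructed sample: the ad platform's own account table. It already stores its
# users' plaintext emails (with arbitrary casing), so it can hash them itself.
PLATFORM_USERS = {
    "uid-1001": "Alice@Example.com",
    "uid-1002": "bob@example.com",
    "uid-1003": "dave@example.com",
}


def build_platform_index(users: dict) -> dict:
    """Map hash -> internal user ID, computed entirely from data the platform holds."""
    return {normalize_and_hash(email): uid for uid, email in users.items()}


def relink(site_events: list, index: dict) -> list:
    """Join the received hashed emails against the platform's own index.
    Every hit attaches the event (and its meaning) to a known platform account."""
    matched = []
    for ev in site_events:
        uid = index.get(ev["hashed_email"])
        if uid is not None:
            matched.append((uid, ev["event"]))
    return matched


def generic_event_names(site_events: list) -> tuple:
    """Replace descriptive event names with opaque labels ('Event 1', 'Event 2', ...),
    the practice the complaint notes was not followed. Returns the rewritten
    records and the label mapping, which stays with the sender."""
    mapping = {}
    rewritten = []
    for ev in site_events:
        label = mapping.setdefault(ev["event"], f"Event {len(mapping) + 1}")
        rewritten.append({"hashed_email": ev["hashed_email"], "event": label})
    return rewritten, mapping


if __name__ == "__main__":
    index = build_platform_index(PLATFORM_USERS)
    for uid, event in relink(SITE_EVENTS, index):
        print(f"{uid} <- {event}")
    opaque, _ = generic_event_names(SITE_EVENTS)
    print(opaque)
```

Running the script re-links two of the three records (the third address is unknown to the platform), including the one whose plaintext casing differed, because both sides normalize before hashing. With generic labels the platform still gets the join key, so the identity linkage remains; only the semantic content of the event is withheld, which is why the complaint treats hashing alone as insufficient.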

Additionally, the FTC alleged that BetterHelp failed to obtain affirmative express consent to collect, use, and disclose consumer health information for such advertising purposes or for use by the advertising platforms for their own purposes, and that it lacked written policies, procedures, and adequate employee and contractor training relating to the processing of consumer health information.

The FTC also alleged that the company displayed a HIPAA compliance seal when in fact no government agency or other third party had ever reviewed BetterHelp’s privacy or information security practices and determined that they met the requirements of HIPAA. The FTC further alleged that HIPAA does not even regulate many BetterHelp therapists.

The FTC alleges that these practices were unfair or deceptive under Section 5 of the FTC Act in light of statements BetterHelp made during its registration process (for example, “Rest assured, any information provided in this questionnaire will remain confidential between you and your counselor”), in its privacy policy and in its cookie policy, as well as in light of statements BetterHelp did not make, for example that it would use and disclose health information to third parties who may use the data for their own purposes.

The proposed consent order (1) prohibits BetterHelp from disclosing personal information, including health information, to third parties for the purpose of retargeting advertising (whether or not BetterHelp obtains consumer consent); (2) requires BetterHelp to obtain affirmative express consent to share personal information, including specified health information; (3) requires BetterHelp to request that third parties delete the data and to notify consumers of the FTC enforcement action; and (4) includes a mandatory privacy program requirement and a requirement to report data breaches to the FTC. As noted above, BetterHelp must also pay $7.8 million to be used for consumer redress.

Takeaways

This case, especially in combination with the recent case against GoodRx, highlights the high degree of scrutiny that the FTC applies to the processing of health information, including by websites and mobile applications not regulated by HIPAA. These cases underscore the FTC’s view that companies should obtain affirmative express consent to collect, use, or disclose sensitive consumer health information for advertising purposes, even when that information does not on its face identify a consumer.

This is the first instance in which the FTC has focused on the role of sharing personal information in order to create look-alike audiences. In such models, the users whose data is shared do not themselves see ads as a result; rather, people with similar behaviors or characteristics do. Until now, most regulatory regimes and FTC attention have focused on practices that cause the data subject to see targeted advertisements. This may prompt other regulators to review similar practices or cause ad platforms to rethink their contractual commitments regarding such practices.

While the GoodRx case included a claim under the FTC Health Breach Notification Rule (HBNR) for disclosure of health information without consumer consent, as well as claims under Section 5, the claims against BetterHelp were brought entirely under Section 5. Commissioner Christine Wilson, in her concurring statement in the BetterHelp case, explained that this is because all of the health information allegedly disclosed by BetterHelp without permission came from a single source – the consumer – whereas a “personal health record” under the HBNR, as currently worded, requires information that “can be drawn from multiple sources.” At the same time, her concurrence reminds us that the FTC’s 2021 HBNR Policy Statement took a much broader view of what it means for information to be drawable from multiple sources. If the FTC sought to enforce that view, violators would face stiff civil penalties of up to $50,000 per violation.

Finally, the BetterHelp case, like the GoodRx case, reflects the FTC's increased willingness to bring unfairness claims. The complaint borrows from the FTC's data security "jurisprudence" by identifying a long list of supposedly "unreasonable" practices that it says are unfair. Additionally, through its claims that certain data practices are unfair, the FTC effectively interprets Section 5 to impose obligations remarkably similar to those imposed by the GDPR and the new comprehensive state privacy laws. For example, the BetterHelp complaint suggests that the failure of companies, or at least those handling sensitive consumer health data, to have internal written policies, employee training and contractual requirements for vendors – requirements similar to those imposed by the GDPR and/or new state privacy laws – may be considered "unfair" acts and practices. We expect to see more of these claims go forward, and these unfairness claims may portend the direction of the FTC's pending rulemaking on "commercial surveillance and data security", where the FTC must point to evidence, such as its law enforcement experience, to demonstrate the prevalence of any unfair or deceptive acts or practices that its rules ultimately address.

