- The Federal Trade Commission (FTC) has indicated that companies working in the digital health space must prioritize the safeguarding of consumer data privacy.
- Recent enforcement by the agency includes a consent decree issued to a mental health treatment organization to settle claims that it engaged in unfair and deceptive trade practices.
- This Holland & Knight alert examines the FTC's heightened approach to data security and ways in which digital health companies can avoid pitfalls.
The Federal Trade Commission (FTC) is on a roll in its efforts to signal to the digital health industry that data privacy must be a priority. The FTC announced a consent decree with BetterHelp on March 2, 2023, to settle claims that the online mental health treatment company engaged in unfair and deceptive trade practices when it made website visitor information available to third parties for marketing and advertising purposes. The settlement highlights the growing risk associated with the use of third-party cookies and pixels on websites for companies that offer health services.
- The FTC's complaint (Complaint) emphasizes the government's position that an email address or an IP address by itself can disclose private information about a consumer, because the identity of the entity sharing the data (here, a mental health service) reveals that the consumer sought its services.
- The FTC considered failure to obtain "affirmative express consent" for disclosure of health information to social media companies for advertising purposes to be an unfair trade practice – a significant position since the practice in the U.S. is generally opt-out, if any choice is offered at all.
- Various forms of disclosures, in particular about cookies, were said to be misleading. The FTC observed that BetterHelp repeatedly promised to keep health information private but then engaged in marketing activities that resulted in information being shared with third parties.
- The FTC alleged that displaying a seal implying compliance with the Health Insurance Portability and Accountability Act (HIPAA) was deceptive.
The FTC's Complaint
BetterHelp is an online service that offers individuals access to mental health counseling for a weekly fee. To sign up, individuals must complete a web-based intake form and create an account. The Complaint alleges that, between 2013 and 2020, BetterHelp made the information submitted in this process available to third parties, including social media companies. While the Complaint states that BetterHelp did so for its own marketing purposes, so that the third parties could advertise to potential users of BetterHelp services, it also alleges that BetterHelp did not prevent the third parties from using BetterHelp consumer data for their own purposes, including research and product development.
The Complaint is light on technical details as to how the disclosures occurred but strongly implies that this was mainly through third-party cookies and tracking pixels that collected information when individuals visited BetterHelp's websites and completed the intake forms. The Complaint also alleges that BetterHelp actively shared details regarding certain individuals with Facebook and requested that Facebook use its "look-alike" tool to profile those individuals and market to others with similar characteristics.
BetterHelp displayed HIPAA seals on numerous web pages. Also, its sales representatives told consumers that the company was "HIPAA certified." The FTC viewed this as deceptive to the extent that the company was signaling to consumers that its practices met HIPAA's requirements. In fact, no third party reviewed the company's information practices to determine whether they complied with HIPAA. Additionally, the FTC observed that many of the company's therapists are not subject to HIPAA and that the company does not know which data are protected by HIPAA and which are not.
BetterHelp neither admitted nor denied the allegations of the Complaint in the consent decree.
The FTC imposed fairly typical requirements associated with privacy and security consent decrees, such as the requirement for a privacy program and external assessments. Additionally, the consent decree requires BetterHelp to obtain "affirmative express consent" before any future disclosure of "Covered Information" to a third party. Covered Information is defined broadly to include persistent identifiers such as cookie IDs or IP addresses. Because third-party cookies and pixels transmit exactly those identifiers, BetterHelp effectively has to obtain opt-in consent before any such tag can run, which goes far beyond current legal requirements for most entities. There is also a $7.8 million payment for consumer redress.
Digital health companies should:
- consider carefully whether any of their web pages or apps collect information that could be considered sensitive, and whether third-party cookies or pixels are present on those pages
- review their privacy policies and ensure they can be followed
- proceed carefully when disclosing health data to third parties to ensure it is used and disclosed only for permissible purposes and that third-party contracts provide adequate guardrails
- train employees regarding privacy, the company's specific policies and restrictions on how personal data must be protected
- avoid characterizing the company's policies as being HIPAA-compliant if that is not, in fact, the case – particularly if HIPAA does not apply to the company
- make sure consumer-facing privacy policies are clear, both visually and in content
Most importantly, companies should make sure they keep whatever privacy promises have been made to consumers.
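The following Node.js script is an added example; it is not code from this alert or from BetterHelp. It shows two checks a practitioner would want for the risk described above: a crude audit that flags a page whose intake form collects health-related fields while also loading tags from hosts outside the first party, and a deny-by-default tag gate that loads a third-party tag and sends events only after an explicit opt-in, and even then never forwards form values. The page HTML, the host names (example-health.test), the pixel placeholder and the field-name pattern are constructed for the example and are assumptions, not BetterHelp's actual pages.

```javascript
// Added example (not from the alert or BetterHelp): audit an intake page for
// third-party tags next to sensitive fields, and gate tracking on opt-in consent.

// Hypothetical first-party hosts for the site being audited.
const FIRST_PARTY_HOSTS = new Set([
  'example-health.test', 'www.example-health.test', 'cdn.example-health.test',
]);

// Illustrative (not exhaustive) pattern for form field names that suggest health data.
const SENSITIVE_FIELD_PATTERN = /diagnos|therap|medic|symptom|mental|depress|anxiet|health/i;

// Constructed sample of an intake page that loads a tracking script and a
// 1x1 pixel from a third party on the same page as the intake form.
const SAMPLE_INTAKE_PAGE = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://cdn.example-health.test/site.css">
</head><body>
<form action="/signup" method="post">
  <input name="email" type="email">
  <select name="therapy_history"><option>none</option></select>
  <textarea name="current_symptoms"></textarea>
</form>
<img src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView" width="1" height="1">
</body></html>`;

// Resolve a src/href against the page host; returns null for unparseable values.
function hostOf(url, pageHost) {
  try { return new URL(url, `https://${pageHost}/`).hostname; } catch { return null; }
}

// Heuristic tag scan: every script/img/iframe/link with a src or href attribute.
function extractResources(html) {
  const re = /<(script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push({ tag: m[1].toLowerCase(), url: m[2] });
  return found;
}

// Names of form controls whose name matches the sensitive-field pattern.
function findSensitiveFields(html) {
  const re = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
  const names = [];
  let m;
  while ((m = re.exec(html)) !== null) if (SENSITIVE_FIELD_PATTERN.test(m[1])) names.push(m[1]);
  return names;
}

// A finding is raised only when both conditions hold on the same page.
function auditPage(html, pageHost, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const thirdParty = extractResources(html)
    .map(r => ({ ...r, host: hostOf(r.url, pageHost) }))
    .filter(r => r.host !== null && !firstPartyHosts.has(r.host));
  const sensitiveFields = findSensitiveFields(html);
  return { thirdParty, sensitiveFields, finding: thirdParty.length > 0 && sensitiveFields.length > 0 };
}

// Deny-by-default gate for a third-party tag. Nothing is loaded and no event
// leaves the page until the user affirmatively opts in (a control the user must
// act on, never inferred from continued browsing). Even after opt-in only a
// coarse event name is sent: intake form values are never forwarded.
function createTagGate(loadThirdPartyTag, sendEvent) {
  let optedIn = false;
  let tagLoaded = false;
  const refused = []; // event names dropped before consent, kept for audit logs

  return {
    optIn() {
      optedIn = true;
      if (!tagLoaded) { loadThirdPartyTag(); tagLoaded = true; }
    },
    optOut() { optedIn = false; },
    // _formValues is accepted so call sites look like a typical pixel call,
    // but it is deliberately never read: only the event name goes out.
    track(eventName, _formValues = {}) {
      if (!optedIn) { refused.push(eventName); return false; }
      sendEvent({ event: eventName });
      return true;
    },
    refusedEvents() { return refused.slice(); },
  };
}

// Stand-alone demo of both checks on the constructed page.
const report = auditPage(SAMPLE_INTAKE_PAGE, 'www.example-health.test');
console.log(`finding=${report.finding}`, report.thirdParty.map(r => r.host), report.sensitiveFields);

const sentEvents = [];
const gate = createTagGate(() => console.log('third-party tag loaded'), e => sentEvents.push(e));
gate.track('IntakeSubmitted', { email: 'user@example.test', current_symptoms: '...' }); // refused
gate.optIn();
gate.track('IntakeSubmitted', { email: 'user@example.test' });                          // sent, no values
console.log(sentEvents, gate.refusedEvents());
```

The audit is a regex heuristic over raw HTML, so it will miss tags injected at runtime by a tag manager and may over-match attributes such as data-src; run it against the rendered DOM of a real page, and treat any hit as a prompt to review the third-party contract and the consent flow rather than as a conclusion on its own.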
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.