On March 2, 2023, the Federal Trade Commission (FTC) announced a proposed settlement (also known as a “proposed consent order”) with BetterHelp, Inc., an online counseling service, for allegedly disclosing its website visitors’ and users’ “health information” to advertisers, despite making representations on the company’s website and in the company’s privacy policy that such information would stay anonymous or be disclosed only for limited purposes. Of note, the proposed consent order completely prohibits BetterHelp from disclosing any information associated with its website visitors and users to third parties for targeted advertising purposes, even if the company obtains consent from its users for such ad targeting. The proposed consent order also requires BetterHelp to obtain consent before disclosing any information associated with its website visitors and users to third parties for any other purpose, with some exceptions for company vendors.
The proposed consent order builds on other recent FTC settlements (e.g., Flo Health and GoodRx) and guidance (e.g., on the Health Breach Notification Rule and the privacy of individuals seeking reproductive services following Dobbs) to further define the FTC’s position on data sharing by digital health websites, apps, and other services.
This alert provides a summary and analysis of the FTC’s complaint against BetterHelp, the proposed consent order, and key observations.
The Complaint
Background
BetterHelp, Inc., operates online counseling services under several names, including BetterHelp, Faithful Counseling, and Pride Counseling. According to the FTC’s complaint, BetterHelp prompted website visitors to fill out an intake questionnaire which included questions regarding the visitor’s therapy experience and current emotional state, and requested the visitor’s email address and other contact information. When visitors and users provided the information on BetterHelp’s various websites, BetterHelp allegedly displayed 1) promises that responses to this questionnaire would stay private and 2) a “HIPAA” seal that implied that BetterHelp complied with the Health Insurance Portability and Accountability Act (HIPAA). BetterHelp’s privacy policy, revised numerous times between 2013 and 2021, also allegedly stated that visitors’ and users’ information is 1) not used or disclosed for advertising (until 2020) and 2) disclosed to third parties only for limited purposes. The FTC alleges that despite these privacy assurances, BetterHelp disclosed visitors’ and users’ “health information,” i.e., email addresses and/or questionnaire answers, to third-party advertisers such as Facebook, Snapchat, and Pinterest for retargeting and to build lookalike audiences.
Counts
The complaint alleges two unfairness counts, two counts of deception by omission, and four counts of affirmative deceptive representations.
- Unfairness Counts. The FTC included an unfairness count reflecting a novel legal theory that BetterHelp’s failure to implement safeguards to protect the privacy of consumers’ health information in connection with the collection, use, and disclosure of that information was an unfair act or practice under Section 5 of the FTC Act. Specifically, the FTC alleges that BetterHelp did not 1) develop, implement, or maintain “written” organizational standards or policies on their privacy practices and 2) provide adequate training for and supervision of employees or contractors to safeguard the privacy of consumers’ information, “resulting in the improper and unauthorized disclosure of that information to numerous third parties for advertising and other purposes.”[1] The FTC also alleges that BetterHelp did not obtain affirmative express consent before collecting, using, and disclosing consumers’ health information to third parties.
- Deception by omission. The FTC alleges that BetterHelp did not disclose that it used or disclosed consumers’ health information to third parties for advertising purposes or the third parties’ own uses.
- Affirmative misrepresentations. The FTC alleges that BetterHelp made affirmative misrepresentations regarding: 1) its disclosure of health information for advertising and third parties’ own uses; 2) its use of health information for advertising; 3) its disclosure of health information to anyone except each consumer’s licensed therapist; and 4) its practices having been reviewed by a government agency or other third party and determined to have met HIPAA’s requirements.
Proposed Order
The proposed consent order includes a number of significant obligations for BetterHelp, some of which are new to FTC privacy orders.
Consumer Redress
Under the proposed consent order, BetterHelp is required to pay $7.8 million into a consumer redress fund to be administered by the FTC. Monetary penalties are highly unusual in FTC privacy enforcement actions where there is not a violation of a specific regulatory rule, and consumer redress is even more rare. Indeed, the FTC’s proposed consent order with BetterHelp represents the agency’s first apparent foray into using its Section 19 authority post-AMG v. FTC to obtain consumer redress for “dishonest or fraudulent” conduct in a privacy settlement that does not involve the violation of a specific regulatory rule.[2]
Broad and Expansive Definitions
The FTC alleges in its complaint that the mere disclosure of “a [v]isitor’s or [u]ser’s email address” constituted a disclosure of that website visitor or user’s health information.[3] The proposed consent order then defines “Covered Information” to include both traditional categories of personal information and “Therapy Information,” which means any individually identifiable information related to the past, present, or future physical or mental health or condition(s) of a consumer, including information concerning a consumer’s use or creation of a BetterHelp account and any information derived or extrapolated from the consumer’s health information.
Second, a tension exists between the complaint and the proposed consent order regarding service providers’ permissible secondary uses of Covered Information. Specifically, the proposed consent order defines a “Third Party” as any individual or entity other than, among other things, BetterHelp’s service providers or any entity that uses Covered Information only as reasonably necessary to achieve a specific set of purposes, such as complying with the law or conducting internal research and development. While the complaint takes issue with Facebook and Pinterest using the disclosed data for their own purposes, including research and development, the proposed consent order seemingly permits such uses by allowing service providers to use data for internal research and development purposes. The scope of research and development purposes that the FTC views as acceptable for service providers that handle health information to engage in therefore remains unclear.
Specific Prohibitions
The proposed order outlines several different prohibitions or requirements, including audit and compliance monitoring requirements that are increasingly common in privacy cases. Particularly noteworthy requirements in the proposed consent order include:
- Prohibition on disclosures of personal information and health information to third parties for advertising and ad targeting purposes. The proposed consent order would prohibit BetterHelp from disclosing a consumer’s Therapy Information to Third Parties for advertising and ad-targeting purposes generally, and it would prohibit BetterHelp from disclosing a consumer’s broader category of Covered Information to Third Parties for the purpose of targeting advertising to that consumer. In other words, the proposed consent order would prohibit any form of ad retargeting to BetterHelp’s website visitors, even if BetterHelp obtained the visitor’s consent for such retargeting.
- Prohibition on the disclosure of personal and health information without obtaining affirmative express consent. The proposed consent order would restrict BetterHelp from disclosing Covered Information, which includes health information, to any Third Parties for non-advertising purposes without first obtaining users’ affirmative express consent.
- Prohibition on misrepresenting data privacy and security practices, including compliance with federal or industry standards, such as the use of a HIPAA seal. The proposed consent order would prohibit BetterHelp from misrepresenting the extent to which BetterHelp has data privacy and security practices covering the collection, use, disclosure, deletion, retention, maintenance, and sharing of Covered Information. Notably, this requirement includes the deceptive advertisement of a HIPAA seal to demonstrate BetterHelp’s compliance with HIPAA.
- Data deletion. BetterHelp would be required to inform the FTC of all Third Parties to whom Covered Information was disclosed and account for the types of Covered Information disclosed. BetterHelp would then be required to direct all such Third Parties to delete the information and would not be permitted to use those Third Parties for any advertising (even non-targeted) until they confirm each Third Party’s receipt of the deletion instructions.
- Mandated privacy program. The proposed consent order would require BetterHelp to design and implement a comprehensive privacy program that protects the privacy, security, and confidentiality of consumers’ Covered Information, including their health information. Notably, the FTC would require BetterHelp to conspicuously identify the categories of personal and health information BetterHelp collects from consumers; the purposes for the collection for each category of information; and identify the categories of information that are shared with third parties.
- Covered incident reporting. The proposed consent order defines “Covered Incident” in a way that would require BetterHelp to report to the FTC any order violations pertaining to 1) the disclosure of a consumer’s Therapy Information to Third Parties for advertising purposes or Covered Information for ad-targeting purposes; 2) obtaining affirmative express consent before disclosing consumers’ Covered Information to Third Parties for non-advertising purposes; or 3) BetterHelp misrepresenting its data privacy and security practices.
Key Observations
Taken together, the FTC’s February settlement with GoodRx and its current settlement with BetterHelp provide a roadmap for the agency’s agenda on health privacy. Below are some observations on current trends:
- Prohibition on disclosure of personal information and health information to third party advertisers. As in the FTC’s settlement with GoodRx, BetterHelp’s proposed consent order prohibits the company from disclosing a consumer’s health information to third parties for advertising purposes, even if a consumer affirmatively consents to such practices. BetterHelp’s proposed consent order goes a step further, however, by also prohibiting BetterHelp’s disclosure of any personal information for targeted advertising.
- Affirmative express consent for disclosures to all other third parties. The FTC’s orders against GoodRx and BetterHelp both require the companies to obtain affirmative express consent from consumers to disclose certain information to third parties (other than for disclosures for advertising, which is prohibited). Again, while the GoodRx order applies to just health information, BetterHelp’s order requires affirmative express consent to disclose any personal information to a third party. Importantly, the proposed consent order defines “third party” in a novel way, potentially including certain vendors that companies may traditionally view as service providers.
- Incorporating data security requirements into health privacy cases. Covered incident reporting requirements are more typical of the FTC’s data security cases where a data breach incident occurred. The FTC’s recent health privacy cases, however, have established a broader definition of “covered incident” and imposed this reporting requirement for digital health companies, regardless of whether a security breach occurred.
- Skeptical view of hashed emails. The FTC notes that although BetterHelp hashed consumers’ email addresses before disclosing them to third-party advertisers, such hashing does not conceal account holders’ identity from the advertisers where the advertiser also possesses the consumer’s email address.
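Why hashing did not help, as an added illustration that is not part of the original alert or the FTC’s materials: a recipient that already holds the same addresses recomputes the digests and joins on them, while a digest keyed with a secret that never leaves the service yields no matches. The sketch assumes unsalted SHA-256 over a trimmed, lowercased address (the alert does not name the algorithm), and all addresses, function names, and the key are constructed.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    # Assumed normalization: trim whitespace and lowercase.
    return email.strip().lower()

def plain_hash(email: str) -> str:
    # Unkeyed digest: anyone holding the same address computes the same value.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_pseudonym(email: str, key: bytes) -> str:
    # Keyed digest: cannot be recomputed without the service's secret key.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

def reidentify(received: set[str], known_emails: list[str]) -> dict[str, str]:
    """Recipient side: map received digests back to addresses it already holds."""
    index = {plain_hash(e): normalize(e) for e in known_emails}
    return {digest: index[digest] for digest in received if digest in index}

# Constructed sample data (not taken from the complaint or the order).
SERVICE_USERS = ["Alice@example.com", " bob@example.org", "carol@example.net"]
RECIPIENT_ACCOUNTS = ["alice@example.com", "bob@example.org", "dave@example.com"]
SERVICE_KEY = b"constructed-secret-held-only-by-the-service"

def demo() -> tuple[dict[str, str], dict[str, str]]:
    shared_plain = {plain_hash(e) for e in SERVICE_USERS}
    shared_keyed = {keyed_pseudonym(e, SERVICE_KEY) for e in SERVICE_USERS}
    return (reidentify(shared_plain, RECIPIENT_ACCOUNTS),
            reidentify(shared_keyed, RECIPIENT_ACCOUNTS))

if __name__ == "__main__":
    plain, keyed = demo()
    print("re-identified from unkeyed hashes:", sorted(plain.values()))
    print("re-identified from keyed digests: ", sorted(keyed.values()))
```

A keyed digest is useless for audience matching by design, which is the point: a hash that still lets the recipient match accounts is a shared identifier, not anonymization.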
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Tracy Shapiro, Haley Bavasi, Eddie Holman, Hale Melnick, Yeji Kim, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] FTC Complaint ¶ 77, In the Matter of BetterHelp, Inc. (March 3, 2023).
[2] While the complaint does not mention Section 19 of the FTC Act or use the terms “dishonest” or “fraudulent,” outgoing Commissioner Christine Wilson indicated her support for obtaining monetary relief under Section 19 in a concurring statement posted with the settlement package.
[3] FTC Complaint ¶ 48, In the Matter of BetterHelp, Inc. (March 3, 2023). “As noted above, each such disclosure of even a Visitor’s or User’s email address constituted a disclosure of the Visitor’s or User’s health information. Specifically, because Respondent collected email addresses only from Visitors and Users seeking mental health therapy via the Service (by filling out the Intake Questionnaire, signing up for the Service, and/or becoming a User), disclosure of a Visitor’s or User’s email address implicitly identified the Visitor or User as one seeking and/or receiving mental health therapy via the Service.”