The Federal Trade Commission ('FTC') announced, on 2 March 2023, a proposed consent order banning BetterHelp, Inc. from sharing consumers' health data and requiring the same to pay $7.8 million for violations of §5(a) of the Federal Trade Commission Act ('the FTC Act'), following an investigation.

Background to the case

In particular, the FTC highlighted that it had initiated an investigation into certain acts and practices of BetterHelp, following concerns regarding potential violations of the FTC Act, proceeding in the public interest.

Findings of the FTC

Following its investigation, the FTC determined in its complaint that, although BetterHelp promised consumers that it would not use or disclose their personal health data except for limited purposes, such as to provide counselling services, BetterHelp used and revealed consumers' email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest, for advertising purposes.

Further to the above, the FTC's complaint concluded that BetterHelp violated §5(a) of the FTC Act by:

• unfairly failing to employ reasonable measures to protect consumers' health information in connection with the collection, use, and disclosure of the same information;
• unfairly failing to obtain consumers' affirmative express consent prior to collecting, using, and disclosing consumers' health information;
• failing to disclose that it shared consumers' health information with third parties for BetterHelp's advertising purposes and the recipient third parties' own business purposes;
• failing to disclose that BetterHelp used consumers' health information to target the consumers and others with advertisements;
• misrepresenting that it would not disclose consumers' health information to third parties for advertising and the recipient third parties' own business purposes, and that it would not use such information for advertising or advertising-related purposes, or share such information with anyone except each consumer's licensed therapist; and
• misrepresenting that a governmental agency or third party had reviewed BetterHelp's practices and determined that such practices met the requirements of Health Insurance Portability and Accountability Act of 1996 ('HIPAA').

Outcomes

In light of the above, the FTC noted that it had accepted the agreement with BetterHelp containing the consent order and placed it on the public record for a period of 30 days for the receipt and consideration of public comments.

In addition, the FTC explained that the proposed consent order contains provisions designed to prevent BetterHelp from engaging in the same or similar acts or practices in the future, namely:

• prohibiting BetterHelp from sharing individually identifiable information relating to the past, present, or future physical or mental health or condition(s) of a consumer with any third party;
• requiring BetterHelp to obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;
• requiring BetterHelp to put in place a comprehensive privacy program that includes strong safeguards to protect consumer data;
• requiring BetterHelp to direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them; and
• requiring BetterHelp to limit how long it can retain personal and health information according to a data retention schedule.

Notably, the proposed consent order also requires BetterHelp to pay $7.8 million in monetary relief for consumer redress.

You can read the announcement here, the complaint here, and the proposed consent order here.