The Federal Trade Commission continues to be a powerful force reining in privacy abuses against American consumers. In March 2023, the FTC announced a proposed $7.8 million settlement with BetterHelp, an online therapy and counseling service, for repeatedly violating its promise to consumers “not to use or disclose their personal health data.”
Health information, and mental health information in particular, is sensitive and confidential. Even so, online counseling service BetterHelp (acquired by telehealth company Teladoc in 2015) repeatedly violated its customers’ trust by disclosing that information to a variety of partners and advertisers over the course of multiple years.
The practices for which BetterHelp has been penalized were also employed by white-labeled versions of its platform targeted at particular demographics like the LGBTQ community, Christians, Spanish speakers, and teens. In addition to its “promises,” BetterHelp deployed a HIPAA seal, despite the fact that no government agency reviewed its practices or validated that they met the landmark health privacy law’s standards.
BetterHelp promised consumers that it would keep their confidential data private in a number of ways, stating that “background information about you and the issues you’d like to deal with” would only be used to match the consumer with an appropriate therapist. Nonetheless, the FTC states that BetterHelp shared the health information of over 7 million users and email and IP addresses of over 5 million users with a variety of advertising platforms and social media companies to target them with ads. According to the FTC, after a 2020 news story broke that BetterHelp was sharing private information, the company “doubled down on the deception by falsely denying it had shared consumers’ personal information.”
In addition to the payment of refunds, the settlement requires BetterHelp to remedy its privacy malpractice through a series of requirements that will last 20 years (in most cases). BetterHelp must contact the affected customers directly about the case and direct third parties (the advertising platforms) to delete the health and other private data shared with them. The order also prohibits BetterHelp from using consumer data for advertising. Additionally, BetterHelp must stop misrepresenting its data collection and use policies and obtain “affirmative express consent” before sharing any data with a third party. The settlement also requires that an independent third party conduct privacy assessments of BetterHelp.
While agreeing to the settlement, BetterHelp’s blog states that it “is no admission of wrongdoing.”
All businesses that have online privacy policies or make public statements about their privacy practices need to know that they can be legally liable for not following through on those promises. Federal law and many state laws prohibit unfair competition, which includes deceptive acts or practices. Inaccurate or misleading privacy policies can be considered a deceptive act or practice.
For businesses drafting privacy policies, it is therefore important to ensure that what they are writing is accurate. Doing that is a team effort: at a minimum, IT, marketing, and any website hosting vendors need to be involved for information collected through the website. Additionally, businesses that use third-party widgets or tools on their website need to understand what information those tools collect and how it is being used.
Organizations must recognize that cookie banners and older forms of acquiring and managing consumer consent will no longer suffice; they must deploy enterprise consent management solutions.