We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information. On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category. Also unlike the previous matter, the FTC did not cite to the health breach notification requirements, but instead included claims only under Section 5 of the FTC Act. Under the proposed consent, BetterHelp would pay $7.8 million, which the FTC may use for consumer redress. In the Matter of BetterHelp, Inc., FTC File No. 2023169 (Mar. 2, 2023).
The FTC Complaint
According to the FTC’s complaint—which BetterHelp neither admits nor denies—from 2013 through 2020, BetterHelp developed, advertised and sold an online counseling service that matched users seeking therapy with BetterHelp’s therapists, and facilitated counseling through BetterHelp’s websites and apps. The complaint also stated that BetterHelp operated under a variety of names, some of which focused on particular groups of consumers, including teenagers and members of the LGBTQ+ community: Compile, Inc., MyTherapist, Teen Counseling, Faithful Counseling, Pride Counseling, iCounseling, ReGain, and Terappeuta. The company used intake questionnaires that collected sensitive personal information but stated directly, and in its privacy policies, that the company would share that information only with the therapists.
The FTC’s complaint claims that BetterHelp “continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements for the Service.” The complaint stated that BetterHelp had delegated most authority over advertising, including deciding which consumer-identifiable data to provide to social media platforms, to a recent college graduate. The FTC claims that BetterHelp did not provide proper training to this individual until 2021—after regulatory proceedings had begun.
The FTC’s complaint also states that the company would not only share the information with several social media sites (frequently agreeing to those sites’ standard terms), but also used the consumer information to retarget visitors with advertisements for the service, to find and target potential new users with advertisements, and to optimize BetterHelp’s advertisements. Although BetterHelp hashed users’ email addresses when providing them to third parties, the complaint alleges that BetterHelp knew that this hashing would not prevent the social media sites from reversing the hashing and obtaining the information about users (email addresses, IP addresses, and other information) and using it for their own purposes. The complaint also claimed that BetterHelp uploaded two million user email addresses directly to social media sites.
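The hashing point above is worth seeing concretely. The example below is added here and is not code from the post, from BetterHelp, or from the FTC’s complaint; the email addresses and the platform’s directory are constructed sample data, and the function names are hypothetical. It shows why an unkeyed hash of an email address gives no protection against a recipient that already holds a list of its own users: the recipient does not need to “reverse” anything, it simply hashes its own directory the same way and joins on the digest. The keyed variant at the end shows the trade-off: a tag the platform cannot recompute is unmatchable, which also makes it useless for ad targeting, so a hash that still supports matching is not anonymization.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the complaint): the sender's users
# and the recipient platform's own account directory, which overlap.
SENDER_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
PLATFORM_DIRECTORY = ["bob@example.com", "carol@example.com", "dave@example.com"]


def normalize(email: str) -> str:
    # Ad platforms typically require trimmed, lower-cased addresses so that
    # both sides compute identical digests for the same person.
    return email.strip().lower()


def sha256_hex(email: str) -> str:
    # Unkeyed hash: anyone who knows the input can recompute this.
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def export_hashed(emails):
    """What the sender ships to the platform: digests only, no plaintext."""
    return [sha256_hex(e) for e in emails]


def reidentify(hashed_export, directory):
    """The platform's side. It already knows its own users' addresses, so it
    hashes its directory with the same function and joins on the digest.
    Every user present in both lists is identified; nothing is 'reversed'."""
    lookup = {sha256_hex(e): normalize(e) for e in directory}
    return sorted(lookup[h] for h in hashed_export if h in lookup)


def export_keyed(emails, key: bytes):
    """Keyed alternative (hypothetical design, not what the complaint describes):
    HMAC-SHA256 under a secret the sender never shares."""
    return [
        hmac.new(key, normalize(e).encode(), hashlib.sha256).hexdigest()
        for e in emails
    ]


def reidentify_keyed(keyed_export, directory):
    """Without the key the platform cannot recompute the tags, so the only
    thing it can try, plain SHA-256 of its directory, matches nothing.
    The export is therefore unlinkable, and equally useless for matching."""
    lookup = {sha256_hex(e): normalize(e) for e in directory}
    return sorted(lookup[t] for t in keyed_export if t in lookup)


if __name__ == "__main__":
    print("unkeyed hash, matched:", reidentify(export_hashed(SENDER_USERS), PLATFORM_DIRECTORY))
    key = secrets.token_bytes(32)
    print("keyed tag, matched:", reidentify_keyed(export_keyed(SENDER_USERS, key), PLATFORM_DIRECTORY))
```

Run it and the first line lists the two overlapping users; the second is empty. The practical check for a privacy review is the question this code answers: can the party receiving the value recompute it from data it already has? If so, the hash is a formatting step, not a privacy control, and consent and disclosure obligations apply as if the plaintext had been sent.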
BetterHelp also displayed a HIPAA “seal” on its website, which the FTC claimed was an implied statement of HIPAA compliance. The complaint stated: “no government agency or other third party reviewed Respondent’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.”
The FTC complaint lists eight counts of alleged violations of Section 5 of the FTC Act: (1) unfair privacy practices; (2) failure to obtain affirmative express consent before collecting, disclosing, and using consumers’ health information; (3) failure to disclose use of health information for advertising and third parties’ uses; (4) failure to disclose use of health information for advertising; (5) privacy misrepresentation – disclosure of health information for advertising and third parties’ own uses; (6) privacy misrepresentation – use of health information for advertising; (7) privacy misrepresentation – disclosure of health information; and (8) privacy misrepresentation – HIPAA certification.
The proposed consent agreement includes not only the $7.8 million payment, but also provisions familiar to our readers: a prohibition on misrepresentations and third-party assessments. In addition, the company would be required to obtain a user’s affirmative express consent before disclosing personal information to any third party. BetterHelp would also have to require that the third parties delete the personal information they had received. Finally, the company would be required to notify users via email and to include a copy of the FTC’s complaint in that notice.
For the second time in approximately 30 days, the FTC has proposed requiring a company in a privacy-related matter to enact a data retention program that flatly prohibits perpetual (indefinite) data retention, as part of a $7.8 million settlement. Does your company’s retention policy permit permanent storage of personal data? When was the last time you reviewed your company’s record retention policy?