On the heels of its $1.5 million enforcement action against GoodRx, the FTC is back with an enforcement action against BetterHelp, an online mental health counseling service. This time the price tag will be $7.8 million, according to the FTC’s proposed settlement order. Additional requirements imposed on BetterHelp under that order would include a ban on disclosing certain information for advertising purposes, rigorous consumer consent requirements, and the implementation of a comprehensive privacy program.
The FTC’s complaint against BetterHelp, as in the GoodRx case, is focused on the company’s advertising activities, which involved disclosures of consumers’ health information to Meta and other digital advertising companies. But unlike the GoodRx action, the FTC did not rely on the Health Breach Notification Rule as the basis for its claims, relying instead on alleged violations of Section 5 of the FTC Act under both the deception and unfairness prongs.
- The alleged “deceptive” conduct included using and disclosing health information for advertising purposes despite representations in its privacy policy to the contrary. The FTC also dinged BetterHelp for disclosing certain health information that BetterHelp represented would only be disclosed to the consumers’ therapists. And as in GoodRx, the FTC claimed that posting a HIPAA-related seal on BetterHelp’s websites amounted to a misrepresentation that a government agency or other party had reviewed BetterHelp’s practices and determined that they comply with HIPAA.
- The alleged “unfair” conduct included failing to obtain “affirmative express consent” before collecting, using, and disclosing consumers’ health information to “third parties” and failing to provide appropriate training to its personnel, among other practices.
The obvious takeaway is that the FTC remains focused on targeted advertising, particularly when it involves the processing of sensitive personal information. But a deeper dive into the complaint and proposed settlement reveals that the case could have broader implications for companies’ collection of sensitive information from consumers and disclosures of that information to business partners and service providers.
The FTC continues to ramp up enforcement of its affirmative express consent requirements.
Longtime privacy law practitioners may recall an early discussion of an “affirmative express consent” requirement in the FTC’s 2012 publication Protecting Consumer Privacy in an Era of Rapid Change. There, the FTC asserted that companies should obtain affirmative express consent before, among other things, collecting “sensitive data,” including health information. Fast forward about a decade and we see the FTC expanding this concept and applying it with increasing frequency.
In the BetterHelp complaint, the FTC alleged that failing to obtain consumers’ affirmative express consent to collect, use, and disclose health information for advertising purposes was an unfair trade practice. This allegation is fairly similar to what we saw in the GoodRx enforcement action. But here the FTC also alleged that BetterHelp’s failure to obtain affirmative express consent to collect, use, and disclose consumers’ health information for “third parties’ own purposes, such as research and improvement of their own products” was unfair.
That allegation is notable because the FTC went out of its way to call out secondary data uses that service providers who might receive and process data on behalf of their customers often take for granted. As discussed below, the BetterHelp complaint suggests the FTC will apply closer scrutiny to disclosures of sensitive information to determine whether a data recipient is bound by appropriate restrictions with regard to its use of that information or has rights to use the data for its own benefit.
Companies should review the consent requirements imposed on BetterHelp and other defendants to determine whether their consent mechanisms align with the FTC’s affirmative express consent expectations for collection, use, and disclosure of sensitive personal information.
Back in 2012, the FTC provided minimal guidance on how to meet the affirmative express consent standard. Enforcement actions and settlements over the years have fleshed out the agency’s expectations. Although each settlement is tied to a specific party’s alleged misconduct, and the conditions may not necessarily represent the FTC’s general expectations for all companies, it is worth considering the consent standard imposed on BetterHelp in the proposed settlement. That standard requires the company to provide the following disclosures to consumers when it obtains their affirmative express consent:
- The categories of information that will be collected.
- The specific purposes for which the information is being collected, used, or disclosed.
- The names or categories of third parties collecting the information or to which the information is disclosed. If categories of third parties are disclosed instead of specific names, the disclosure must include a link to a separate page listing the names of the third parties.
- A “simple, easily located” means of withdrawing consent.
- Any limitations on the ability to withdraw consent.
Disclosing the names of third parties to consumers could be particularly challenging for some companies, and when it comes to disclosures to third parties in the ad-tech ecosystem, it could be difficult to even identify them all. And if the third parties change, new consent may be required. Implementing a consent withdrawal mechanism could also be burdensome.
The proposed settlement makes clear that, after providing the necessary disclosures to the consumer, the consumer must consent through a clear affirmative action. The FTC appears to be looking for something along the lines of checking a box and clicking an “I accept” button. Inferring consent from “[c]losing . . . a given piece of content,” for example, would not be sufficient. Browse-wrap is definitely out.
The enforcement action signals that the FTC will scrutinize downstream parties’ data use rights and perhaps associated contract language. Companies should review service providers’ data use rights and associated contracts to determine whether they trigger affirmative express consent requirements.
The BetterHelp complaint and proposed settlement make clear that the FTC is not just concerned with advertising-related disclosures. In numerous places, the FTC highlighted data recipients’ secondary data use rights. In its complaint, for example, the FTC dinged the company for failing to “contractually limit third parties from using [consumer’s] health information for their own purposes, including . . . to research and improve] . . . their own products, when [BetterHelp] did not provide [consumers] notice or obtain their consent for such uses.”
The FTC also admonished BetterHelp for “merely agreeing to [third parties’] stock contracts and terms.” That statement does not augur well for companies without the leverage to force service providers and other business partners to modify standard terms and clickthrough agreements.
The proposed settlement agreement provides some clues as to what types of entities qualify as a “third party,” such that disclosures of sensitive personal information to those third parties would require affirmative express consent. Similar to the framework set up by the CCPA and other comprehensive state privacy laws, there is a carveout for service providers. But to qualify for “service provider” status, an organization cannot use personal information other than to provide the services specified in its customer agreement. Additionally, the service provider must pass data use limitations down to its subcontractors via contract. If these requirements are not met, the organization may become a “third party” for purposes of the FTC’s affirmative express consent analysis—triggering the affirmative express consent requirement. Fortunately, the definition of third party includes a few additional carveouts, including for using data to comply with law and “undertake internal research for the technological development and demonstration of [the data recipient’s] . . . products or services.”
Given how the FTC’s settlement with BetterHelp defines “third parties,” companies disclosing sensitive personal information to service providers should carefully evaluate their relationships and agreements with those parties to determine whether the FTC may actually consider these service providers to be “third parties” such that the agency’s affirmative express consent requirement is triggered.
* * *
As the BetterHelp case makes clear, targeted advertising disclosures and processing will continue to be an enforcement priority for the FTC. But the case also provides insights into the FTC’s expectations regarding its affirmative express consent doctrine and service provider contracts. We shouldn’t necessarily assume that the allegations in the complaint and, in particular, the remedial requirements imposed on BetterHelp by the proposed settlement order reflect the standards that the FTC would apply in every scenario. But companies engaged in the processing of sensitive personal information should take note and carefully evaluate whether they need to update their practices in light of recent enforcement trends.