The Federal Trade Commission (FTC) has fined online therapy provider BetterHelp $7.8 million over the sharing of personal information with advertisers. The case can teach us a lot about how the regulation of privacy and cookies are evolving in the US.
The US has no generally-applicable federal privacy law, and the FTC doesn’t reference any state privacy law in its complaint. BetterHelp is also not covered by the Health Insurance Portability and Accountability Act (HIPAA).
Despite this weak regulatory framework, the FTC built a strong case against BetterHelp, alleging that the company shared users’ sensitive health information with third parties without proper notice or consent.
This article explores where BetterHelp went wrong and what the FTC’s order means for all businesses operating in the US.
What Is BetterHelp?
BetterHelp is a US-based provider of remote therapy and counselling services. The company trades under various other names, including MyTherapist, Faithful Counseling, and Pride Counseling.
The FTC’s sanction against BetterHelp comes just weeks after a similar case involving GoodRx, a prescription drug discount app also accused of sharing health data with advertisers.
These decisions confirm that the FTC is taking cookie and tracking violations increasingly seriously, particularly where health data is involved.
Repeated False Promises
The FTC says that BetterHelp “repeatedly promised” to keep its customers’ data private and to only use data for providing its therapy services.
Here’s an example: When setting up an account with BetterHelp, the app requested information about users’ medication. The app displayed text reading: “Rest assured—your health
information will stay private between you and your counsellor” (BetterHelp removed this text in October 2021).
Another example: When requesting users’ email addresses, a notice stated that the data would be “kept strictly private” and “never shared, sold, or disclosed to anyone.”
The company’s cookie banner also stated that BetterHelp would “never sell or rent any information.”
The FTC says that BetterHelp broke these and other promises.
Sharing Data With Advertisers
Because of the nature of BetterHelp’s services, the FTC argues that data identifying people as BetterHelp customers can qualify as “health information”. The sensitive nature of health information can make privacy violations more serious.
The FTC’s complaint says BetterHelp shared data with Facebook, Pinterest, Snapchat, and Criteo, among others. These platforms provide advertising services and typically collect data via cookies and other tracking technologies.
The FTC also strongly criticizes how BetterHelp shared its customers’ email addresses.
The company shared users’ email addresses with Facebook together with an indication of the fact that the user had been in therapy. Facebook used this information to target similar users with BetterHelp ads.
BetterHelp also shared the contents of its users’ “Intake Questionnaires” with advertisers. The questionnaire asked users highly intimate questions, such as whether they had received therapy or taken medication. This data was later used for ad-targeting purposes.
Other data reportedly sold by BetterHelp included information about people’s sexuality and religion.
$7.8 million fine and targeted advertising ban
The FTC sanctioned BetterHelp under the FTC Act, which prohibits deceptive or misleading commercial practices.
BetterHelp must pay $7.8 million in partial refunds to some customers (the first order of this kind in an FTC order). The company is permanently banned from sharing personal information for advertising purposes.
The FTC has also ordered BetterHelp to:
- Get consent before sharing personal information with some third parties (for any purpose).
- Implement a privacy program to help safeguard user data.
- Require third parties to delete data received from BetterHelp.
- Implement a retention schedule for systematically deleting personal information.
What we can learn from the BetterHelp case
Using cookies and other advertising technologies is not illegal—even for healthcare providers or similar services.
If BetterHelp had provided transparent information about its practices and requested consent where appropriate, the company might not have been investigated by the FTC. BetterHelp might also have avoided some serious reputational damage.
The FTC’s action against BetterHelp reiterates some other important points that every business should understand:
- While the US does not have a generally-applicable federal privacy law, consumers still have privacy protections under consumer law.
- The FTC considers that a business might be misleading its users if it promises not to “sell” personal information but then collects and sells data via cookies.
- If data about a user can be associated with their use of a healthcare provider, that information might be considered “health data”, warranting special protection.