FTC to Advertisers: We’re Tracking Your Use of Health Information
For the second time in as many months, the Federal Trade Commission (FTC) last week announced a settlement alleging that a company’s use and disclosure of consumers’ health information for online advertising violated the law. The BetterHelp settlement indicates that the FTC takes a broad view of what constitutes “health information,” but it raises questions about how the FTC will apply its reinterpretation of the Health Breach Notification Rule under its September 2021 policy statement.
Overview of the FTC’s Broad View of “Health Information”
BetterHelp is an online counseling service that has registered more than 2 million users since its 2013 inception. When a consumer visits the site, the FTC alleges that she is “immediately prompted to begin” Better Help’s intake questionnaire that asks questions about the consumer’s history of therapy, current mental state, and religious beliefs among other characteristics, and then provides an email address and other information to create an account.
According to the FTC’s complaint, the company violated the FTC Act through its use of advertising pixels or web beacons and by uploading consumers’ “health information” to ad platforms for retargeting and to reach additional prospects. In the FTC’s view, the “health information” that BetterHelp disclosed not only included information about consumers’ past use or current enrollment in the company’s services but also their interest in obtaining therapy. This information was sufficient to “reveal” that consumers were “seeking mental health treatment.”
Specifically, the FTC alleges that the company disclosed consumers’ email addresses, IP addresses, and information about their interest or enrollment in BetterHelp’s services. For instance, BetterHelp made available certain “event” information, such as when consumers “answered certain questions . . . in a certain way” or “when” they enrolled in the company’s services. The FTC also alleges that the company disclosed the contents of certain intake questionnaire responses, such as whether an individual had previously been in counseling and how they answered questions about their financial status.
The complaint implicitly rejects counterarguments that the identifiers at issue were not “personal” information in the first place. For example, BetterHelp “hashed” consumers’ email addresses – converting email addresses “into a sequence of letters and numbers through a cryptographic tool.” The complaint asserts that ad platforms were able to “effectively undo” the hashing and match the underlying email addresses with platform user IDs. The complaint also states, without explanation or qualification, that IP addresses are sufficient to identify individuals, at least within the context of BetterHelp’s practices. The complaint points to a variety of BetterHelp’s past privacy representations, including that the company would “never sell or rent any information you share with us” and that it would share only “anonymous background information” about users. As a result, the FTC alleges, BetterHelp injured consumers and broke its promises that it would not share certain information with third parties or use it for advertising purposes.
No Violation of the Health Breach Notification Rule
Count I of the FTC’s complaint is based on unfairness; it contends that BetterHelp’s failure to employ reasonable measures to protect health information “result[ed] in the improper and unauthorized disclosure of that information to numerous third parties,” which “caused or [is] likely to cause substantial injury to consumers.” To a casual reader, these allegations might seem like they are describing the breach of health information. The FTC, however, did not allege that BetterHelp violated the Health Breach Notification Rule (HBNR). Commissioner Wilson’s concurring statement explains that there are at least two reasons the Commission decided against pursuing an HBNR count: (1) BetterHelp’s conduct ended before the FTC issued its September 2021 HBNR Policy Statement (which we wrote about here); and (2) BetterHelp’s service does not include “records that can be drawn from multiple sources,” as required by the HBNR. This leaves us to wonder whether companies operating in the health space will know whether their apps or services are drawing from multiple sources, subjecting them to potential liability under the HBNR?
The FTC’s Theories of Unfairness
The FTC’s complaint advances at least two theories of consumer injury. First, the complaint alleges that BetterHelp’s disclosure of mental health-related information “is likely to cause [consumers] stigma, embarrassment, and/or emotional distress” and “may also affect [their] ability to obtain and/or retain employment, housing, health insurance, or disability insurance.” Although mental health treatment has been long recognized as deserving special protection, the FTC’s allegations do not distinguish between a consumer’s interest in BetterHelp and the fact that they are receiving mental health services from BetterHelp. This distinction is significant in advertising industry standards and practices, but the FTC’s complaint does not recognize the distinction and offers no limiting principle to apply in other settings or with different types of health information.
Second, the FTC alleges that consumers who enrolled in BetterHelp’s services suffered financial injury. Consumers allegedly paid a “price premium” for the company’s services based on its privacy representations, and “would not have been willing” to pay the going rate for these services had they fully understood the company’s data practices.
These theories of harm underlie the FTC’s two unfairness claims, but the claims do not track with the alleged different injuries. Instead, Count I alleges that BetterHelp’s overall “fail[ure] to employ reasonable measures to protect consumers’ health information” – including insufficient training and third-party contractual data use limitations, and the lack of opt-in consent – was overall unfair. Separately, Count II of the complaint charges that BetterHelp was required to have obtained affirmative express consent before “collecting, using, and disclosing” this information to third parties.
As part of its settlement, BetterHelp will pay $7.8 million. The proposed settlement order describes the settlement funds as payable to an FTC redress fund, which the FTC explains it will use to “provide partial refunds to people who signed up for and paid for BetterHelp’s services between August 1, 2017 and December 31, 2020.” The legal theory for this relief is not described in the settlement package, although the complaint described the “price premium” BetterHelp theoretically charged for its alleged deceptive privacy assurances. While the Supreme Court’s holding in AMG Capital Management v. FTC prevents the FTC from using its Section 13(b) authority for monetary remedies, parties are free to agree to settlement terms, including regarding redress.
The FTC is signaling through this settlement and recent actions that using consumer information related to health for advertising purposes without at least enhanced notice and consent risks violations of Section 5. Companies offering health-related products or services should consider:
- If you have a full inventory of the information you’re sharing with third parties through pixels or otherwise.
- Whether you are defining “health information” consistently with where the FTC is drawing lines today.
- Will your existing consumer disclosures withstand the close scrutiny of a regulatory review. For example, do you promise anonymity or privacy?