Federal Trade Commission brings action to stop BetterHelp from revealing information, including mental health information, to Facebook & others for targeted advertising. FTC is seeking $7.8 million compensation.
March 14, 2023
With the Report of Proposed Reforms to the Privacy Act recently released, it is apposite that the Federal Trade Commission has recently announced that it is taking action against BetterHelp for sharing its consumers’ health information, including information about mental health problems, with Facebook and other platforms for advertising. The odious practice was well entrenched and longstanding, commencing in 2013 and not ending until the media reported on it in 2020. The nature of the data misuse is all the more appalling given that BetterHelp repeatedly promised to keep the data private. Instead it monetised the data to target those consumers and others for the service it provides. BetterHelp has reached a settlement with the FTC.
Arising from this action:
- the FTC makes it clear that an email or an IP address by itself can disclose private information about consumers, based on the entity sharing the data.
- the FTC regards a failure to obtain “affirmative express consent” for disclosure of health information to social media companies for advertising purposes to be an unfair practice.
Companies should:
- consider carefully whether any of their web pages or apps collect information that could be considered sensitive
- review their privacy policies and ensure they can be understood
- train employees regarding privacy
- develop policies and restrictions on how personal data must be protected
The terms imposed by the FTC are onerous and particularly swingeing compared to the relatively relaxed enforceable undertakings imposed in Australia.
The media was, as usual, scathing, with Fortune’s “Counseling service BetterHelp to return $7.8M to customers in FTC settlement after it shared private health data with Facebook and Snapchat” and Yahoo’s “Teladoc’s (TDOC) BetterHelp Faces FTC Hurdle, to Pay $7.8M”.
The media release provides:
The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.
This is the first Commission action returning funds to consumers whose health data was compromised. In addition, the FTC’s proposed order will ban BetterHelp from sharing consumers’ personal information with certain third parties for re-targeting—the targeting of advertisements to consumers who previously had visited BetterHelp’s website or used its app, including those who had not signed up for the company’s counseling service. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward.
“When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Instead, BetterHelp betrayed consumers’ most personal health information for profit. Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation.”
California-based BetterHelp offers online counseling services under several names, including BetterHelp Counseling. It also markets services aimed at specific groups such as Faithful Counseling focused on Christians, Teen Counseling, which caters to teens and requires parental consent, and Pride Counseling, which is targeted to the LGBTQ community. Consumers interested in BetterHelp’s services must fill out a questionnaire that asks for sensitive mental health information—such as whether they have experienced depression or suicidal thoughts and are on any medications. They also provide their name, email address, birth date and other personal information. Consumers are then matched with a counselor and pay between $60 and $90 per week for counseling.
At several points in the signup process, BetterHelp promised consumers that it would not use or disclose their personal health data except for limited purposes, such as to provide counseling services. Despite these promises, BetterHelp used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, according to the FTC’s complaint.
For example, the company used consumers’ email addresses and the fact that they had previously been in therapy to instruct Facebook to identify similar consumers and target them with advertisements for BetterHelp’s counseling service, which helped the company bring in tens of thousands of new paying users and millions of dollars in revenue.
According to the complaint, BetterHelp pushed consumers to hand over their health information by repeatedly showing them privacy misrepresentations and nudging them with unavoidable prompts to sign up for its counseling service. Despite collecting such sensitive information, BetterHelp failed to maintain sufficient policies or procedures to protect it and did not obtain consumers’ affirmative express consent before disclosing their health data. BetterHelp also failed to place any limits on how third parties could use consumers’ health information—allowing Facebook and other third parties to use that information for their own internal purposes, including for research and development or to improve advertising.
BetterHelp also misled users and the public in 2020 by falsely denying news reports that it revealed consumers’ personal information, including their health information, with third parties, according to the complaint.
The $7.8 million that BetterHelp must pay under the proposed order will be used to provide partial refunds to consumers who signed up for and paid for BetterHelp’s services between August 1, 2017, and December 31, 2020. In addition to banning BetterHelp from disclosing health information for advertising, the proposed order also prohibits the company from misrepresenting its sharing practices and requires it to:
- obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;
- put in place a comprehensive privacy program that includes strong safeguards to protect consumer data;
- direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them; and
- limit how long it can retain personal and health information according to a data retention schedule.
Interesting aspects of the complaint are:
- it operates 5 services:
- “BetterHelp” serves general audiences and has been in operation since 2013
- Faithful Counseling, in operation since July 2017, is aimed at consumers of the Christian faith
- Pride Counseling, in operation since August 2017, caters to the LGBTQ community
- Teen Counseling, in operation since January 2017, offers counseling to 13- to 18-year-olds with parental consent
- ReGain, in operation since May 2016, offers couples counseling
- Users pay $60 to $90 per week for counseling through the Service [11]
- to sign up for the Service and become a paying user an individual must fill out a questionnaire answering detailed questions about his/her mental health [11]
- BetterHelp has added:
- over 118,000 U.S. Users in 2018,
- over 158,000 U.S. Users in 2019, and
- over 641,000 U.S. Users in 2020.
- since its inception, BetterHelp has signed up over 2 million Users, and, currently has over 374,000 active Users in the United States.
- BetterHelp earned over $345 million in revenue in 2020, and over $720 million in revenue in 2021
- from 2018 to 2020, BetterHelp used these consumers’ email addresses and the fact that they had previously been in therapy to instruct Facebook to identify similar consumers and target them with advertisements for the Service [5]
- BetterHelp handed over personal information to numerous third-party advertising platforms, including Facebook, Pinterest, Snapchat, and Criteo, often permitting these companies to use the information for their own research and product development as well [6]
- BetterHelp did not:
- employ reasonable measures to safeguard the health information it collected from consumers,
- properly train its employees on how to protect the information when using it for advertising,
- properly supervise its staff in the use of the information,
- provide consumers with proper notice as to the collection, use, and disclosure of their health information, or
- limit contractually how third parties could use consumers’ health information, instead merely agreeing to their stock contracts and terms [7]
- in 2017, BetterHelp delegated most decision-making authority over its use of Facebook’s advertising services to a Junior Marketing Analyst who:
- was a recent college graduate,
- had never worked in marketing,
- had no experience and little training in safeguarding consumers’ health information when using that information for advertising, and
- had carte blanche to decide which Visitors’ and Users’ health information to upload to Facebook and how to use that information [16].
- It wasn’t until 2021 that BetterHelp gave privacy training specific to its business or advertising.
- since 2013 BetterHelp used Visitors’ and Users’:
- email addresses,
- IP addresses,
- enrollment in the Service, and certain Intake Questionnaire responses
for various advertising purposes, including
(1) re-targeting Visitors with advertisements for the Service;
(2) using Users’ health information to find and target potential new Users with advertisements—on the basis that these potential new Users were likely to sign up for the Service because they shared traits with current Users; and
(3) optimizing Respondent’s advertisements, which involved targeting advertisements at individuals with attributes similar to those that had previously responded to Respondent’s ads, such as new Users.
- between 2017 and 2018, BetterHelp uploaded lists of over 7 million Visitors’ and Users’ email addresses to Facebook. Facebook matched over 4 million of these Visitors and Users with their Facebook user IDs, linking their use of the Service for mental health treatment with their Facebook accounts
- in January 2019, BetterHelp disclosed to Snapchat the IP addresses and email addresses of approximately 5.6 million Visitors to re-target them with advertisements for the Service [55].
- from July 2018 to January 2019, Respondent disclosed the email addresses of over 70,000 Visitors—including Pride Counseling and Faithful Counseling Visitors—to Criteo in order to re-target them with advertisements.
- from August 2019 to September 2020, Respondent disclosed Visitors’ email addresses to Pinterest for advertising [55]
- from November 2017 to October 2020, BetterHelp used information concerning approximately 600,000 Pride Counseling Visitors’ or Users’ mental health statuses and their connection with the Visitors’ and Users’ LGBTQ identities to optimize future advertisements for the Service on Facebook [56]
- BetterHelp did not contractually limit how the third parties could use and disclose the data other than merely agreeing to these third parties’ general terms of service, which either placed no restrictions on the third parties’ use and disclosure of the information or specifically permitted the third parties to use the information for their own purposes [57].
- following the February 2020 publication of news reports that BetterHelp was sharing consumers’ health information with third parties, including Facebook, numerous Users contacted it and voiced their anger about the disclosures [62]. In response, BetterHelp scripted false responses to customers stating:
(1) “At BetterHelp, we are fully committed to protecting data and will not pass any P[ersonally] I[dentifiable] I[nformation] and/or P[rotected] H[ealth] I[nformation] to external entities including our third party partners;” and
(2) “your P[rotected] H[ealth] I[nformation] and P[ersonally] I[dentifiable] I[nformation] is protected and not exposed” to Facebook
The FTC alleges the following unreasonable privacy practices:
a. failed to develop, implement, or maintain written organizational standards, policies, procedures, or practices with respect to the collection, use, and disclosure of consumers’ health information, including ensuring that Respondent’s practices complied with its privacy representations to consumers;
b. failed to provide adequate guidance or training for employees or third-party contractors concerning properly safeguarding the privacy of consumers’ health information in connection with the collection, use, and disclosure of that information;
c. failed to properly supervise employees with respect to their collection, use, and disclosure of consumers’ health information;
d. failed to obtain Visitors’ and Users’ affirmative express consent to collect, use, and disclose their health information for Respondent’s advertising, as well as for third parties’ own purposes, such as research and improvement of their own products; and
e. failed to contractually limit third parties from using Visitors’ and Users’ health information for their own purposes, including but not limited to research and improvement of their own products, when Respondent did not provide Visitors and Users notice or obtain their consent for such uses.
The proposed order, running to 48 pages, provides:
- BetterHelp and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are prohibited from disclosing to a Third Party for the purposes of advertising, marketing, promoting, offering, offering for sale, or selling any product or service: (1) Treatment Information; and (2) Covered Information for the purpose of targeting the consumer to which the disclosed information pertains
- BetterHelp must not misrepresent (or assist another in misrepresenting) in any manner, expressly or by implication:
A. the extent to which Respondent collects, maintains, uses, discloses, Deletes, or permits or denies access to any Covered Information, or the extent to which Respondent protects the privacy, security, availability, confidentiality, or integrity of any Covered Information;
B. the purpose(s) for which Respondent, or any entity to whom Respondent discloses or permits access to Covered Information, collects, maintains, uses, discloses, or permits access to any Covered Information;
C. the extent to which a consumer can maintain privacy and anonymity when visiting or using any online properties, services, or mobile applications associated with Respondent;
D. the extent to which consumers may exercise control over Respondent’s collection of, maintenance of, use of, Deletion of, disclosure of, or permission of access to, Covered Information, and the steps a consumer must take to implement such controls; and
E. the extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security or any other compliance program sponsored by a government or any self-regulatory or standard-setting organization, including the Digital Advertising Alliance, the Digital Advertising Accountability Program, or any entity that certifies compliance with HIPAA; and
F. the extent to which Respondent is a HIPAA-covered entity, and the extent that Respondent’s privacy and information practices are in compliance with HIPAA requirements
- within 90 days provide a copy of the Complaint and Order and notify all Third Parties that the Federal Trade Commission alleges that BetterHelp disclosed Information of consumers to them in a manner that was unfair or deceptive and in violation of the FTC Act, and instruct them to Delete all Information accessed, received, or acquired from BetterHelp without a consumer’s Affirmative Express Consent.
- within 60 days establish and implement, and thereafter maintain, a comprehensive privacy program (“Privacy Program”) that protects the privacy, security, availability, confidentiality, and integrity of information which must include:
A. document in writing the content, implementation, and maintenance of the Privacy Program;
B. provide the written program and any evaluations thereof or updates thereto to the Covered Business’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the Covered Business’s Privacy Program at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;
C. designate a qualified employee or employees, who report(s) directly to an executive, such as the Chief Executive Officer, Chief Compliance Officer, or Chief Legal Officer, to coordinate and be responsible for the Privacy Program; and keep the executive and the Board of Directors informed of the Privacy Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order;
D. assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks in each area of the Covered Business’s operations to the privacy, security, availability, confidentiality, and integrity of Covered Information that could result in the unauthorized access, collection, use, destruction, or disclosure of, or provision of access to, Covered Information;
E. design, implement, maintain, and document safeguards that control for the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information identified by the Covered Business in response to sub-Provision VI.D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, Deletion, disclosure of, or provision of access to, the Covered Information. Such safeguards must also include:
1. policies, procedures, and technical measures to systematically inventory Covered Information in the Covered Business’s control and Delete Covered Information that is no longer reasonably necessary and in accordance with applicable retention laws and regulations;
2. policies, procedures, and technical measures to prevent the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information inconsistent with the Covered Business’s representations to consumers;
3. audits, assessments, and reviews of the contracts, privacy policies, and terms of service associated with any Third Party to which the Covered Business discloses, or provides access to, Covered Information;
4. policies and technical measures that limit employee and contractor access to Covered Information to only those employees and contractors with a legitimate business need to access such Covered Information;
5. mandatory privacy training programs for all employees on at least an annual basis, updated to address the collection, use, and disclosure of Covered Information for advertising purposes; any internal or external risks identified by Respondent in sub-Provision VI.D; and safeguards implemented pursuant to sub-Provision VI.E, that include training on the requirements of this Order;
6. a data retention policy that, at a minimum, includes:
a. a retention schedule that limits the retention of Covered Information for only as long as is necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be Deleted, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order; and
b. a requirement that Respondent documents, adheres to, and makes publicly available on its terms of service/use a retention schedule for Covered Information, setting forth: (1) the purposes for which the Covered Information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a set timeframe in accordance with applicable laws and regulations for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumers) that precludes indefinite retention of any Covered Information;
7. for each product or service, policies and procedures to document internally the decision to collect, use, Delete, disclose, or provide access to, each type of Covered Information. Such documentation should include: (a) the name(s) of the person(s) who made the decision; (b) for what purpose the type of Covered Information is being collected; (c) the data segmentation controls in place to ensure that the Covered Information collected is only used and/or disclosed for the particular purpose(s) for which it was collected; (d) the data retention limit set and the technical means for achieving Deletion; (e) the safeguards in place to prevent unauthorized disclosure of each type of Covered Information; and (f) the access controls in place to ensure only authorized employees with a need-to-know have access to the Covered Information;
8. audits, assessments, reviews, or testing of each mechanism by which the Covered Business discloses Covered Information to a Third Party or provides a Third Party with access to Covered Information (including but not limited to web beacons, pixels, and Software Development Kits); and
9. for each product or service offered by any Covered Business, Clearly and Conspicuously disclose the categories of Covered Information collected from consumers, the purposes for the collection of each category of Covered Information, and any transfer of Covered Information to a Third Party. For each such transfer of Covered Information, the disclosure must, at a minimum, include: (a) the specific categories of Covered Information transferred; (b) the identity of each Third Party receiving the transfer; (c) the purposes for which the Covered Business transferred the Covered Information; (d) the purposes for which each Third Party receiving the Covered Information may use the Covered Information, including but not limited to the purposes for the Third Party reserves the right to use such Covered Information; and (e) whether each Third Party receiving the transfer of Covered Information reserves the right to transfer the Covered Information to other entities or individuals.
F. assess, at least once every 12 months, and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information, and modify the Privacy Program based on the results;
G. test and monitor the effectiveness of the safeguards at least once every 12 months, and promptly (not to exceed 30 days) following a Covered Incident, and modify the Privacy Policy based on the results;
H. select and retain service providers capable of safeguarding Covered Information they receive from the Covered Business, and contractually require service providers to implement and maintain safeguards for Covered Information; and
I. evaluate and adjust the Privacy Program in light of any material changes to the Covered Business’s operations or business arrangements, the results of the testing and monitoring required by sub-Provision VI.G, a Covered Incident, and any other circumstances that the
- BetterHelp must obtain initial and biennial assessments
- BetterHelp must provide the FTC with certification each year for 10 years.
- BetterHelp must pay to the FTC $7,800,000
- an independent redress administrator (“Administrator”) shall be appointed to assist with the efficient administration of consumer redress
- BetterHelp must create certain records for 20 years and retain each such record for 5 years being:
A. accounting records showing the revenues from all products or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;
B. personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;
C. copies or records of all consumer complaints and refund requests concerning the collection, use, maintenance, disclosure, deletion, or permission of access to Covered Information, whether received directly or indirectly, such as through a Third Party, and any response;
D. records of all disclosures of consumers’ Covered Information to Third Parties showing, for each Third Party that received Covered Information, the name and address of the Third Party, the date(s) of such disclosures, the purpose(s) for which the Covered Information was transferred, and how and when Respondent obtained consumers’ Affirmative Express Consent for the disclosures in accordance with Provision II;
E. a copy of each unique advertisement or other marketing material making a representation subject to this Order;
F. a copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security, availability, confidentiality, or integrity of any Covered Information, including any representation concerning a change in any website or other service controlled by BetterHelp that relates to the privacy, security, availability, confidentiality, or integrity of Covered Information;
G. for 5 years after the date of preparation of each Assessment all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment;
H. for 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to BetterHelp’s compliance with this Order;
I. for 5 years from the date created or received, all records, whether prepared by or on behalf of BetterHelp, that tend to show any lack of compliance by Respondent with this Order; and
J. all records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.
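Safeguard 8 of the proposed order requires testing of each mechanism (web beacons, pixels, SDKs) by which Covered Information reaches a Third Party, and safeguard 9 requires a per-Third-Party disclosure inventory. The following is an added example, not BetterHelp’s or the FTC’s code, of what such a test can look like in practice: it walks a captured set of outbound browser requests and flags those that carry an email address, an IP address or questionnaire-style fields to a non-first-party host, and also flags beacons fired from pages whose mere visit is revealing (the point the complaint makes about Pride Counseling visitors). The hostnames, page paths, parameter names and the sample capture are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Hosts treated as first party (assumed names for this example).
FIRST_PARTY_HOSTS = {"counseling.example"}

# Pages whose mere visit discloses something sensitive: which service the
# consumer is considering, or that they are completing a health questionnaire.
SENSITIVE_PAGE_PREFIXES = ("/intake", "/questionnaire", "/pride", "/faithful", "/teen")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
# Parameter-name fragments suggesting questionnaire answers or enrollment status
# (assumed; real pixels and SDKs use their own parameter names).
HEALTH_HINTS = ("intake", "questionnaire", "depress", "suicid", "medication",
                "therapy", "enrolled", "diagnos")


@dataclass(frozen=True)
class Finding:
    page: str       # first-party page that fired the request
    host: str       # third party receiving it
    field: str      # parameter name, or "(page context)" when no field is needed
    category: str   # email, ip_address, health, or page_context


def is_third_party(host, first_party=FIRST_PARTY_HOSTS):
    """True unless host is a first-party host or a subdomain of one."""
    return not any(host == fp or host.endswith("." + fp) for fp in first_party)


def classify_field(name, value):
    """Return the disclosure category of one parameter, or None if benign."""
    text = str(value)
    lname = name.lower()
    if EMAIL_RE.match(text) or lname in ("email", "em", "user_email"):
        return "email"
    if IPV4_RE.match(text) or lname in ("ip", "client_ip"):
        return "ip_address"
    if any(hint in lname for hint in HEALTH_HINTS):
        return "health"
    return None


def audit_requests(requests, first_party=FIRST_PARTY_HOSTS):
    """Flag every third-party request that discloses Covered Information."""
    findings = []
    for req in requests:
        host = req["host"]
        if not is_third_party(host, first_party):
            continue
        page = req["page"]
        for name, value in req.get("fields", {}).items():
            category = classify_field(name, value)
            if category:
                findings.append(Finding(page, host, name, category))
        # A beacon fired from a sensitive page discloses the visit itself: the
        # receiver learns the visitor's IP address and the page it came from,
        # even when no explicit parameter is sent.
        if page.startswith(SENSITIVE_PAGE_PREFIXES):
            findings.append(Finding(page, host, "(page context)", "page_context"))
    return findings


def disclosure_inventory(findings):
    """Map each third party to the sorted categories of data it receives."""
    inventory = {}
    for f in findings:
        inventory.setdefault(f.host, set()).add(f.category)
    return {host: sorted(cats) for host, cats in inventory.items()}


# Constructed sample capture: the shape a proxy or HAR export reduces to.
SAMPLE_REQUESTS = [
    {"page": "/", "host": "cdn.counseling.example", "fields": {"v": "1"}},
    {"page": "/intake/step-3", "host": "pixel.adnetwork.example",
     "fields": {"em": "alice@example.org", "intake_q7": "depressed_often"}},
    {"page": "/pride", "host": "beacon.social.example", "fields": {"ev": "PageView"}},
    {"page": "/pricing", "host": "beacon.social.example", "fields": {"ev": "PageView"}},
    {"page": "/signup", "host": "tracker.retarget.example", "fields": {"client_ip": "203.0.113.7"}},
]

if __name__ == "__main__":
    results = audit_requests(SAMPLE_REQUESTS)
    for f in results:
        print(f"{f.category:12} {f.page:16} -> {f.host} [{f.field}]")
    print(disclosure_inventory(results))
```

Run against a real capture, the inventory is the per-Third-Party list of data categories that safeguard 9 requires the business to disclose, and any category appearing there without a matching consent record is a finding for the audit.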