March 20, 2023

For the first time, FTC orders company to compensate consumers for health data compromise

On March 2, 2023, the US Federal Trade Commission (“FTC”) issued a proposed consent order against BetterHelp, Inc.—which operates an online platform that provides consumers access to mental health counseling services—over its sharing of consumers’ personal and health data, conduct the FTC alleges violated the FTC Act.  The proposed consent order includes a first-of-its-kind restitution provision, requiring BetterHelp to pay $7.8 million into a fund for consumer redress and to appoint an independent redress administrator.

The FTC’s complaint alleges that BetterHelp pressed consumers to provide sensitive health information, but failed to maintain adequate policies or procedures to safeguard that information, to train its staff on how to protect such data, or to contractually limit how third parties could use consumers’ health information.  The complaint further alleges that, between 2013 and 2020, BetterHelp disclosed consumers’ sensitive health information, along with their IP and email addresses, to third-party advertising platforms, despite assurances on BetterHelp’s platform to the contrary.

In addition to the monetary redress, the proposed consent order prohibits BetterHelp from disclosing consumer data to any third party for the purpose of promotion, advertisement, or sale; requires consumer consent before any personal information (not limited to health or treatment information) is disclosed to third parties for any purpose; and prohibits misrepresenting the purpose(s) for which it collects, maintains, uses, or discloses consumers’ personal information, as well as the extent to which the company complies with applicable regulations or is certified by government or self-regulatory organizations.  The proposed consent order also requires BetterHelp to direct third parties to destroy previously shared personal data, and to notify consumers of the FTC’s allegations regarding the use of their data.

In addition to these provisions, the agreement mandates the implementation and maintenance of a comprehensive, written privacy program, including the appointment of a qualified employee to oversee the program and annual certifications of compliance by senior corporate managers, to be submitted for ten years.  The agreement also requires the engagement of a qualified, independent third-party assessor, who must submit regular assessment reports for twenty years.

FTC press release | Complaint | Agreement containing consent order