In the hierarchy of confidential data, health information ranks right up there. And in the hierarchy of health information, details about a person’s mental health may be among the most confidential. But according to the FTC, that’s not how online counseling service BetterHelp viewed it. The FTC says the company repeatedly pushed people to take an Intake Questionnaire and hand over sensitive health information through unavoidable prompts. And it promised to keep that information private through statements like: “Rest assured – any information provided in this questionnaire will stay private between you and your counselor.” But from the FTC’s perspective, a truthful statement would have been “Rest assured – we plan to share your information with major advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest.” A proposed FTC settlement with BetterHelp includes $7.8 million for partial refunds for BetterHelp customers and conveys an unmistakable message about just how seriously the FTC takes this kind of betrayal of trust.
BetterHelp offers online counseling services through that name and through specialized versions for particular audiences – for example, Pride Counseling for members of the LGBTQ community, Faithful Counseling for people of the Christian faith, Terappeuta for Spanish-speaking clients, and Teen Counseling for teenagers who enroll with parental permission.
Since BetterHelp was founded, more than two million people have signed up, entrusting the company with their personal information, much of it related to the status of their health – and their mental health. For example, the company’s Intake Questionnaire asked people to disclose if they’re “experiencing overwhelming sadness, grief, or depression,” if they’re having thoughts they “would be better off dead or hurting [themselves] in some way,” if they’re taking medication, and if they’ve been in therapy before.
To assuage concerns about revealing personal information online or through an app, BetterHelp made a variety of confidentiality promises to consumers. Visitors to the site were told at the outset that the company collected “general and anonymous background information about you and the issues you’d like to deal with in online therapy” so the person can be matched “with the most suitable therapist.” Although the exact wording changed over time, the company assured people that aside from a few narrow uses related to providing online counseling services, their private information would remain private. In addition, for more than three years, BetterHelp told people thinking about signing up for Faithful Counseling, Pride Counseling, or Teen Counseling that their email addresses would be “kept strictly private” and “never shared, sold or disclosed to anyone.”
Despite those promises, the FTC says BetterHelp used a wide variety of tactics to share the health information of over 7 million consumers with platforms like Facebook, Snapchat, Criteo, and Pinterest for the purpose of advertising. You’ll want to read the complaint for details, but here are just a few examples. In 2017, BetterHelp allegedly uploaded the email addresses of all current and former clients to Facebook – nearly 2 million in total – to target them with ads to refer their Facebook friends to BetterHelp for mental health services. During another period, the FTC says BetterHelp disclosed to Facebook for advertising purposes the previous therapy of 1.5 million people who visited or used BetterHelp’s site. The source of that information: their responses to the intake question “Have you been in counseling or therapy before?”
But that’s not all. According to the complaint, BetterHelp broke its privacy promises by disclosing to Snapchat the IP and email addresses of approximately 5.6 million former visitors to target them with BetterHelp ads. In addition, for a six-month period, the company disclosed to Criteo the email addresses of over 70,000 visitors – including people who had looked into Pride Counseling and Faithful Counseling. Similarly, for a one-year period, BetterHelp disclosed visitors’ email addresses to Pinterest. What was in it for BetterHelp? According to the complaint, “Using this health information for advertising, [BetterHelp] has brought in hundreds of thousands of new Users, resulting in millions of dollars in additional revenue.”
When a news site revealed in February 2020 that BetterHelp was sharing consumers’ health data with third parties, people complained to the company. As one person put it, “I have not given ANY consent to share my information with ANYONE. ESPECIALLY ads targeting my mental health ‘weakness.’” How did BetterHelp respond? The FTC says the company doubled down on deception by falsely denying it had shared consumers’ personal information – including their health information – with third parties.
The eight-count complaint details how the FTC says BetterHelp’s allegedly deceptive and unfair practices harmed consumers. The proposed order in the case will require BetterHelp to pay $7.8 million that will be used to provide partial refunds to people who signed up for and paid for BetterHelp’s services between August 1, 2017, and December 31, 2020. In addition, the proposed order prohibits BetterHelp from sharing consumers’ health data for advertising or sharing their personal information for re-targeting – serving ads to consumers who had visited the company’s site or used its app. The settlement also includes provisions to limit BetterHelp’s data sharing in the future. The company must contact affected consumers directly about the case and must direct third parties to delete consumers’ health and other personal data that BetterHelp shared with them. Once the proposed settlement is published in the Federal Register, you’ll have 30 days to file a public comment.
The case offers a key guidance point for other companies: Honor your privacy promises. Tell the truth and get consumers’ affirmative express consent before sharing any health information.
Here are other takeaways to take into consideration.
“Personal information” may be “health information” simply due to the nature of the product or service. Generally speaking, an email address might not be considered “health information” – unless, of course, the source of the information is a health-related service. In the case of BetterHelp, most people visited the site to seek mental health assistance. Therefore, just the fact that BetterHelp, Pride Counseling, or Faithful Counseling was the source of their email or IP address revealed highly sensitive information to third parties. The message for others in the industry: Context counts.
Institute policies, practices, and procedures to protect health information. As the FTC’s complaint makes clear, a lack of appropriate safeguards can lead to unfair and deceptive practices related to the collection, use, and disclosure of health information. For example, the complaint alleged that BetterHelp failed to have written policies and procedures for protecting the privacy of health information. And it failed to properly train and supervise employees that handled that health information. It also didn’t get consumers’ affirmative express consent before disclosing their health information to third parties and it failed to contractually limit those third parties from using the data for their own purposes.
Ditch deceptive design. As the complaint discusses in detail, while BetterHelp moved consumers through a series of prominent prompts in an effort to get them to turn over their personal information, the company put privacy “disclosures” behind hard-to-find and hard-to-read links. Even a portion of the website with a link to its privacy policy included this reassurance: “We never sell or rent any information you share with us.” Once BetterHelp made that promise, how likely is it that consumers would pursue the issue further? What’s more, the FTC says even if people were able to navigate to the company’s privacy policy, they still weren’t given the straight story about how BetterHelp turned over their highly personal information to advertising platforms.
“Slinging hash” won’t necessarily protect consumers’ personal data. Although BetterHelp hashed people’s email addresses before sharing them with third parties – in other words, converted them into a sequence of letters and numbers through a cryptographic tool – the hashing was done just to hide the addresses in case of a security breach. The FTC says BetterHelp knew that third parties like Facebook would effectively undo the hashing to reveal the email addresses of people who had gone to the BetterHelp site for mental health services. Once Facebook had those addresses, it would easily match them to the email of people with Facebook accounts. What can other companies learn from that example? Certainly there are instances where hashing may be called for, but it won’t protect the privacy of consumers’ information if third parties can un-hash the data.
Monitor data flows to all third parties your site or app may transmit to via web beacons, pixels, or other tracking technologies. It’s illegal to make privacy promises to consumers without taking into account any information that’s going to third parties through various forms of ad tech. It boils down to this: Don’t make privacy promises that your practices don’t live up to.
When it comes to conveying claims to consumers, a picture can be worth a thousand words. Almost all of BetterHelp’s pages displayed multiple seals from third parties. Among them was a depiction of the medical caduceus and the term “HIPAA.” The complaint alleges that BetterHelp’s use of that visual falsely signaled to consumers that a government agency or other third party had reviewed the company’s practices and determined they met HIPAA’s requirements. Have you checked your site recently for graphics that could send similar deceptive messages?
Until the FTC’s proposed settlement with BetterHelp is final, we can’t offer specifics about the refund process. Bookmark the FTC’s refund page and watch for more information.