Privacy & Information Security Law Blog

On March 2, 2023, the FTC announced a proposed order against BetterHelp, Inc., an online mental health counseling service, for sharing consumer data, including sensitive mental health information, with third parties for targeted advertising and other purposes. The FTC’s proposed order is notable, in that it is the first such order that would return funds to consumers whose health data was affected.

As alleged in the FTC’s complaint, BetterHelp induced consumers to enroll in the service and provide their sensitive health information through privacy misrepresentations and unavoidable prompts. BetterHelp allegedly promised to keep users’ information private, with statements such as, “Rest assured – any information provided in this questionnaire will stay private between you and your counselor,” and stating in its privacy policy that it would only use and disclose email address and IP address data for limited purposes, not including advertising. The FTC alleged that, contrary to these representations, BetterHelp disclosed millions of users’ email addresses, IP addresses, enrollment in the service, and certain intake questionnaire responses (which included health information) to social media companies and other third-party advertising platforms for advertising and for the third parties’ own purposes. In addition, when news reports revealed BetterHelp’s data sharing practices and consumers addressed the company about these practices, BetterHelp allegedly  falsely denied that it had shared consumers’ personal information with third parties.

The proposed order, if approved, would:

• Prohibit BetterHelp from sharing consumers’ health data for advertising purposes;
• Require BetterHelp to pay $7.8 million to consumers for disclosing their sensitive data to third parties for advertising purposes, in contravention of its privacy promises;
• Prohibit BetterHelp from misrepresenting its information practices;
• Require BetterHelp to obtain consumers’ affirmative express consent before collecting, using, or disclosing their  personal information to third parties, by informing consumers of the information to be disclosed, the third parties that will receive the information, and how the information will be used;
• Require BetterHelp to implement a comprehensive privacy program;
• Require third parties to whom BetterHelp previously disclosed consumer personal information to delete such data;
• Require BetterHelp to adhere to a data retention schedule and data minimization policies and practices;
• Require BetterHelp to submit to initial and biennial assessments by a third-party assessor for 20 years; and
• Require BetterHelp to provide the FTC with an initial and annual certification of compliance with the order for 10 years.

Commissioner Christine S. Wilson issued a concurring statement.