FTC: BetterHelp has shared users’ private information with ad platforms without consent

The online counseling service has reportedly pushed people into handing over health information and broken its privacy promises


Online counseling service BetterHelp has reportedly shared users’ private information with advertising platforms without consent, the FTC alleges.

According to the Commission, the company repeatedly pushed people to take an “Intake Questionnaire” and hand over sensitive health information through unavoidable prompts — all while promising to keep that information private. In fact, BetterHelp had statements like: “Rest assured – any information provided in this questionnaire will stay private between you and your counselor.”

However, the FTC has found that the company has shared users’ information with major advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest.

The FTC has therefore proposed a settlement with BetterHelp, which includes $7.8 million for partial refunds for BetterHelp customers. The Commission also wants to convey how seriously it takes this kind of betrayal of trust.

What’s BetterHelp all about?

BetterHelp offers online counseling services through specialized versions for particular audiences, such as Pride Counseling for members of the LGBTQ community, Faithful Counseling for people of the Christian faith, Terappeuta for Spanish-speaking clients, and Teen Counseling for teenagers who enroll with parental permission.

Since its founding, more than two million people have signed up for BetterHelp, entrusting the company with their personal information, much of it related to the status of their health. For example, the Intake Questionnaire mentioned above asked people to disclose if they’re “experiencing overwhelming sadness, grief, or depression,” if they’re having thoughts they “would be better off dead or hurting [themselves] in some way,” if they’re taking medication, and if they’ve been in therapy before.

The broken promises…

To alleviate concerns about revealing personal information, BetterHelp made a variety of confidentiality promises to consumers. To that end, website visitors were told that the company collected “general and anonymous background information about you and the issues you’d like to deal with in online therapy” so the person can be matched “with the most suitable therapist.” Although the exact wording changed over time, the point was always the same — that their email addresses would be “kept strictly private” and “never shared, sold or disclosed to anyone.”

Despite those promises, the FTC says BetterHelp used a wide variety of tactics to share the health information of its users with platforms like Facebook, Snapchat, Criteo, and Pinterest for the purpose of advertising.

For instance, in 2017 BetterHelp allegedly uploaded the email addresses of nearly 2 million of its users to Facebook to target them with ads to refer their Facebook friends to BetterHelp for mental health services.

During another period, the FTC said, BetterHelp disclosed to Facebook, for advertising purposes, the fact that 1.5 million people who visited or used BetterHelp’s site had previously been in therapy. The source of that information was their responses to the intake question, “Have you been in counseling or therapy before?”

As if that weren’t enough, the company disclosed to Snapchat the IP and email addresses of approximately 5.6 million former visitors to target them with BetterHelp ads. It repeated the practice with Criteo and Pinterest.

When a news site revealed in February 2020 that BetterHelp was sharing consumers’ health data with third parties, people complained to the company.

Instead of admitting wrongdoing, the company doubled down on deception by falsely denying it had shared consumers’ personal information with third parties.

The proposed order

The eight-count complaint details how the FTC says BetterHelp’s allegedly deceptive and unfair practices harmed consumers. The proposed order in the case will require BetterHelp to pay $7.8 million that will be used to provide partial refunds to people who signed up for and paid for BetterHelp’s services between August 1, 2017, and December 31, 2020.

Additionally, the proposed order prohibits BetterHelp from sharing consumers’ health data for advertising or sharing their personal information for retargeting ads.

The settlement also includes provisions to limit BetterHelp’s data sharing in the future. The company must contact affected consumers directly about the case and must direct third parties to delete consumers’ health and other personal data that BetterHelp shared with them.

Takeaways for other companies

The FTC doesn’t want to see anything similar happen again, so it is offering guidance for other companies, the most important point of which is to honor their privacy promises. Other takeaways include the following:

“Personal information” may be “health information” simply due to the nature of the product or service. For instance, an email address might not be considered “health information” unless it stems from a health-related service, as was the case with BetterHelp, where most people visited the site to seek mental health assistance.

Institute policies, practices, and procedures to protect health information. A lack of appropriate safeguards can lead to unfair and deceptive practices related to the collection, use, and disclosure of health information. For example, the complaint alleged that BetterHelp failed to have written policies and procedures for protecting the privacy of health information, and that it failed to properly train and supervise employees who handled that health information.

Ditch deceptive design. As the complaint discusses in detail, BetterHelp put privacy “disclosures” behind hard-to-find and hard-to-read links. Even a portion of the website with a link to its privacy policy included this reassurance: “We never sell or rent any information you share with us.”

“Slinging hash” won’t necessarily protect consumers’ personal data. Although BetterHelp hashed people’s email addresses before sharing them with third parties, the hashing was done just to hide the addresses in case of a security breach. The FTC says BetterHelp knew that third parties like Facebook would effectively undo the hashing to reveal the email addresses of people who had gone to the BetterHelp site for mental health services.

Monitor data flows to all third parties your site or app may transmit to via web beacons, pixels, or other tracking technologies. It’s illegal to make privacy promises to consumers without taking into account any information that’s going to third parties through various forms of ad tech.

Check your site for graphics that could send deceptive messages. Almost all of BetterHelp’s pages displayed multiple seals from third parties, including a depiction of the medical caduceus and the term “HIPAA.” The complaint alleges that BetterHelp’s use of that visual falsely signaled to consumers that a government agency or other third party had reviewed the company’s practices and determined they met HIPAA’s requirements.
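The takeaways above on hashing and on monitoring data flows can be checked together with a seeded test account. This is an added example, not code from the FTC complaint or from BetterHelp; it assumes unsalted MD5, SHA-1 or SHA-256 digests of the lowercased address (the article does not name the hash used), and every hostname, parameter name and address in it is constructed.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

ALGOS = ("md5", "sha1", "sha256")  # assumption: the article does not name the hash

def normalize(email):
    return email.strip().lower()

def digests(email):
    """Map each unsalted digest of the normalized address to its algorithm."""
    data = normalize(email).encode()
    return {hashlib.new(a, data).hexdigest(): a for a in ALGOS}

def reidentify(hashed, own_users):
    """A recipient with its own user list hashes each address and joins on the digest."""
    for email in own_users:
        if hashed in digests(email):
            return normalize(email)
    return None

def audit(urls, test_email, first_party):
    """Flag third-party requests carrying the test address, plain or hashed."""
    known = digests(test_email)
    known[normalize(test_email)] = "plaintext"
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is out of scope for this check
        for key, value in parse_qsl(parts.query):
            kind = known.get(value.strip().lower())
            if kind:
                findings.append((host, key, kind))
    return findings

# Constructed sample: URLs captured from a session logged in as the test account.
TEST_EMAIL = "Audit.User@example.com"
EM = hashlib.sha256(normalize(TEST_EMAIL).encode()).hexdigest()
SAMPLE_URLS = [
    "https://www.example-clinic.test/intake?step=3",
    "https://api.example-clinic.test/session?email=audit.user%40example.com",
    f"https://pixel.adnetwork.test/tr?ev=PageView&em={EM}",
    "https://cdn.fonts.test/font.woff2?v=2",
]

if __name__ == "__main__":
    print(audit(SAMPLE_URLS, TEST_EMAIL, "example-clinic.test"))
    print(reidentify(EM, ["someone@example.org", "audit.user@example.com"]))
```

The same digest that the audit flags is the one `reidentify` resolves, which is why a hashed address sent to a platform that already knows the address functions as an identifier rather than as anonymized data.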

The FTC’s proposed settlement is still a work in progress, and until it’s final, the Commission can’t offer specifics about the refund process.

From our vantage point, we like what the FTC is doing and can only hope they are just getting started. There are a lot of sneaky privacy deals out there, and someone has to step in. Way to go, FTC!