Online counseling company BetterHelp has agreed to pay $7.8 million to settle charges from the Federal Trade Commission that it improperly shared customers’ sensitive data with companies like Facebook and Snapchat, even after promising to keep it private. The proposed order, announced by the FTC on Thursday, would ban the same behavior in the future and require BetterHelp to make some changes to how it handles customer data.
According to the regulator, the sign-up process for the company’s service “promised consumers that it would not use or disclose their personal health data except for limited purposes.” However, the FTC alleges that the company instead “used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes.”
The FTC also says that the company gave customer service agents false scripts to try and reassure users that it wasn’t sharing personally identifiable or personal health information after a February 2020 report from Jezebel exposed some of its practices. The commission’s complaint accuses the company of misleading customers by putting a HIPAA seal on its website, despite the fact that “no government agency or other third party reviewed [BetterHelp]’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.”
“BetterHelp betrayed consumers’ most personal health information for profit,” said Samuel Levine, FTC bureau of consumer protection director, according to the agency’s press release.
If the FTC’s order ends up going through, the $7.8 million would go to customers who signed up for the service between August 1st, 2017, and December 31st, 2020. Here are some of the other things BetterHelp would be required to do:
- Stop sharing individually identifiable information about consumers’ mental health with any third parties
- Stop misrepresenting its data collection and use policies
- Alert customers who created accounts before January 1st, 2021, that their personal info may have been used for advertising
- Obtain “affirmative express consent” from a customer before sharing information with a third party
- Reach out to third parties that received customer information and ask that it be deleted
- Establish a “comprehensive privacy program” and have an independent third party carry out privacy assessments
The requirements would largely be in place for the next 20 years. The FTC says that the agreement will go through a 30-day public comment period before it makes a final decision on whether to put it into effect. It’s worth noting, though, that the proposal passed the commission by a 4 to 0 vote, so it does seem to have a fair amount of support.
By agreeing to the order, BetterHelp isn’t admitting or denying many of the allegations brought against it by the FTC. In a statement posted to its website, the company calls its practices “industry-standard” but says: “we understand the FTC’s desire to set new precedents around consumer marketing, and we are happy to settle this matter with the agency.” It also clarifies that it’s never shared information like “members’ names or clinical data from therapy sessions” with “advertisers, publishers, social media platforms, or any other similar third parties.”
It’s far from the first time that concerns have been raised about BetterHelp or other online mental healthcare providers. Last year, lawmakers, including Sens. Elizabeth Warren (D-MA) and Ron Wyden (D-OR), sent a letter to BetterHelp asking for information on what data the service collected, how it was used, and how it interacted and disclosed its dealings with online advertisers and social media companies. Mozilla has also said that when it reviewed 32 mental health apps, it found that 28 of them shared people’s info with other companies.
While selling people’s mental health data isn’t necessarily illegal — even if they haven’t given consent, according to a report from The Washington Post — the FTC has been cracking down on companies that it determines are doing it improperly. Earlier this year, it fined GoodRx $1.5 million for sending health data to companies like Google and Facebook and barred the company from doing so again in the future.