AGENCY:
Federal Trade Commission.
ACTION:
Proposed consent agreement; request for comment.
SUMMARY:
The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
DATES:
Comments must be received on or before April 13, 2023.
ADDRESSES:
Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “BetterHelp, Inc.; File No. 202 3169” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex P), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT:
Miles Plant (202-326-2526), Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before April 13, 2023. Write “BetterHelp, Inc.; File No. 202 3169” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write “BetterHelp, Inc.; File No. 202 3169” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex P), Washington, DC 20580.
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.
Visit the FTC website at http://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before April 13, 2023. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the “Commission”) has accepted, subject to final approval, an agreement containing a consent order from BetterHelp, Inc. (“Respondent” or “BetterHelp”). The proposed consent order (“Proposed Order”) has been placed on the public record for thirty (30) days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.
BetterHelp is an online mental health counseling service that matches consumers with one of BetterHelp's over 25,000 contracted licensed therapists. Through BetterHelp's websites and apps, consumers can communicate with therapists via video conferencing, text messaging, live chat, and audio calls. BetterHelp has offered this service under several names, including BetterHelp Counseling, Faithful Counseling, Pride Counseling, ReGain, Terappeuta, iCounseling, and MyTherapist.
To sign up for BetterHelp's counseling service, a consumer must complete an online intake questionnaire containing detailed questions about the consumer's mental health status and history (the “Intake Questionnaire”). Following completion of the Intake Questionnaire, the consumer can create an account by providing their name or nickname, email address, phone number, and emergency contact information.
As consumers progressed through the Intake Questionnaire, BetterHelp represented that the consumers' information “will stay private between you and your counselor.” Similarly, when a consumer completed the Intake Questionnaire and signed up for an account to use Faithful Counseling, Pride Counseling, or Teen Counseling, BetterHelp represented that the consumer's email address would be “kept strictly private” and “never shared, sold or disclosed to anyone.” BetterHelp made additional privacy guarantees in its privacy policies—first implicitly and then explicitly—of limited use and limited disclosure of consumers' email addresses, IP addresses, and health information. Despite representing to consumers that BetterHelp would keep consumers' information private and only use their information for non-advertising purposes, BetterHelp used and disclosed information obtained from consumers through the Intake Questionnaire and sign-up process for advertising.
Additionally, BetterHelp prominently displayed a seal—in close proximity to several other seals provided by third parties—that attested to BetterHelp's purported compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a statute that sets forth privacy and information security protections for health information. In addition, BetterHelp represented to consumers that it was in fact “HIPAA certified,” with its customer service representatives informing consumers that “[y]ou will also be able to see our HIPAA certification at the bottom of” our web pages. However, no government agency or other third party had reviewed BetterHelp's information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.
The Commission's proposed eight-count complaint alleges that BetterHelp violated section 5(a) of the Federal Trade Commission Act by: (1) unfairly failing to employ reasonable measures to protect consumers' health information in connection with the collection, use, and disclosure of that information (Count I); (2) unfairly failing to obtain consumers' affirmative express consent prior to collecting, using, and disclosing consumers' health information (Count II); (3) failing to disclose that it shared consumers' health information with third parties for BetterHelp's advertising purposes and the recipient third parties' own business purposes, and failing to disclose that BetterHelp used consumers' health information to target the consumers and others with advertisements (Counts III and IV); (4) misrepresenting that it would not disclose consumers' health information to third parties for advertising and the recipient third parties' own business purposes, that it would not use such information for advertising or advertising-related purposes, and that it would not share such information with anyone except each consumer's licensed therapist (Counts V-VII); and (5) misrepresenting that a governmental agency or third party had reviewed BetterHelp's practices and determined that such practices met the requirements of HIPAA (Count VIII).
Summary of Proposed Order With BetterHelp
The Proposed Order contains provisions designed to prevent BetterHelp from engaging in the same or similar acts or practices in the future. Part I of the Proposed Order prohibits BetterHelp from sharing individually identifiable information relating to the past, present, or future physical or mental health or condition(s) of a consumer with any third party ( i.e., any party other than BetterHelp, its service providers, therapists or counselors employed by or contracted with BetterHelp, certain employee benefit programs, and entities using consumers' information for other very limited purposes) for advertising. Part I also prohibits BetterHelp from sharing consumers' personal information more generally with Third Parties for the purpose of re-targeting ( i.e., sharing personal information of consumers who have previously engaged with BetterHelp, such as by visiting one of its websites or using one of its apps, to send advertisements to those consumers). Part II of the Proposed Order requires that, before it can share a consumers' personal information with a third party for any purpose that is not prohibited under part I, BetterHelp must obtain that consumer's affirmative express consent, which includes informing the consumer of the information to be disclosed, the third parties that will receive the information, and how the information will be used.
Part III of the Proposed Order prohibits BetterHelp from misrepresenting: (1) the extent to which it collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information, or the extent to which it protects the privacy, security, availability, confidentiality, or integrity of Covered Information; (2) the purposes for which BetterHelp or any entity to whom it discloses or permits access to Covered Information collects, maintains, uses, discloses, or permits access to such information; (3) the extent to which a consumer can maintain privacy and anonymity when visiting or using BetterHelp's online properties; (4) the extent to which consumers may exercise control over BetterHelp's collection of, maintenance of, use of, deletion of, disclosure of, or permission of access to Covered Information; (5) the extent to which BetterHelp is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security or any other compliance program sponsored by a government or any self-regulatory or standard-setting organization; and (6) the extent to which BetterHelp is covered by HIPAA, and the extent that its privacy and information practices are in compliance with HIPAA requirements.
Part IV of the Proposed Order requires BetterHelp to identify to the Commission which third parties received consumers' personal information from BetterHelp without their consent and what personal information each such third party received. Part IV also requires that BetterHelp then ask those third parties to delete such personal information.
Part V of the Proposed Order requires that BetterHelp provide notice to consumers who created an account with BetterHelp prior to January 1, 2021, that BetterHelp may have used and disclosed their personal information for advertising. Part VI requires BetterHelp to establish and implement, and thereafter maintain, a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of consumers' Covered Information (as defined in the Proposed Order).
Part VII of the Proposed Order requires BetterHelp to obtain initial and biennial privacy assessments by an independent, third-party professional (“Assessor”) for 20 years, and part VIII requires BetterHelp to cooperate with the Assessor in connection with the assessments required by part VII. Part IX of the Proposed Order requires that a BetterHelp executive certify the company's compliance with the Proposed Order. Part X of the Proposed Order requires BetterHelp to notify the Commission following the discovery of a violation of parts I, II, or III of the Proposed Order.
Part XI of the Proposed Order requires BetterHelp to pay $7,800,000 in monetary relief for consumer redress, and part XII describes the procedures and legal rights related to that payment. Part XIII of the Proposed Order requires BetterHelp to provide information to, and pay for, an independent redress administrator (“Administrator”) selected by the Commission, which will be responsible for administration of consumer redress.
Parts XIV through XVII of the Proposed Order are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring BetterHelp to provide information or documents necessary for the Commission to monitor compliance. Part XVIII states that the Proposed Order will remain in effect for twenty (20) years, with certain exceptions.
The purpose of this analysis is to aid public comment on the Proposed Order. It is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify in any way the Proposed Order's terms.
By direction of the Commission.
April J. Tabor,
Secretary.
Concurring Statement of Commissioner Christine S. Wilson
Today the Commission announces a consent agreement with BetterHelp resolving allegations that it failed to protect consumers' health information and failed to disclose or misrepresented its marketing practices. I support the allegations in the proposed complaint and the relief in the negotiated consent.
The complaint explains that BetterHelp provides an online counseling service that matches users with the respondent's therapists and facilitates counseling via its websites and apps. Millions of consumers have used the service and provided BetterHelp with sensitive personal information regarding their health status and history, in addition to their name, email address, and IP address. Contrary to its repeated representations to keep this information private, the complaint explains that BetterHelp monetized consumers' health information to target them and others with advertisements. To this end, Respondent provided sensitive consumer health information to third-party advertising platforms including Facebook, Pinterest, Snapchat, and Criteo. I agree that this alleged conduct violates Section 5 of the FTC Act.
Notably, the complaint does not include an allegation that BetterHelp violated the Health Breach Notification Rule (HBNR or Rule). I support this careful approach to the application of the Rule, particularly given the FTC Policy Statement on Breaches by Health Apps and Other Connected Devices (Policy Statement). The Commission, in a 3-2 party-line vote, issued this Policy Statement in September 2021. I dissented because the Policy Statement included a novel expansion of the application of the Rule that contradicted earlier business guidance and was issued during the pendency of the ongoing HBNR rulemaking proceeding.
FTC Policy Statement on Breaches by Health Apps and Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/news-events/events-calendar/open-commission-meeting-september-15-2021.
Dissenting Statement of Commissioner Christine S. Wilson, Policy Statement on Breaches by Health Apps and Other Connected Devices (Sept. 15 2021), https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf.
See Exhibit A, Dissenting Statement of Commissioner Christine S. Wilson, Policy Statement on Breaches by Health Apps and Other Connected Devices (Sept. 15, 2021) (prior Commission business guidance on the HBNR), https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf.
Health Breach Notification Rule, Request for Public Comment, 85 FR 31085 (May 22, 2020).
One could argue that BetterHelp would fall within the ambit of the HBNR because it offers a health platform and app, particularly under the expansive view espoused in the Policy Statement. I am pleased to see that the Commission has not taken this approach.
This is especially appropriate because, according to the complaint, BetterHelp's violative conduct ceased in December 2020, before the issuance of the Policy Statement. I recently supported the application of the Rule to the conduct in the GoodRx matter because the alleged conduct at issue there fell squarely within the scope of the HBNR as drafted. See Concurring Statement of Commissioner Christine S. Wilson, GoodRx (Feb. 3, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/public-statements/goodrx-concurring-statement-commissioner-christine-wilson.
The information BetterHelp collects from consumers and provides to therapists on its platform does not constitute a personal health record of identifiable health information under the Rule because it does not include records that “can be drawn from multiple sources,” as required by the existing formulation of the Rule. A consumer provides his or her information to BetterHelp but the company does not pull additional health information from another source or vendor. For this reason, foregoing an HBNR count is appropriate.
See16 CFR 318.2(d); 42 U.S.C. 1320d(6).
I note further that I support the imposition of monetary relief in this matter. BetterHelp told consumers: “Rest assured—your health information will stay private between you and your counselor” but, as alleged, shared this highly sensitive information with third parties for the purpose of monetizing it. I am comfortable that this conduct falls within our authority to seek relief under Section 19 of the FTC Act. I commend the staff on the successful resolution of this matter.
[FR Doc. 2023-05139 Filed 3-13-23; 8:45 am]
BILLING CODE 6750-01-P