Companies Need “BetterHelp” With Advertising Compliance

Imagine you just got the worst news of your life and are in a state of depression. Facing your darkest hour, you need to speak to someone immediately. Finding a counselor or therapist seems daunting. All you want is to reach for the easiest thing to help get you back on your feet. Then you see an online mental health counseling service advertisement that promises to match you with thousands of therapists via text, live chat, audio calls, and video conferencing. BetterHelp advertised private and secure online mental health services -- at the height of COVID, and for those in desperate need of therapy while in lockdown, this might have sounded like a godsend. But sadly, all was not what it appeared to be.

A recent FTC investigation and $7.8m settlement revealed that BetterHelp broke its privacy promises by sharing users’ personal information (including sensitive information regarding their mental health needs) with major advertising platforms for targeted advertising, including Facebook, Snapchat, Criteo, and Pinterest. As regularly happens in FTC actions, multiple class actions have also been filed against BetterHelp. It’s not an isolated incident either: this enforcement comes right on the heels of the FTC’s 1.5 million dollar fine against GoodRx for sharing users’ health data with Facebook and Google.

In this day and age, a company getting in trouble for violating its privacy promises is (sadly) not that surprising. But there’s a reason we wanted to highlight this case -- it provides good insight for companies in any industry who rely on advertising to grow their business.

Unpacking BetterHelp’s Response

Perhaps ironically, given the company’s goals of helping people identify and overcome their struggles, BetterHelp’s public response to the FTC settlement digs in its heels, arguing essentially that it did nothing wrong:

“The FTC alleged we used limited, encrypted information to optimize the effectiveness of our advertising campaigns so we could deliver more relevant ads and reach people who may be interested in our services. This industry-standard practice is routinely used by some of the largest health providers, health systems, and healthcare brands. Nonetheless, we understand the FTC's desire to set new precedents around consumer marketing, and we are happy to settle this matter with the agency. This settlement, which is no admission of wrongdoing, allows us to continue to focus on our mission to help millions of people around the world get access to quality therapy.

“To clarify, we do not share and have never shared with advertisers, publishers, social media platforms, or any other similar third parties, private information such as members' names or clinical data from therapy sessions.”

You don’t have to be a licensed therapist to notice how defensive this PR statement is, or how it repeatedly downplays the FTC’s allegations – “No admission of wrongdoing!” (sure) “This practice is industry-standard!” (not particularly) “The FTC is setting new precedent!” (it’s not) “We never shared any private info!” (if that were true, you wouldn’t be paying a $7.8m fine!) Is this just spin, or is there a more fundamental disconnect happening here? Digging into this deeper, here are our 3 main takeaways.

Takeaways

1) An email address can be very sensitive depending on who has it. BetterHelp argues that only “private” information like member names or clinical data is sensitive enough to count as “private.” But as the FTC points out, most people visited BetterHelp primarily to seek mental health assistance. Therefore, the very fact that BetterHelp had their info revealed that they were experiencing mental health struggles, which is inherently sensitive. As the FTC says: “Context counts.”

2) A picture is worth a thousand (misleading) words. BetterHelp had the following certification mark on its website:

The FTC held that the second logo in particular, which depicted the medical caduceus and the term “HIPAA,” implied to an ordinary consumer that BetterHelp’s practices met the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Protected Health Information is information that is considered sensitive and is protected by federal health privacy laws in certain contexts, including HIPAA. Of course, BetterHelp was not HIPAA compliant.

3) Don’t fall for the myth of the “magic crypto box.” Many adtech partners over the years have fallen for the fallacy of what we like to call “the magic crypto box.” At a very high level, social networks know they can’t just ingest raw personal data like email addresses, so they create special “magic crypto boxes” instead. Advertisers (like BetterHelp) upload their lists of consumer data into one end of the box, and the box scrambles up the data using complicated algorithms and state-of-the-art cryptographic techniques (things like “hashing,” “salting,” and “signing”). On the other side, social networks have their own lists of customers, and they put them into the other side of the box. The magic crypto box looks for matches between the two sets of scrambled data, and when it finds one, it serves an ad to that user on the social network. By design, no one is supposed to be able to see inside the magic crypto box or be able to trace back the matches to an individual user.

 

This is why BetterHelp claims that the data was “limited” and “encrypted.” In their eyes, they saw this:

But the FTC just saw this:

According to the FTC, “BetterHelp knew that third parties like Facebook would effectively undo the hashing” and “easily match [BetterHelp’s email list] to the email[s] of people with Facebook accounts.” The point is clear – it doesn’t matter how sophisticated the magic crypto box is – at the end of the day, it’s still a disclosure to a third party made for the purposes of serving ads, and therefore still subject to privacy laws.
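The FTC's point about hashing can be shown in a few lines. The following is an added example, not code from the article or from any party in the case; it assumes unsalted SHA-256 over a trimmed, lowercased address (the article does not say which scheme was used), and the addresses, account IDs and key are constructed.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Both sides apply the same normalization, so case/whitespace do not hide a match.
    return email.strip().lower()


def sha256_hex(email: str) -> str:
    # Deterministic and unkeyed: anyone holding the same email gets the same digest.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hex(email: str, key: bytes) -> str:
    # Keyed variant (HMAC-SHA-256): digests are only reproducible by a key holder.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def match(uploaded_hashes, recipient_users, hash_fn):
    """Recipient side: hash its own user emails, then map uploaded digests to accounts."""
    index = {hash_fn(email): account for account, email in recipient_users.items()}
    return sorted(index[h] for h in uploaded_hashes if h in index)


# Constructed sample data (assumption): an advertiser's customer list and a
# recipient platform's own account table.
ADVERTISER_LIST = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]
RECIPIENT_USERS = {
    "acct-1001": "alice@example.com",
    "acct-1002": "dave@example.com",
    "acct-1003": "bob@example.org",
}


def demo():
    # Case 1: plain hashed upload. The recipient recomputes the same digests
    # from emails it already holds and learns which accounts are on the list.
    uploaded = [sha256_hex(e) for e in ADVERTISER_LIST]
    reidentified = match(uploaded, RECIPIENT_USERS, sha256_hex)

    # Case 2: digests keyed with a secret the recipient does not have.
    secret = b"advertiser-only-key (constructed)"
    keyed = [keyed_hex(e, secret) for e in ADVERTISER_LIST]
    unmatched = match(keyed, RECIPIENT_USERS, sha256_hex)
    return reidentified, unmatched


if __name__ == "__main__":
    print(demo())
```

The keyed upload yields no matches, which is exactly why it cannot be used for audience matching: the feature only works when the recipient can recompute the digest, so the hashed list discloses membership to that recipient.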

Conclusion

This case should be a wake-up call to health companies to carefully review their privacy practices, especially any consumer information that is being shared with third parties for marketing purposes. In particular, companies that offer health-related services should be held to the highest standard possible, because consumers are not always in the state of mind to carefully read every disclosure and morsel of information in a time of crisis (especially consumers seeking mental health treatment).

Regardless of your industry, it’s a smart move to have a privacy and advertising lawyer review your privacy promises as well as your adtech practices to help ensure you are in sync with the FTC’s expectations.

***

Tyz Law Group is a boutique litigation and IP counseling firm comprised of former big law and in-house attorneys with highly specialized expertise in the technology sector.  If you have any questions about the issues discussed in this article, please do not hesitate to contact us at (415) 868-6900 or contact@tyzlaw.com.

 

The above article may constitute attorney advertising. For more information, please see: www.tyzlaw.com/attorney-advertising-notice.