The Federal Trade Commission (FTC) is ramping up its enforcement activities in the context of companies sharing health data for advertising purposes. Most recently, the FTC announced a proposed order banning an online counseling service from sharing health data, including sensitive data about mental health, for advertising and re-targeting purposes. [1] In addition to the ban, the counseling service is also ordered to pay $7.8 million in the proposed order. During the signup process, the company had promised that health data would not be used or disclosed except for limited purposes, such as to provide the counseling services. For example, the company used statements such as, “Rest assured – any information provided in this questionnaire will stay private between you and your counselor.” The FTC alleges that the company repeatedly nudged individuals to fill out an intake questionnaire that would ask about sensitive health data through unavoidable prompts. For example, the questionnaire asked if people are “experiencing overwhelming sadness, grief, or depression,” if they’re having thoughts they “would be better off dead or hurting [themselves] in some way,” if they’re taking medication, and if they’ve been in therapy before. In addition to the user's email and IP address, this highly sensitive data was subsequently shared with third parties for advertising purposes.
In response, the company noted that it used limited, encrypted information to enhance the effectiveness of its advertising campaigns. The company further argued that this is an “industry-standard practice” used by other health providers, health systems, and healthcare brands. [2]
Previously, the FTC has taken action under the Health Breach Notification Rule against a telehealth and prescription drug discount provider for failing to notify customers and regulators of unauthorized disclosure of health data to other companies for advertising purposes. In that enforcement case, the FTC issued a strong statement warning that “[d]igital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information.” [3]
The company is prohibited from future misrepresentations about how it shares personal data and is further required to implement a comprehensive privacy program, limit retention of personal and health data according to a data retention schedule, and obtain opt-in consent before disclosing personal information to certain third parties.
The FTC notes that there are several takeaways for businesses. First, “personal information” may be “health information” simply due to the nature of the product or service. Thus, email or IP addresses constituted highly sensitive information in the context of the online counseling service. Second, companies should institute policies, practices, and procedures to protect health information. Third, companies should not use deceptive design to prompt users to turn over personal information. Fourth, hashing personal data is not a defense for privacy of personal data if third parties can un-hash the data. Fifth, companies should monitor data flows to third parties that may receive personal data through web beacons, pixels, or other tracking technologies. Lastly, companies should not use certification seals that falsely signal deceptive messages about certification with a government agency or third party.
While the FTC’s enforcement activities and guidance to businesses regarding health data may be unsurprising and standard in Europe, these enforcement activities may come as more of a surprise to US-based companies. Companies processing personal data, particularly health data, should brace themselves for more active enforcement in relation to using and disclosing personal data in manners compliant with the FTC’s guidance and settlement orders.
