What the FTC Is Signaling in Recent Data Privacy Cases
Governance & Risk Management , Privacy , Standards, Regulations & Compliance
Attorney Kirk Nahra on Where FTC Is Headed in Disputes Such as GoodRx, BetterHelp
Marianne Kolbasuk McGee (HealthInfoSec) • March 17, 2023
Kirk Nahra, attorney, WilmerHale
The Federal Trade Commission’s recent actions against two companies in separate health data privacy cases underscore the agency’s “aggressive push” to take enforcement action over disclosures of consumer health data to social media platforms and other third parties, said privacy attorney Kirk Nahra of the law firm WilmerHale.
The FTC is “building law through enforcement activity,” Nahra said. “They’re pushing for federal legislation. But they’re also saying, ‘We’re going to take enforcement action without a rule and without a statute, because we’re just going to push in that direction.'”
One of the cases involved a $1.5 million FTC civil monetary penalty against GoodRx, a telehealth and discount prescription drug provider, for failing to tell consumers that it had shared their information with third parties, including Facebook and Google. That was also the FTC’s first enforcement of its 14-year-old Health Data Breach Notification Rule.
The FTC warned through policy guidance in September 2021 that it would enforce the rule in matters involving health apps and connected devices that collect or use consumers’ health information.
That covers a much broader range of health data than was generally thought to fall under the “personal health records” definition on which the rule is based, Nahra said.
In the other case, the FTC hit BetterHelp, an online talk therapy company, with a $7.8 million civil monetary penalty after settling allegations that the firm had shared sensitive identifying information with social media platforms including Facebook.
As part of the settlement agreement, BetterHelp must instruct the third parties that received customer information to delete it. The company also must implement a privacy program and agree to undergo a third-party privacy assessment every two years for the next two decades.
“I think what’s the most interesting part of BetterHelp is the sanctions at the end of the FTC orders,” Nahra said. “They basically said, ‘You cannot do this anymore. You cannot use health data for advertising without explicit permission of the individual consumer.'”
But “there is no law that says that anywhere at this point,” he added. “They have basically used that as a remedy when there was a prior violation of something else that they wanted to piggyback on.”
Together, the two cases spotlight the FTC’s evolving interpretation of what falls under the Health Data Breach Notification Rule, as well as what constitutes deceptive and unfair acts and practices under Section 5 of the FTC Act, especially in the absence of a national privacy law, Nahra said.
“Both of the two cases: Look at the sanctions at the end, and look at the orders at the end. This is where the FTC wants to go. They’re using these cases to start getting there,” he said.
In the video interview, Nahra also discusses:
- Legal and regulatory issues involving other potential privacy matters concerning health and location data;
- Other critical considerations concerning the GoodRx and BetterHelp cases and other, similar cases;
- Advice for entities using web tracking tools or related technologies for advertising or marketing activities.
Nahra is a partner with WilmerHale in Washington, D.C., where he co-chairs the global cybersecurity and privacy practice. He analyzes the requirements of privacy and security laws across the country and internationally, providing advice on data breach issues, enforcement actions, big data issues, contract negotiations, business strategy and overall privacy, data security and cybersecurity compliance.