In a recent proposed order, the Federal Trade Commission (“FTC”) limits the ability of an online mental health services provider to share individuals’ health data, including information about mental health, for marketing and advertising purposes.
The proposed order also requires the provider to pay $7.8 million. The FTC alleges that the provider shared information with a number of third-party companies for marketing and advertising, including Meta’s Facebook, Snapchat, Pinterest, and Criteo. In its complaint, the FTC cited the sharing of information, through both manual and automated means, without the consent of the individual who was the subject of the information, including individuals’ email addresses, IP addresses, and other persistent identifiers.
The FTC also placed specific emphasis on the use of web beacons, which presumably refers in part to the Meta Pixel, a tracking technology provided by Meta that collects “events” occurring on a web page. These events can be one of over fifteen “universal” events, but the pixel can also be customized to track custom events and activities.
The initial complaint cited eight counts, including unfair privacy practices, disclosure of health information for advertising and third parties’ own uses, the failure to disclose the use of health information for advertising, and misrepresenting the privacy of information shared with the provider. However, in all cases, the causes of action include failing to secure adequate consent before sharing information, failing to provide limitations on the use of the disclosed information, and misrepresenting in its online privacy policies how the provider would use and share sensitive information.
With this proposed settlement, the FTC continues a pattern of heightened attention by federal agencies with relevant jurisdiction to the disclosure of sensitive information, including individually identifiable health information, through marketing and tracking technologies.
For example, in December 2022, the agency primarily tasked with HIPAA enforcement, the Department of Health and Human Services, Office for Civil Rights (“HHS OCR”), published guidance for HIPAA-covered entities and their business associates that prohibited regulated entities from using tracking technologies in a manner that would permit an impermissible disclosure of HIPAA protected health information (“PHI”) to tracking technology vendors or any other violations of the HIPAA rules. In that guidance (and as noted in our piece analyzing the guidance), HHS OCR expressly provided that entities and activities outside the scope of HIPAA may still be subject to regulatory oversight and intervention by the FTC and other regulators where sensitive information is shared beyond the scope of authorization. Further, this is the FTC’s second order on these issues in a matter of weeks (as noted in another of our alerts). Finally, we understand that the State Attorneys General continue to exercise their jurisdiction in these matters, as well.
Accordingly, while the FTC’s proposed settlement in this instance applies immediately only to the provider, businesses of all sizes would be well-served to view this proposed settlement as part of a larger strategic effort by both state and federal regulators to crack down on the unauthorized sharing of information. The risk is clearly amplified when an entity is engaged in providing goods and services involving potentially sensitive information, such as healthcare or financial services.
While this provider’s practices may have been deficient, they are hardly uncommon. Users are seldom truly anonymous online and can be tracked through myriad technologies, including cookies, web beacons, session replay, IP address, device fingerprinting, and more. Organizations should carefully consider whether their existing privacy policies, information-sharing procedures, and third-party support are compatible with the tracking technologies that users may encounter online. This should include an analysis of tracking technologies utilized on their websites on a page-by-page basis, as well as how integrated third parties may attempt to leverage or collect that data for their own uses. Based on this analysis, organizations should tailor their disclosures and requests for consent accordingly, taking into consideration: (1) the potential sensitivity of the information to be collected, (2) the user’s constructive awareness that the information is being collected, (3) whether this information is being shared with or collected by third parties, (4) whether a user consented to, or is at least reasonably on notice of, the sharing, and (5) the potential for error or misuse associated with the collection of the data.
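The page-by-page inventory recommended above can be started with a simple static scan of each page's HTML for third-party scripts, iframes and 1x1 image beacons. The script below is an added example written for this alert, not code from the FTC, the provider, or Meta. It assumes the auditor supplies the site's own hostname (`example.org` here) and a list of tracker hosts to recognize; the two Meta Pixel hosts and the `fbq(` global are the pixel's publicly documented loader and API, while the sample pages, the `EXAMPLE_PIXEL_ID` value and the `audit_site` / `audit_page` function names are constructed for the example. A real audit would extend the host list and run the scan against rendered pages, since tag managers can inject pixels after load.

```python
"""Static, page-by-page inventory of third-party tracking tags (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts; extend for a real audit (assumption: Meta Pixel hosts).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",  # pixel loader script (fbevents.js)
    "www.facebook.com": "Meta Pixel",      # <noscript> image beacon (/tr)
}
# JavaScript globals whose presence in an inline script indicates a tracker.
TRACKER_GLOBALS = {"fbq(": "Meta Pixel"}


class _TagCollector(HTMLParser):
    """Collects third-party scripts, iframes, image pixels and inline tracker calls."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._classify("script", a["src"], a)
        elif tag in ("img", "iframe") and a.get("src"):
            self._classify(tag, a["src"], a)

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            for marker, vendor in TRACKER_GLOBALS.items():
                if marker in body:
                    self.findings.append({"kind": "inline-script", "src": None,
                                          "host": None, "vendor": vendor})
            self._in_script = False
            self._script_buf = []

    def _classify(self, kind, src, a):
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs (no host) and the site's own host are first-party.
        if not host or host == self.first_party_host:
            return
        # A third-party 1x1 image is the classic web beacon.
        if kind == "img" and a.get("width") == "1" and a.get("height") == "1":
            kind = "pixel"
        self.findings.append({"kind": kind, "src": src, "host": host,
                              "vendor": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})


def audit_page(html, first_party_host):
    """Return the list of third-party tracking findings for one page's HTML."""
    collector = _TagCollector(first_party_host)
    collector.feed(html)
    collector.close()
    return collector.findings


def audit_site(pages, first_party_host):
    """Map each page path to its findings, so disclosures can be checked page by page."""
    return {path: audit_page(html, first_party_host) for path, html in pages.items()}


def vendors_by_page(report):
    """Summarize which vendors receive data from each page."""
    return {path: sorted({f["vendor"] for f in findings}) for path, findings in report.items()}


# Constructed sample pages: a plain landing page and an intake page carrying the pixel.
SAMPLE_PAGES = {
    "/": """<html><head><script src="/static/app.js"></script></head>
<body><img src="/static/logo.png" width="120" height="40"></body></html>""",
    "/intake": """<html><head>
<script src="/static/app.js"></script>
<script>
  fbq('init', 'EXAMPLE_PIXEL_ID');
  fbq('track', 'PageView');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=EXAMPLE_PIXEL_ID&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body></body></html>""",
}

if __name__ == "__main__":
    report = audit_site(SAMPLE_PAGES, "example.org")
    for path, findings in report.items():
        print(path)
        for f in findings:
            print("  ", f["kind"], f["vendor"], f["src"] or "")
```

Pages whose findings name a vendor that the privacy policy does not disclose, or that the third-party agreement does not permit, are the ones to escalate; an intake or symptom-checker page carrying a pixel is exactly the pattern the FTC complaint describes.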
Finally, organizations should carefully review their existing agreements with third parties to confirm which data can be collected, whether data can be shared (and if so, the purpose for which the sharing can occur), and to ensure that their own privacy practices are consistent with representations made by the data owner organization.