
FTC Cracks Down on Unauthorized Disclosure of Health Information for Advertising: A Roundup of Recent Enforcement Actions

Contributors

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada


Lately, the Federal Trade Commission (FTC) has taken an increased interest in protecting consumers’ digital health information, cracking down on companies that use unfair and deceptive practices to share user health data with third parties for marketing. Through its recent enforcement actions, the FTC has highlighted the need for companies in the digital health space to prioritize the protection of consumer data privacy.

What is the FTC?

The FTC is an independent federal agency of the US government responsible for consumer protection and the prevention of anticompetitive business practices. The agency investigates and prosecutes companies and individuals that engage in fraudulent or deceptive business practices, including false advertising, deceptive pricing, and unauthorized billing.

FTC’s Recent Enforcement Actions

In the past three months, the FTC has brought enforcement actions against two companies that handle consumers’ personal health data over their unauthorized use of that health information for marketing purposes.

On February 1, 2023, a telehealth and prescription drug discount platform became the target of the FTC’s first enforcement action under the Health Breach Notification Rule, for failing to notify consumers and other individuals of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. Under the proposed federal court order, the company has agreed to pay a $1.5 million civil penalty and will be barred from sharing user health information with third parties for advertising purposes.

The proposed order further prohibits the company from engaging in the deceptive marketing practices detailed in the complaint and requires it to abide by the Health Breach Notification Rule. Specifically, the proposed order:

  • prohibits the company from sharing health data for ads;
  • requires users’ affirmative express consent before the company discloses their health information to third parties for other purposes;
  • requires the company to direct those third parties to delete the consumers’ health data, and to notify consumers of the breaches and of the FTC’s enforcement action against the company;
  • limits how long the company can retain personal and health information under a data retention schedule; and
  • requires the company to implement a comprehensive privacy program that includes strong safeguards to protect consumer data.

A month later, on March 2, 2023, the FTC announced another proposed order, banning an online counseling service from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising purposes. Under the proposed order, the company must pay $7.8 million to consumers to settle claims that it shared their sensitive data with third parties such as Facebook and Snapchat for advertising despite promising to keep such information private.

In addition, the proposed order requires the company to:

  • obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;
  • implement a comprehensive privacy program that includes strong safeguards to protect consumer data;
  • direct the third parties to delete the health and other personal data disclosed to them; and
  • limit how long it retains personal and health information under a data retention schedule.

Following these enforcement actions, the FTC’s Office of Technology released new guidance emphasizing the risks of using tracking pixels to monitor individuals’ online activity and collect their personal information. The guidance states that “companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and [their] privacy promises to consumers.”

The FTC’s enforcement actions set a strong precedent: digital healthcare companies and other organizations that control consumers’ personal health data must safeguard that information and must not use it in violation of their legal obligations or of the representations they make to consumers.

The enforcement actions also highlight the FTC’s commitment to taking action against companies that violate their data privacy obligations, lack adequate data security infrastructure, or deceive customers by using their personal data for purposes beyond the original intended purpose without obtaining express consent.

Best Practices for Companies Dealing with Health Data

Companies dealing with health data have a legal obligation to protect the privacy and confidentiality of this sensitive information and ensure compliance with relevant laws and regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC’s Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.

Ensuring compliance fundamentally comes down to implementing best practices such as:

Conducting Risk Assessments

Organizations should create a risk management strategy to identify and mitigate risks to the availability, confidentiality, and integrity of health data.

Implementing Appropriate Security Measures

Organizations should implement security measures such as access controls, encryption, and regular data backups to protect health data from unauthorized access or disclosure.

Training Employees

The company’s policies and procedures for protecting health data should be made clear to all personnel who handle it. Employees are the first line of defense and must know the standard operating procedures for handling such data.

Developing a Breach Response Plan

In the event of a data breach or other security issue involving health data, organizations should have a mechanism in place for handling it, including notifying affected individuals and regulatory authorities as required by law.

Regularly Auditing and Monitoring Compliance

Organizations should routinely review and audit their compliance with regulations and, if necessary, take corrective action to resolve any deficiencies or vulnerabilities.

Ensuring Swift Compliance and Avoiding FTC’s Enforcement Action

Section 5 of the FTC Act prohibits companies from engaging in unfair or deceptive acts or practices, including misleading consumers. Businesses that handle personal data, including consumers’ health information, can avoid FTC enforcement action by complying with applicable laws and regulations and by adopting the following general guidelines:

Establish Transparency

Publish a privacy policy and be transparent with customers about your business practices, including how you collect and use their data, and make sure your marketing claims are truthful and not misleading. Additionally, create policies to comply with channel-specific requirements such as CAN-SPAM, call center compliance, the Telemarketing Sales Rule, and the National Do Not Call Registry.

Document Compliance

Establish, implement, and monitor compliance programs, and document compliance with applicable laws and rules; proper documentation can be invaluable in an investigation or litigation.

Monitor Affiliates

Monitor your affiliates and partners to ensure that they comply with FTC guidelines and do not engage in deceptive marketing or fraudulent business practices. Establish compliance policies for third-party lead generators and affiliate marketers, implement onboarding screening procedures, monitor third parties’ activities, and take remedial action when necessary.

Obtain Consent

Obtain consent from customers before collecting or using their personal data, and give them clear options to opt out if they do not wish to share it. Cookie consent pop-ups can inform consumers about the use of cookies and other tracking technologies on your website and obtain their explicit consent before such tracking begins.
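The pixel guidance above and the consent guideline here describe the same control from two sides: a third-party pixel should not fire until the visitor has opted in, and even then it should never carry a page URL or field that reveals a condition, prescription, or therapist. The following is an added example, not code from the original post and not the FTC’s or any vendor’s code, showing a consent gate for a tracking pixel, the redaction of the page reference it sends, and an audit helper that lists the health-related fields in a pixel request captured from browser devtools or a proxy. The vendor endpoint, site hostname, storage key, path patterns and parameter names are hypothetical and would be tuned to the site in question.

```javascript
// Added example (not from the original post, the FTC guidance, or any vendor):
// consent-gated tracking pixel with health-data redaction, plus a leak audit
// for captured requests. All names below are hypothetical.

const CONSENT_KEY = 'consent'; // hypothetical localStorage key written by the consent banner

// Page paths whose mere visit reveals a condition, treatment or prescription.
const SENSITIVE_PATH_PATTERNS = [/^\/conditions\//i, /^\/drugs?\//i, /^\/therapy\//i, /^\/appointments\//i];

// Query-string keys that carry health or contact data and must never reach an ad vendor.
const SENSITIVE_PARAMS = new Set(['condition', 'diagnosis', 'drug', 'rx', 'symptom', 'therapist', 'email', 'phone']);

// True only when the visitor affirmatively opted in to marketing; a missing,
// malformed or non-true value is treated as "no consent".
function hasMarketingConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) ?? 'null');
    return parsed !== null && parsed.marketing === true;
  } catch {
    return false;
  }
}

function isSensitivePage(pathname) {
  return SENSITIVE_PATH_PATTERNS.some((re) => re.test(pathname));
}

// Build the URL the pixel would request, or return null when it must not fire.
// Health pages are suppressed even with consent, mirroring the orders above that
// bar sharing health data for advertising outright; on other pages the page
// reference is rebuilt with sensitive query keys removed and no page title.
function buildPixelRequest({ vendorEndpoint, pageUrl, consentStorage }) {
  if (!hasMarketingConsent(consentStorage)) return null;
  const page = new URL(pageUrl);
  if (isSensitivePage(page.pathname)) return null;
  const cleanPage = new URL(page.origin + page.pathname);
  for (const [key, value] of page.searchParams) {
    if (!SENSITIVE_PARAMS.has(key.toLowerCase())) cleanPage.searchParams.set(key, value);
  }
  const request = new URL(vendorEndpoint);
  request.searchParams.set('ev', 'PageView');
  request.searchParams.set('dl', cleanPage.toString());
  return request.toString();
}

// Audit helper for a pixel request observed in devtools or a proxy: lists the
// health-related fields it carries, descending into URL-valued parameters
// (e.g. a page-location field), which is where the leak usually hides.
function findHealthLeaks(requestUrl, depth = 0) {
  const leaks = [];
  let url;
  try { url = new URL(requestUrl); } catch { return leaks; }
  if (isSensitivePage(url.pathname)) leaks.push(`path:${url.pathname}`);
  for (const [key, value] of url.searchParams) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) leaks.push(`param:${key}`);
    if (depth < 2 && /^https?:\/\//i.test(value)) leaks.push(...findHealthLeaks(value, depth + 1));
  }
  return leaks;
}

// Constructed sample data for a stand-alone run (not real captures).
const OPTED_IN = { getItem: (k) => (k === CONSENT_KEY ? '{"marketing":true}' : null) };
const NO_CHOICE = { getItem: () => null };
const CAPTURED_REQUEST = 'https://pixel.example/collect?ev=PageView'
  + '&dl=https%3A%2F%2Fhealth.example%2Fconditions%2Fdepression%3Fdrug%3Dsertraline';

console.log(buildPixelRequest({
  vendorEndpoint: 'https://pixel.example/collect',
  pageUrl: 'https://health.example/blog/post?utm_source=newsletter&condition=anxiety',
  consentStorage: OPTED_IN,
}));
console.log(buildPixelRequest({ vendorEndpoint: 'https://pixel.example/collect',
  pageUrl: 'https://health.example/blog/post', consentStorage: NO_CHOICE }));
console.log(findHealthLeaks(CAPTURED_REQUEST));
```

The audit helper is the piece worth running against real traffic: export the requests a page makes to ad vendors, feed each one through `findHealthLeaks`, and any `path:` or `param:` entry is a disclosure of the kind the FTC guidance describes. Note that the gate treats a missing or malformed consent record as no consent, and that it refuses to fire on health pages regardless of consent, since the orders above prohibit sharing health data for ads rather than merely requiring consent for it.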

Implement Security Measures

Protect the data you collect with appropriate security measures, and notify customers and the relevant regulatory authority promptly if a data breach occurs.

Honor Commitments

Honor the commitments you make to customers, including those in your privacy policy, refund policies, and guarantees.

Respond to Complaints

Identify trends in customer complaints, respond promptly and professionally to complaints and data subject requests, and take appropriate action to resolve the underlying issues. Refund dissatisfied customers liberally rather than letting disputes escalate.

Stay Informed

Stay on top of new developments in the law, industry standards, and the FTC’s guidelines and expectations by regularly visiting the FTC’s website, and ensure that your business practices keep pace with these changes.

Compliance with the FTC’s rules and with evolving data privacy laws is essential to building trust with customers, avoiding penalties and other legal exposure, and ensuring the long-term success of your business. In today’s data-driven age, honoring data obligations requires automation to handle the vast amounts of data being collected, processed, shared, and sold.

How Can Securiti Help?

By harnessing the power of automation, Securiti’s Data Command Center helps organizations overcome the challenges of hyperscale data environments, delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS so that they can meet their security, privacy, governance, and compliance obligations.

Securiti’s automation modules, such as privacy policy and notice management, consent management, and third-party consent, help you comply with the FTC’s rules and evolving data privacy laws and avoid non-compliance penalties.
