FTC Cracks Down on Unauthorized Disclosure of Health Information for Advertising: A Roundup of Recent Enforcement Actions

Lately, the Federal Trade commission (FTC) has taken an increased interest in protecting the consumers’ digital health information by cracking down on companies deploying unfair and deceptive practices to share user health data with third parties for marketing. Through its recent enforcement actions, the FTC has highlighted the need for companies working in the digital health space to prioritize the protection of consumer data privacy.

What is the FTC?

The FTC is an independent federal agency of the US government responsible for promoting consumer protection and preventing anticompetitive business practices. The agency investigates and prosecutes companies and individuals that engage in fraudulent or deceptive business practices, including false advertising, deceptive pricing, unauthorized billing, etc.

FTC’s Recent Enforcement Actions

In the past three months, the FTC has brought enforcement actions against two companies dealing with the personal health data of consumers based on their unauthorized use of health information for marketing purposes.

On February 1, 2023, a telehealth and prescription drug discount provider platform became the target of the FTC's first enforcement action under the Health Breach Notification Rule for failing to inform consumers and other individuals of its unauthorized disclosures of consumer personal health information to Facebook, Google, and other companies. As per the proposed federal court order, the company has agreed to pay a $1.5 million civil penalty and will not be allowed to share user health information with applicable third parties for advertising purposes.

The proposed order further prohibits the company from engaging in deceptive marketing practices detailed in the complaint and calls for the company to abide by the Health Breach Notification Rule. The proposed order:

• prohibits the company from sharing health data for ads;
• requires users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes;
• requires the company to direct the third parties to delete consumer’s health data and inform the consumers about the breaches and the FTC’s enforcement action against the company;
• limits how long the company can retain personal and health information according to a data retention schedule;
• implement a comprehensive privacy program that includes strong safeguards to protect consumer data.

A month later, on March 2, 2023, the FTC announced another proposed action banning an online counseling service from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising purposes. As per the proposed order, the company is fined $7.8 million, which it must pay to consumers to settle claims for sharing their sensitive data with third parties such as Facebook and Snapchat for advertising despite agreeing to keep such information private.

In addition, the proposed order requires the company to:

• obtain affirmative express consent before disclosing personal information to certain third parties for any purpose;
• implement a comprehensive privacy program that includes strong safeguards to protect consumer data;
• direct third parties to delete the health and other personal data being revealed to them; and
• how long the company can retain personal and health information according to a data retention schedule.

Following the enforcement actions, the FTC Office on Technology released a new guidance emphasizing the dangers of using pixel technology to track individuals' online activities and collect personal information. The FTC has determined that “companies using tracking pixels that impermissibly disclose an individual’s personal information (which may include health information) to third parties may be violating the FTC Act, the FTC’s Health Breach Notification Rule, the HIPAA Privacy, Security, and Breach Notification Rules, other state or federal statutes involving the disclosure of personal information, and [their] privacy promises to consumers.”

The FTC’s enforcement actions set a strong precedent for the digital healthcare companies and other organizations in control of consumers’ personal health data to safeguard the information and not endeavor to leverage the data in violation of their legal obligations as well as representations being made to the consumers.

The enforcement actions also highlight the FTC’s commitment to go against the corporations that violate their data privacy obligations, lack the data security infrastructure, and deceive customers by utilizing their personal data without obtaining their express consent for purposes other than its initial intended purpose.

Best Practices for Companies Dealing with Health Data

Companies dealing with health data have a legal obligation to protect the privacy and confidentiality of this sensitive information and ensure compliance with relevant laws and regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC’s Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.

Ensuring compliance fundamentally comes down to implementing best practices such as:

Conducting Risk Assessments

Organizations should create a risk management strategy to identify and mitigate any risks to health data's availability, confidentiality, and integrity.

Implementing Appropriate Security Measures

Organizations should implement security measures such as access controls, encryption, and regular data backups to protect health data from unauthorized access or disclosure.

Training Employees

The company's policies and procedures for protecting health data should be made clear to all personnel who handle it. Employees are at the forefront of a business and hence must be aware of standard operating procedures when handling data.

Developing a Breach Response Plan

In the event of a data breach or other security issue involving health data, organizations should have a mechanism in place for handling it, including notifying affected individuals and regulatory authorities as required by law.

Regularly Auditing and Monitoring Compliance

Organizations should routinely review and audit their compliance with regulations and, if necessary, take corrective action to resolve any deficiencies or vulnerabilities.

Ensuring Swift Compliance and Avoiding FTC’s Enforcement Action

Section 5 of the FTC Act prohibits companies from misleading consumers or engaging in unfair practices that harm consumers. Businesses dealing with personal data, including the health information of the consumers, can avoid FTC’s enforcement actions by complying with the applicable laws and regulations as well as adopting the following general guidelines::

Establish Transparency

Publish a Privacy Policy and be transparent with your customers about your business practices, including the collection and use of their data, and make sure your marketing claims are truthful and not misleading. Additionally, create policies to comply with channel-specific requirements such as CAN-SPAM, call center compliance, telemarketing sales rules, and Do Not Call.

Document Compliance

Establish, implement, and monitor compliance programs. Document compliance with applicable laws and rules as appropriate documentation can be helpful in an investigation and litigation.

Monitor Affiliates

Monitor your affiliates and partners to ensure that they comply with FTC guidelines and do not engage in deceptive marketing or fraudulent business practices. Establish policies for compliance for third-party lead generators and affiliate marketers. Implement onboarding scanning procedures, monitor third parties’ activities, and take remedial action when necessary.

Obtain Consent

Obtain consent from customers before collecting or using their personal data, and provide them with clear options to opt-out if they do not wish to share their data. Companies may use cookie consent pop-ups to inform consumers about the usage of cookies and other tracking technologies on their websites and obtain explicit consent.

Implement Security Measures

Protect the data you collect by implementing appropriate security measures, and notify customers and the regulatory authority immediately if a data breach occurs.

Honor Commitment

Honor the commitment made to customers, including what’s mentioned in the privacy policies, refund policies, and guarantees.

Respond to Complaints

Identify trends in customer complaints, respond promptly and professionally to customer complaints and data subject requests, and take appropriate action to resolve any issues. Liberally refund dissatisfied customers, and make dissatisfied customers satisfied.

Stay Informed

Stay on top of new developments in the law, industry standards, and the FTC’s guidelines and expectations by regularly visiting their website, and ensure that your business practices comply with these evolving changes.

Compliance with the FTC and evolving data privacy laws that regulate business practices is essential to building trust with your customers, avoiding legal issues such as penalties, and ensuring the long-term success of your business. In today’s data-driven age, honoring data obligations necessitates using automation to handle the vast amounts of data being collected, processed, shared, and sold.

How Can Securiti Help?

Securiti, by harnessing the power of automation, enables organizations to leverage its Data Command Center and overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, which allow organizations to meet security, privacy, governance, and compliance obligations around data.

Securiti’s multiple automation modules, such as privacy policy and notice management, consent management, and third-party consent, enable you to comply with FTC’s rules and evolving data privacy laws and avoid non-compliance penalties.