BetterHelp offers online counselling services under several names, each dedicated to serving a specific group of consumers and each with its own site and app. Users pay to access mental health therapy from one of BetterHelp’s licensed therapists, delivered by way of video, text, chat or call. The business has been very successful, reporting $720m in revenue in 2021 with 374,000 active users in the United States today.
Unfortunately, business success does not always go hand in hand with good information management practice. The FTC complaint against BetterHelp could easily be a case study for how not to treat users’ personal data.
In order to access any of the sites owned and managed by BetterHelp, users were required to complete an intake questionnaire. Needless to say, the information submitted by users in this questionnaire was both confidential and highly sensitive. As the FTC blog states, “in the hierarchy of health information, details about a person’s mental health may be among the most confidential”. Reading the FTC complaint against the company, it becomes very clear that this is not how BetterHelp viewed this data. Indeed, it is hard to believe, given the industry in which the company operates, just how cavalier the approach to personal data was.
As documented in the FTC complaint, users were offered repeated assurances, by way of deceptive statements on the site, many contained in unavoidable prompts, that the data that they provided to BetterHelp would stay “private” and that it would never be sold or shared. One of the prompts displayed on the BetterHelp site between August 2017 and December 2022 was worded even more strongly, stating: “Your email address is kept strictly private. It is never shared, sold or disclosed to anyone. Even your counsellor won’t know your real email address.”
All of these assurances were deceptive and completely misrepresented the true state of affairs. The responses to the questionnaire, along with email and IP addresses, were then provided to Facebook for advertising and other purposes. Although the email addresses were “hashed” before being shared, Facebook was easily able to unpick this rudimentary protection layer in order to reveal them and match them to its own user email database.
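Why a hashed email address gives no protection against a recipient that already holds the same address can be shown in a few lines. This is an added example, not taken from the article or the FTC complaint; SHA-256, the trim-and-lowercase normalisation, the function names and all addresses and IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac

def normalise(email):
    # Assumed normalisation: trim whitespace and lowercase before hashing.
    return email.strip().lower()

def plain_hash(email):
    # Unsalted digest: anyone holding the same address computes the same value.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()

def keyed_hash(email, key):
    # Keyed digest: cannot be recomputed without the sender's secret key.
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()

def match_upload(uploaded_digests, recipient_accounts, digest_fn):
    # Recipient side: hash its own account emails, then join on the digest.
    lookup = {digest_fn(email): uid for email, uid in recipient_accounts.items()}
    return {d: lookup[d] for d in uploaded_digests if d in lookup}

# Constructed sample data (hypothetical users and account IDs).
SERVICE_USERS = ["Alice@example.com ", "bob@example.org", "carol@example.net"]
RECIPIENT_ACCOUNTS = {
    "alice@example.com": 1001,
    "bob@example.org": 1002,
    "dave@example.com": 1003,
}
SERVICE_KEY = b"constructed-secret-never-shared"

def demo():
    unsalted = [plain_hash(e) for e in SERVICE_USERS]
    keyed = [keyed_hash(e, SERVICE_KEY) for e in SERVICE_USERS]
    # The recipient only knows the public hash function, not SERVICE_KEY.
    linked_unsalted = match_upload(unsalted, RECIPIENT_ACCOUNTS, plain_hash)
    linked_keyed = match_upload(keyed, RECIPIENT_ACCOUNTS, plain_hash)
    return sorted(linked_unsalted.values()), sorted(linked_keyed.values())

if __name__ == "__main__":
    relinked, blocked = demo()
    print("accounts re-linked from unsalted hashes:", relinked)
    print("accounts re-linked from keyed hashes:", blocked)
```

The unsalted digests join straight back to the recipient's accounts, while the keyed digests do not, which is why a hash designed to be matched by the recipient should be treated as disclosure of the address and not as anonymisation.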
Millions of user records shared
Between January 2017 and November 2020, millions of user records were shared with Facebook. Facebook then matched those records with Facebook user IDs, linking information that was purportedly confidential with Facebook accounts. The information was then utilised to target users with specific advertising. User records were also shared with other third parties, including Pinterest, Snapchat and Criteo.
A startling detail uncovered by the FTC investigation is that in 2017 BetterHelp “delegated most decision-making authority over its use of Facebook’s advertising services” to a recent college graduate who was effectively given “carte blanche to decide which visitors’ and users’ health information to upload to Facebook and how to use that information.”
The consequence of this was that, even in instances where the responses to the questionnaire were intentionally disguised in order to protect the privacy of users, this inexperienced and inadequately trained employee revealed their meaning to Facebook. At no point did BetterHelp attempt to limit how Facebook or other third parties could use the data that they had obtained.
Falsehood
To add insult to injury, when the story about the sharing of users’ data by BetterHelp was eventually made public, BetterHelp continued in its denials, with senior employees answering user enquiries “with a variation on the same falsehood, claiming again and again that [BetterHelp] did not share any health information with third parties.”
As a result of these failings, the company will now be required to request the deletion of all improperly obtained data by the third parties holding it. It will also be required to overhaul its processes, including seeking express consent from users and putting in place “strong safeguards to protect consumer data”. And, in a first for the FTC, a payment of $7.8m levied from the company will be utilised to provide partial refunds to affected consumers.
A key takeaway for all businesses handling personal data, but particularly those sharing or selling it, is that having adequate systems, processes and policies in place is important. But just as important is having experienced and skilled resources able to provide an adequate level of oversight, ideally with an adequate level of seniority to be able to advise and guide management.