Digital healthcare platforms using third-party tracking pixels should be on alert in light of the recent post issued by the Federal Trade Commission's new Office of Technology and the FTC's latest enforcement actions against two digital healthcare platforms, GoodRx and BetterHelp, strictly limiting the use of third-party tracking pixels for the unauthorized sharing of user health data for marketing and advertising. The FTC alleged that the third-party tracking pixels had enabled both platforms to collect, analyze, and infer information about user activity, facilitating targeted advertising.
GoodRx Enforcement Action
The FTC's enforcement action against GoodRx concerned alleged violations of the Health Breach Notification Rule (HBNR) for unauthorized disclosures of sensitive personal health information for years concerning prescription drug discounts, telehealth visits, and other health services. Specifically, the FTC claimed GoodRx failed to notify consumers and others of the unauthorized disclosures of consumers' personal health information to social media and other companies. GoodRx agreed to pay a $1.5 million fine and is prohibited from using health information for targeted advertising or sharing health information with third parties without user consent or notice. This enforcement action furthered the trend of the FTC taking an expansive – perhaps questionable – interpretation of the scope of what constitutes a "personal health record" for purposes of the HBNR.
BetterHelp Enforcement Action
The FTC's enforcement action against BetterHelp concerned the sharing of consumer health data, including information about seeking mental health services, for advertising purposes. The FTC alleged BetterHelp's data-sharing practices violated Section 5 of the FTC Act. BetterHelp agreed to pay $7.8 million to consumers to settle these charges and is prohibited from sharing health information for advertising purposes or disclosing other personal information for re-targeting purposes.
FTC Identifies Specific Concerns with the Use of Third-Party Pixel Tracking
The FTC provided guidance on specific concerns the agency holds regarding the use of third-party pixel tracking, which include:
- The widespread use of tracking pixels by companies with no avoidance mechanism available to consumers to effectively opt out of being tracked.
- Lack of transparency regarding how consumer data is being collected and used via pixel tracking.
- Inability to fully remove a consumer's personal information when obtained through certain pixel-tracking methods.
Considerations in Light of the FTC's Enforcement Actions and Focus on Third-Party Pixel Tracking
In light of the FTC's enforcement actions against GoodRx and BetterHelp, along with its posture toward third-party pixel tracking, digital health companies should consider the following:
- If your company's website or app has pixel tracking in place that collects health-related information, take steps to effectively monitor how those pixel trackers are utilized, what specific user information is being collected, and how that information is used internally or conveyed to third parties.
- Consider disabling or reconfiguring pixel trackers to mitigate the risk of collecting and disclosing health-related information even if "hashed" because hashes can be reversed or used to link data across different databases.
- Review whether any uses or disclosures of health information could be deemed a violation of your company’s privacy policies or could be treated as occurring without user consent because many consumers may not realize that tracking pixels are in place since they are invisibly embedded within web pages with which users might interact.
- As a policy matter, decide whether your company will accept the FTC's broad interpretation of what is considered a "personal health record" and, if so, proactively create and implement HBNR breach notification policies and procedures that err on the side of providing breach notification to the FTC and consumers for the expanded set of personal health records.