Editor's Note: During a recent webinar, Manatt Health explored the latest social media advances in the context of the Health Insurance Portability and Accountability Act (HIPAA) and other consumer protection and privacy statutes. In a two-part series, Manatt Health summarizes the important information shared during the session. In part 1, which appeared in our October newsletter, we reviewed emerging technology trends, the critical role of legal and compliance teams and next steps. In part 2, below, we look at marketing, privacy and data security enforcement by the Federal Trade Commission (FTC) and attorneys general. Click here to view the webinar free, on demand—and here to download a free copy of the presentation. (Please see the next article to learn more about new guidance from the FTC and the Department of Health and Human Services Office for Civil Rights (OCR) on HIPAA and the FTC Act.)


Data is the coin of the realm in digital advertising. The two sides of this coin involve the use of the data and its security, and both are governed by the consumer protection laws regarding unfair and deceptive business practices. The Federal Trade Commission Act (FTCA) prohibits "unfair and deceptive business practices." Most states have adopted similar statutes, and while the FTC enforces the FTCA, most states have vested enforcement power of their "Little FTC Acts" in their attorneys general.

Unfair acts are ones that involve substantial harm, can't be avoided by the consumer, and for which there are no meaningful business reasons. Deception is much more straightforward, of course, and essentially addresses deceptive practices that deceive a reasonable consumer acting in a reasonable manner.

The Key Areas of Consumer Protection

The key areas of consumer protection include substantiation, endorsements and disclosures.

Claims substantiation has three core concerns—the claims in the ad must be accurate, the backup must exist before the ad is circulated, and reasonable ambiguities in the claim will be construed against the advertiser. In the context of healthcare providers, legal challenges have arisen around substantiation for wait times in emergency departments and rankings for doctors and hospitals.

For endorsements, advertisers must disclose to consumers that the ad they are seeing is, in fact, an ad. Material disclosures beyond endorsements—such as costs, fees, etc.—can be tricky given the limitations some channels impose, such as the limited space on a mobile screen or Twitter's 140 character restriction. Nevertheless, the FTC requires compliance with disclosures and mandates the development of a social media policy, if an advertiser chooses to use endorsements.

Collecting Data for Marketing Purposes

When collecting data for marketing purposes, organizations must give consumers notice and choice. The FTC brought a recent action wherein a company working with a healthcare provider asked consumers to provide data about their treatment. The company, however, failed to disclose to the consumers that their responses would be publicly posted, and the consumers eventually found some of their extremely sensitive and personal information publicly disclosed.

Data Security Concerns

Beyond issues around collecting data, there are additional consumer protection concerns regarding the security of data. In a major development this past summer, the FTC issued an opinion in a case involving a data breach with LabMD. (See our article in the August "Health Update" for more information on the LabMD decision and its implications.)

The issue in LabMD was whether the unauthorized disclosure of sensitive data could constitute "harm" under the unfairness analysis of the FTC Act. The FTC held that the "unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury" under the FTCA. Accordingly, security of data is an issue that can bring about the scrutiny of consumer protection regulators. This can add insult to injury in many circumstances, as the company which finds itself first the subject of a criminal hack is now being targeted for having negligently secured a consumer's data.

Of particular note is that this decision by the FTC is in contrast to recent developments in the ability of private plaintiffs to bring actions regarding data breaches. Courts now hold private litigants to strict requirements about identifying quantifiable harm. For the FTC and state attorneys general, now operating under this LabMD analysis, there is no such requirement.


In summary, when it comes to marketing, remember that claims must be backed up by data, and paid endorsements and other material terms must be disclosed. In addition, when collecting data for any use other than treatment, make sure always to disclose the purpose and keep the data secure.