“First-of-Its-Kind” FTC Breach Enforcement Case on Hot-Button Website Tracking Issue
On February 1, 2023, the Federal Trade Commission (“FTC”) announced that it filed a “first-of-its-kind proposed order”[1] under its Health Breach Notification Rule promulgated pursuant to section 13407 of the American Recovery and Reinvestment Act of 2009 (“Recovery Act” or “the Act”) against a health care entity, for failing to notify of a breach of consumers’ personal health information related to the use of website tracking, marketing, and advertising technologies.
The order includes a $1.5 million civil penalty for violating the Rule through the health care entity’s disclosures of “sensitive personal health information” to Facebook, Google, Criteo, and other website tracking, marketing, and advertising vendors since at least 2017. Specifically, the FTC alleges that the health care entity in question shared personal health information with Facebook and Instagram to target ads and allowed third parties to use personal health information for their own purposes, including internal research, product development, and advertising improvements, among other alleged violations of the FTC’s requirements.
Further, the FTC’s proposed order includes several requirements for the health care entity to come into compliance, including:
A permanent prohibition on disclosing personal health information to third parties for advertising purposes.
A requirement to obtain consumers’ affirmative express consent, without manipulation through “dark patterns,” before disclosing personal health information to applicable third parties for certain purposes after providing clear and conspicuous details to the users about such disclosures.
A requirement to direct third parties to delete the health care entity’s personal health information and inform consumers about the breaches and the FTC’s enforcement action against the health care entity.
A limitation on retention of personal health information, pursuant to a publicly posted data retention schedule.
A mandate for a “comprehensive privacy program that includes strong safeguards to protect consumer data.”
Finally, while the FTC does not have jurisdiction to enforce HIPAA requirements, the FTC made a point to state that the health care entity in this case allegedly violated FTC requirements when it “displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” This is a good reminder that health care entities should not purport to assert “HIPAA compliance” on their websites or elsewhere, and this case shows the strong overlap between FTC and HIPAA requirements.
[1] See https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising and https://www.ftc.gov/system/files/ftc_gov/pdf/goodrx_stipulated_order_for_permanent_injunction_civil_penalty_judgment_and_other_relief.pdf.