Case Study: BetterHelp - How a Behavioral Advertising Mistake Cost $7.8M in FTC Fines
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Looking for a security engineer? Visit SecurityEngineer.com
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
In March 2023, the Federal Trade Commission (FTC) finalized a $7.8 million enforcement action against BetterHelp, a prominent online mental health platform. This case reveals how modern ad tech — such as Meta Pixel, Google Tag Manager, and hashed user matching—can cross legal lines when deployed without adequate consent, disclosure, and contractual controls. Even when no Protected Health Information (PHI) is involved under HIPAA, the context of data collection and user expectations of privacy can elevate regulatory scrutiny under the FTC Act.
Timeline of Missteps: From Intake to Enforcement
Phase 1: Sensitive User Data Collection
- What Happened: Visitors arrived at BetterHelp’s homepage, completed mental health intake forms, and submitted contact information like names, emails, and ZIP codes. Many shared deeply personal concerns (e.g., anxiety, PTSD, grief).
- Legal Breakdown:
  - While BetterHelp wasn’t a HIPAA-covered entity, it advertised itself as “HIPAA-compliant.”
  - Users reasonably expected confidentiality akin to medical services.
  - The FTC cited this as an enforceable deception under Section 5 of the FTC Act.
Phase 2: Ad Tracking Scripts Deployed Without Consent
- What Happened: BetterHelp used third-party tracking via Google Tag Manager:
  - Meta Pixel tracked page visits and button clicks.
  - Hashed email addresses were sent to Meta and Snapchat for audience matching.
  - Conversion tags recorded partial or full completion of the therapy intake process.
- Legal Breakdown:
  - These scripts collected and shared interaction data without upfront, affirmative consent.
  - No clear disclosure explained the connection between form activity and third-party advertising.
Phase 3: Behavioral Retargeting Campaigns
- What Happened: Users who abandoned the sign-up process began receiving personalized ads on Facebook, Instagram, and Snapchat encouraging them to return and “get matched with a therapist.”
- Legal Breakdown:
  - The FTC held that this retargeting campaign created a health-related inference.
  - Even if the ad content was generic, the behavioral context (visiting therapy forms) constituted a disclosure of sensitive data.
  - This activity lacked express opt-in authorization, breaching the FTC’s deceptive practices standard.
Phase 4: Lack of Contractual Restrictions on Ad Platforms
- What Happened: BetterHelp didn’t restrict what Meta, Criteo, or Pinterest could do with the received user data.
- Legal Breakdown:
  - Absence of Data Processing Agreements (DPAs) or downstream restrictions meant that user data could be retained, profiled, or reused beyond the original campaign.
Phase 5: FTC Enforcement and Compliance Mandates
- Date: March 2, 2023
- Resolution:
  - $7.8 million restitution fund for affected users
  - Prohibition on disclosing health-related information to advertising platforms without prior, express, and informed consent
  - A mandated privacy compliance program, including third-party audit obligations and consent documentation practices
Technical Deep Dive: How the Infrastructure Worked
What Tools Were Used
- Google Tag Manager: A dynamic container used to load third-party scripts across BetterHelp’s web property.
- Meta Pixel: Monitored clicks, scrolls, and conversions. Used to trigger retargeting logic in Meta Ads.
- Hashed Email Matching: Email addresses were converted to SHA-256 hashes and shared with ad platforms to identify existing user profiles.
- Snapchat Pixel, Pinterest Tag, and Criteo Tags: Allowed downstream platforms to log behavior and deliver performance-optimized ads.
Why It Mattered Legally
- Hashing ≠ Anonymization: The FTC emphasized that hashing is not a safeguard if the hashed data is used to identify a known user across platforms.
- No Real-Time User Control: There was no cookie banner, no toggle, and no upfront opt-in for users before their data was shared.
- Health Context Elevated Sensitivity: Even generic engagement data—when captured on a therapy intake form—became regulated under consumer protection rules.
Legal Lessons for Privacy and Cybersecurity Attorneys
1. “Health Data” Is Not Limited to HIPAA
If your client’s platform involves:
- Mental health,
- Reproductive care,
- Addiction,
- Counseling,
- or anything that implies emotional vulnerability,
then the FTC, CPPA, and state AGs may consider behavioral data “health-affiliated,” regardless of HIPAA applicability.
2. Consent Must Be Purpose-Specific and Affirmative
- Passive references in privacy policies (e.g., “we may share data for marketing”) are insufficient.
- Sensitive data use must be disclosed at or before the point of collection and require a clear, opt-in affirmative action.
3. Retargeting on Sensitive Sites Requires Extra Caution
- A Meta Pixel embedded on a product checkout page is not the same thing, legally, as the same pixel on a therapy form.
- The same technology used in one context can be unlawful in another.
4. Contractual Safeguards Are a Compliance Essential
- Without a DPA or platform-specific restrictions, your client loses control of:
  - How long the data is retained
  - Whether it is aggregated or modeled
  - Whether it becomes subject to further ad delivery or analytics
5. Regulatory Language Must Be Matched with Internal Practice
- Do not allow use of phrases like “HIPAA-compliant,” “secure,” or “we do not share personal data” unless those claims can be technically and contractually defended.
Compliance Action Plan: Attorney’s Checklist
| Area | Key Questions | Required Actions |
|---|---|---|
| Disclosure | Is the data use clearly explained at point of collection? | Add in-line disclosures, layered notices, or just-in-time consent windows |
| Consent | Is opt-in consent required for sensitive advertising uses? | Implement toggles or modal dialogs before enabling retargeting tools |
| Third-Party Contracts | Are downstream data uses governed? | Execute DPAs with all ad tech vendors and restrict reuse/sale |
| Tag Management | Are ad tools running by default? | Use CMPs (Consent Management Platforms) to govern tag deployment |
| User Expectations | Does site design match the privacy message? | Avoid dark patterns or misleading badges (e.g., “HIPAA-compliant”) |
| Audit Trails | Can data use be traced and verified? | Maintain timestamped logs of consent, tag execution, and policy changes |
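The consent gate that the Consent, Tag Management and Audit Trails rows call for, as an added JavaScript example (not BetterHelp’s code and not any CMP vendor’s API): retargeting tags stay unloaded until an affirmative, purpose-specific opt-in is recorded, a tag never fires twice, and every consent decision, blocked tag and tag execution is logged with a timestamp. The tag-loader registry and the clock are an assumed interface, injected so the logic runs in Node without a DOM.

```javascript
// Added example: consent-gated tag loading with an audit trail.
// tagLoaders: { tagId: { purpose, load() } } — one entry per third-party
// pixel/tag; `load` is whatever injects the vendor script (assumed interface).
const PURPOSES = new Set(["analytics", "advertising"]);

function createConsentGate(tagLoaders, now = () => new Date().toISOString()) {
  const consent = { analytics: false, advertising: false }; // default: denied
  const auditLog = [];  // timestamped consent / tag_blocked / tag_fired events
  const fired = new Set();

  function record(event, detail) {
    auditLog.push({ ts: now(), event, ...detail });
  }

  // Only a literal `true` counts as opt-in; silence or an implied "yes" never does.
  function setConsent(purpose, granted, source) {
    if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    consent[purpose] = granted === true;
    record("consent", { purpose, granted: consent[purpose], source });
    if (consent[purpose]) flush(purpose); // release tags queued for this purpose
  }

  // Load every tag registered for a consented purpose, exactly once.
  function flush(purpose) {
    for (const [tagId, { purpose: p, load }] of Object.entries(tagLoaders)) {
      if (p !== purpose || fired.has(tagId)) continue;
      load();
      fired.add(tagId);
      record("tag_fired", { tagId, purpose });
    }
  }

  // Called where the page would otherwise drop the pixel (e.g. intake form).
  // Returns false and logs a block when the governing purpose is not consented.
  function requestTag(tagId) {
    const tag = tagLoaders[tagId];
    if (!tag) throw new Error(`unknown tag: ${tagId}`);
    if (!consent[tag.purpose]) {
      record("tag_blocked", { tagId, purpose: tag.purpose });
      return false;
    }
    flush(tag.purpose);
    return true;
  }

  return { setConsent, requestTag, hasFired: (id) => fired.has(id), auditLog };
}
```

The audit log is what a later auditor or regulator would ask for: it shows the pixel was blocked before the modal, when consent was given and from which UI element, and when each tag actually executed.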
Conclusion
The BetterHelp enforcement action teaches a vital lesson: consumer data sensitivity is defined not just by content, but by context. In the age of predictive analytics and behavioral profiling, privacy attorneys must:
- Map out exactly what user data is collected and where it's sent
- Evaluate each use in light of user expectations, platform context, and regulatory definitions
- Translate ambiguous or technical practices into defensible disclosures and contracts
Because when regulators investigate, it’s not the intent that matters—it’s the effect.