The Federal Trade Commission (FTC) recently entered into a settlement with Monument, Inc., an alcohol addiction treatment service, for allegedly disclosing users' personal health data to third-party advertising platforms without consumer consent and violating their own website claims to consumers with respect to the disclosure of such data. The action follows other settlements by the FTC focused on tracking technologies collecting sensitive health information through web pages and web portals. "This action continues the FTC's work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution."

The proposed settlement not only included a monetary penalty, but also banned Monument from disclosing health information for advertising purposes in the future. This is a clear signal that the FTC is willing to implement non-monetary penalties as a means to ensure compliance.

Companies should be taking steps to review their own practices relating to tracking technologies to avoid FTC enforcement actions. Key takeaways for companies to implement include:

  1. Honor Privacy Promises: Companies should ensure that they comply with their privacy policies and promises made to consumers regarding the confidentiality of their personal information. Health care entities need to undertake an assessment of tracking technologies being used on their web sites and web portals, ensuring that tracking technologies are not being employed without affirmative consent from individuals. Contradictions in the privacy policy to actual data collection and disclosure practices typically form the basis for FTC enforcement actions under the FTC Act. Aligning actual activity with respect to tracking technologies with what is stated in a privacy policy becomes key to avoiding FTC scrutiny.
  2. Transparency: Be transparent with consumers about data collection and sharing practices, including informing them if their data has been shared with third parties. Health care entities are not necessarily banned from collecting data for marketing purposes, but it must do so in compliance with HIPAA and other applicable laws and regulations. In the case of the FTC and the FTC Act, that includes being transparent with what data is being collected and where such data is being disclosed.
  3. Obtain Consent: Obtain affirmative consent from users before sharing their health information with third parties for any purpose. This is the most effective and simplest step to take if you are employing or want to employ tracking technologies and to disclose that data to third parties.

The FTC continues to focus on tracking technologies and sensitive health data. Companies that handle sensitive health information should be implementing assessments in order to ensure that they are being transparent and accurate in their privacy notices relating to collection practices and obtaining consents where necessary.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.