What BetterHelp did
BetterHelp is a direct-to-consumer mental-health platform. New users complete an intake form before being matched with a therapist. The form asks about depression, anxiety, history of suicidal thoughts, current medications, and reason for seeking therapy.
The FTC's complaint described how BetterHelp shared that intake data with several ad platforms. The company sent hashed email addresses, hashed phone numbers, and signals about whether the user was seeking help for mental health to Facebook for ad targeting. Similar data went to Snapchat, Pinterest, and Criteo.
Hashing is a process that scrambles a value into a fixed-length code. It looks like de-identification, but it isn't — Facebook and the other ad platforms already had hashed versions of nearly every U.S. email address, so the hash worked as a perfect join key. The FTC's position was that hashing didn't change the nature of the disclosure.
The privacy promises BetterHelp broke
BetterHelp's website made a series of claims the FTC said were false:
- "We do not sell or rent any information you share with us"
- "Your information is kept private and secure"
- A claim that the service met HIPAA requirements, even though BetterHelp wasn't a covered entity
- A "verified by HIPAA" badge displayed on the site
The FTC said all of these were either false or materially misleading given the actual data sharing.
The settlement
The order has four main components.
The $7.8M consumer redress is the headline figure. It was distributed in the form of refunds to consumers who had used BetterHelp during the period covered by the order.
A permanent ban on sharing health information with third parties for advertising purposes.
A requirement to notify the third parties (Facebook, Snapchat, Pinterest, Criteo) and request that the previously-shared data be deleted.
A 20-year compliance program with regular reporting to the FTC, similar to the GoodRx order.
Why mental-health data was treated differently
The FTC's analysis emphasized that mental-health information is especially sensitive. People seeking therapy for depression or suicidal ideation have heightened privacy expectations. The disclosure of that information to ad platforms could lead to discrimination in employment, insurance, or relationships.
This sensitivity rationale showed up again in the Cerebral case (telehealth, including mental health) and Monument (alcohol addiction). The FTC treats health-data privacy as more than just regulatory compliance — it’s a consumer-protection priority.
What it means for telehealth and DTC health platforms
Two patterns from BetterHelp recur in every later FTC case.
The first is the gap between privacy policy and reality. Companies say they don't share data. They share data. The FTC charges them under Section 5 (deceptive practices) for the gap, regardless of whether HIPAA applies.
The second is the use of hashing as a defense. Hashing doesn't work as defense. Every ad platform has the reverse map. The FTC has been explicit on this point in multiple cases.
If your DTC health platform shares data with ad platforms — pixels, conversions APIs, SDKs, or hashed-email matching — the FTC's case theory now reaches you.
What it means for HIPAA-covered providers
BetterHelp isn't a covered entity, but the same fact pattern shows up at therapy practices, addiction-treatment centers, and behavioral-health clinics that are HIPAA-covered. The Deer Oaks Behavioral Health $225K OCR settlement in July 2025 and the Manasa Health Center settlement in 2023 followed the same pattern: digital tools that disclosed mental-health PHI to third parties.
The legal regime is different (HIPAA instead of FTC), but the technical exposure is identical.