BetterHelp shows the downsides to not living up to your promises, plus, a new Mine feature and reading into VCDPA opt-ins

Data Privacy Happenings

Hello and welcome to Mine PrivacyOps' brand new monthly newsletter, The Privacy Mindset! 👋

 

BetterHelp, a company that’s seeking to expand access to mental health resources in America, was fined $7.8 million by the FTC in early March for improperly sharing customers’ sensitive health data with third parties for advertising purposes, including social media platforms.

 

If you’ve spent any amount of time on YouTube over the past few months, you’ve come across some of BetterHelp’s cringe-worthy preroll ads. With the revelation that the company was sharing sensitive data to try to improve digital advertising between 2017 and 2020, the ubiquitous presence of those ads is all the more sinister.

 

Of course, despite the 8-figure agreement, BetterHelp maintains it did nothing out of the ordinary, releasing a statement in response to the fine that’s full of pushback. It features language like, “The FTC alleges…” and “this settlement, which is no admission of wrongdoing, allows us to continue to focus on our mission.” 

 

BetterHelp’s reasoning is that sharing encrypted data for advertising purposes is “industry-standard practice.” While that may be true, BetterHelp had explicitly promised not to share such information, and did so anyway. 

 

Reading the FTC’s complaint, that deceit is the main basis for the massive fine, not the fact that they shared sensitive data. 

 

The agreement now bans BetterHelp from revealing future sensitive customer data, but the damage to the brand is done. Brands that pay lip service to the importance of data protection and trust, especially when those brands are in the healthcare industry (🤦‍♂️), are only burning customers and making people angrier when they engage in unsavory data-sharing practices.

 

BetterHelp knew the value of data protection, which is why they set privacy promises to begin with, but the company clearly didn’t take the repercussions of breaking those promises seriously enough, either because they didn’t think people would ever find out or they simply valued the advertising more than users’ right to privacy. 

 

On one hand, this case highlights the need for reform and modernization to regulations surrounding data privacy in healthcare, as many in the industry do share customer data with third parties. 

 

On the other, let this be a wake-up call for companies that are not living their values. 

 

It’s 2023: everyone knows the value of data and everyone knows the vast majority of people don’t want theirs shared willy-nilly for profit. Companies should be reflecting these beliefs within their privacy programs.

 

If a company says one thing and does another in spite of that awareness, it’s the worst offender of the bunch. Be better than BetterHelp.

Product Spotlight

The bigger a company and the more data it holds, the more DPOs will need help to understand why systems are being used and how to best manage risk. While they could certainly hunt down and ask around about SaaS usage, that isn’t an efficient way of understanding a data system, which is why we've released our Teammate feedback functionality.

 

Teammate feedback is within our Radar, so DPOs can confirm details on data sources right on the platform itself. DPOs can write directly to the AI-identified power user to inquire about any system to better ensure compliance, communication, and full oversight.

Regulation Focus

VCDPA section 59.1-574(A)(5)

A controller shall ... Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act.

 

California’s CPRA gets the lion’s share of the attention on the American data privacy front, but the law in Virginia, the 2nd state to pass comprehensive data protection regulations, went into effect on the same day as the CPRA amendments (Jan 1, 2023), inviting natural comparisons.

 

In some ways, Virginia’s law, the VCDPA, was actually ahead of the original CCPA. VCDPA defined what a “data controller” is clearly from the beginning, while the CCPA didn’t clarify that until the CPRA amendments (and some folks are still unclear about a few CPRA definitions).

 

What the VCDPA did lay out better was the article above categorizing sensitive personal data, which the CCPA left undefined until the 2023 CPRA amendments. 

 

The key difference in how the regulations treat sensitive personal data? VCDPA requires an opt-in from consumers before businesses process that data, the same way the GDPR lays it out. The CPRA, however, takes a different approach: sensitive personal data instead has an opt-out, meaning consumers can prohibit the processing of that data, but they do not need to give express consent before it is processed.

 

Keeping track of whether states favor opt-outs or opt-ins will be notable as more American states pass data protection regulations. 

Founder's Corner 

CPO & co-founder Kobi Nissan

Q: What are your thoughts on ChatGPT and AI generative tools catching fire recently? What’s the difference between those and the AI utilized within the Mine platform?

 

A: AI is revolutionary when used correctly, but it needs to work within a context to be reliable and consistent, which is why we trained ours on hundreds of thousands of pages of privacy policies and documentation.

 

Broad AI models like LLMs are having trouble because they have gone through so much data and can’t keep track of where each bit is from. Considering they also can’t attribute sources properly and the scale of work that's going to soon be created by generative AI, we may end up with massive implications for Intellectual Property. Of course people are going to use it, but I’d caution anyone about how much to trust these new generative AI tools at this point in time.

Upcoming Events

Join us Thursday, March 30 at 3 PM GMT for the latest in our customer webinar series. We'll be joined by Zyte's Victoria Vlahoyiannis to explore all the angles of why data mapping matters now more than ever. Register here to save your spot!

 

We're always around to talk data privacy.

Get in touch at press@saymine.com 


"MineOS" (Saymine Technologies Inc), One Marina Park Drive, Suite 1100, Boston, MA 02210, United States
