Roadmap to Meet the New FTC Affirmative Express Consent Mandate

Shawn Flaherty
Published in Tranquil Data
7 min read · Mar 20, 2023

In the recent FTC vs. GoodRx and FTC vs. BetterHelp settlements, the FTC made it clear that it will begin to enforce a new standard for digital health companies called “Affirmative Express Consent.” The new standard is a significant departure from the current practice of writing vague privacy policies and making them available through a small link at the bottom of websites. Instead, digital health companies must now obtain user consent after notifying them of the specifics of what data they collect and use, who they share it with by name, and for what purposes.

The FTC also made it clear that companies must have a “program in place to ensure their practices live up to their promises.” This means ensuring that each time they collect, use, or share data, it is done exactly as it was disclosed to users. This sounds like table stakes, but it presents a challenging problem at scale because digital health companies share data with dozens, if not hundreds, of third parties for a broad set of purposes. The new level of required specificity means that traditional programs that rely on legal or compliance documentation, training, and manual interventions are destined to fail.

To bolster their enforcement efforts, the FTC requested a $160M (37%) budget increase for 2024, stating they would use 300 new employees “to investigate and litigate more and increasingly complex matters, such as those involving health privacy.”

This article lays out a roadmap to compliance by (1) defining Affirmative Express Consent; (2) providing examples of user interfaces that both violate, and meet, the Affirmative Express Consent mandate; and (3) explaining the need to automate correct use and sharing at scale to achieve a bulletproof “program in place to ensure practices live up to promises.”

(1) Defining Affirmative Express Consent

According to the FTC, Affirmative Express Consent must include:

(1) Actual opt-in consent, apart from terms and conditions, after notice of:

(2) The categories of data collected;

(3) The specific purpose for which information is collected or shared;

(4) Shared with whom by name;

(5) The ability to withdraw consent

The formal definition can be seen on page 2 of the FTC vs. BetterHelp settlement.

(2) Example Affirmative Express Consent Interfaces

The first common practice that violates Affirmative Express Consent is having users acknowledge privacy policies by signing up for the service. This is a violation because Affirmative Express Consent requires opt-in consent after being presented with details on data collection, sharing, and purpose.

The second common practice that violates Affirmative Express Consent is vague privacy policies that do not explain in plain language:

(1) The categories of data collected;

(2) The specific purpose for which information is collected or shared;

(3) If shared, with whom by name

Prior to Affirmative Express Consent, digital health companies would only be liable if they outright lied (e.g. saying they don’t sell your data while selling it). This led many attorneys advising digital health companies to write broad and vague disclosures that use a lot of “may” or “might” language and do not name third parties. The privacy policy below is a real-world example of a policy used by a digital health company that violates Affirmative Express Consent because it (1) does not explain how different categories of data are used or shared for different purposes; (2) does not provide the specifics of purpose; and (3) does not name third parties.

The first step to meet the new Affirmative Express Consent mandate is to complete an inventory of all data collected and to organize it into easy-to-understand categories (e.g. a profile information category that includes name, email, phone, and address). The second step is to create a table that includes what data is collected and why, what data is shared, with whom by name, and why.

The third step is to translate the table into a user interface. In this example, users can click each purpose to see details of the purpose, what categories of data are collected or shared, and with whom by name.

(3) Automating Correct Use and Sharing at Scale

In sections one and two we established what the front-end must include to meet the Affirmative Express Consent mandate. The next step is to build the program / backend infrastructure to support the new front-end requirements. Both GoodRx and BetterHelp failed to put programs in place to ensure that in practice they lived up to their promises to users. They failed because instead of automating correct use and sharing, they relied on someone to share data in line with privacy requirements, and that manual process broke. In FTC vs. BetterHelp we learned they:

“Delegated most decision-making authority over its use of Facebook’s advertising services to a Junior Marketing Analyst who was a recent college graduate, had never worked in marketing, and had no experience and little training in safeguarding consumers’ health information when using that information for advertising.”

In FTC vs. GoodRx, their CTO stated in internal emails just prior to their IPO:

“We need to strengthen our policies and procedures to ensure that we are consistent about what data we share to whom.” and acknowledged, “What we do not have is the data we are sharing by partner along with its business purpose.”

Both are good examples of how the traditional manual processes of ensuring proper data use and sharing break at scale. It is very important to note that both of these cases were adjudicated under the easier FTC standard of “don’t lie,” which did not require specifics on data collection, use, sharing, and purpose. Under Affirmative Express Consent it is now an FTC violation if a category of data is collected, used, or shared in a way that doesn’t match exactly how it was disclosed.

Digital health companies have a choice. They can accept the risk exposure of continuing manual training and documentation processes, attempting compliance through ad hoc implementations that typically can’t be proven correct, or they can invest in automating end-to-end, purpose-driven data use and sharing. The latter is the only way to show the FTC, your customers, and your own compliance team correct use and a commitment to best-in-class practices.

Once you’ve chosen to automate the process, your next decision is build-versus-buy. If you choose to build an automated, end-to-end solution, you have an uphill battle. It will require connecting many teams and technologies, and at a minimum you must:

· Create a machine-readable policy framework that is robust and flexible enough to model all applicable data use and sharing policies (e.g. user consents, state and federal regulations, contractual obligations)

· Create a system for managing these policies over time, tracking all revisions as regulations, back-end contracts, third-party relationships, and products evolve

· Create the ability to enforce policies in real-time to guarantee correct use and sharing, and to always enforce purpose-driven valid use

· Create an auditable record that clearly shows why use and sharing is consistent against policies, and make that audit trail shareable to partners, users, and regulators

· Create the ability to dynamically model Affirmative Express Consent so that each user that onboards is engaged with the right, personalized disclosures based on how they came to the platform (e.g. rules for sharing data back with their payer or employer might change based on the negotiated contract with those parties, and user access might change depending on state of residence)

· Create the ability to track user relationships over time, and ensure that what data is collected, how it is used, and how it is shared stays consistent with user consent (e.g. a user changes sponsor paying for the service, and is subject to different policies going forward)

· Create a tool that is capable of bridging and aligning the three teams that have to come together to make all of this work: (1) application developers on the front-end building user engagement; (2) compliance teams responsible for defining and auditing requirements; and (3) backend engineers responsible for data platform implementation and third-party exchange
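As an added illustration of the first four items above (and of the disclosure table from the three-step process in section two), here is a small, self-contained enforcement point written for this article; it is not Tranquil Data’s product code and not code from either FTC matter. The disclosure table, user IDs, partner names, data categories, and purposes are all constructed for the example. It encodes the disclosure table as machine-readable (category, recipient, purpose) policy, stores each user’s consent as an append-only version history, refuses to record a consent that covers anything the user was never shown, decides every outbound share against the user’s current consent, writes an audit entry for allowed and denied shares alike, and can answer the question GoodRx’s CTO said the company could not: what is being shared, with which partner, and for what purpose.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical disclosure table (step two of the roadmap), encoded as
# (data category, recipient by name, purpose). All names are constructed.
DISCLOSURES = frozenset({
    ("profile", "ExampleEmailVendor", "appointment_reminders"),
    ("usage", "ExampleAnalyticsCo", "product_analytics"),
    ("health", "ExampleLabPartner", "lab_ordering"),
})


@dataclass(frozen=True)
class ConsentRecord:
    """One version of a user's consent; every change appends a new version."""
    version: int
    granted: frozenset            # subset of DISCLOSURES the user opted into
    withdrawn: bool = False


@dataclass(frozen=True)
class AuditEntry:
    at: str
    user_id: str
    category: str
    recipient: str
    purpose: str
    consent_version: Optional[int]
    decision: str                 # "allowed" or "denied:<reason>"


class SharingGate:
    """Policy enforcement point placed in front of every third-party share."""

    def __init__(self, disclosures):
        self.disclosures = frozenset(disclosures)
        self.history = {}         # user_id -> [ConsentRecord, ...], oldest first
        self.audit = []

    def record_consent(self, user_id, granted):
        granted = frozenset(granted)
        undisclosed = granted - self.disclosures
        if undisclosed:
            # A consent can only cover what the user was actually shown.
            raise ValueError(f"consent exceeds disclosures: {sorted(undisclosed)}")
        records = self.history.setdefault(user_id, [])
        records.append(ConsentRecord(version=len(records) + 1, granted=granted))

    def withdraw_consent(self, user_id):
        records = self.history.setdefault(user_id, [])
        records.append(ConsentRecord(version=len(records) + 1,
                                     granted=frozenset(), withdrawn=True))

    def current_consent(self, user_id):
        records = self.history.get(user_id)
        return records[-1] if records else None

    def authorize_share(self, user_id, category, recipient, purpose):
        """Decide one outbound share and append an audit entry either way."""
        triple = (category, recipient, purpose)
        consent = self.current_consent(user_id)
        if triple not in self.disclosures:
            decision = "denied:undisclosed"       # never disclosed to any user
        elif consent is None:
            decision = "denied:no_consent"
        elif consent.withdrawn:
            decision = "denied:consent_withdrawn"
        elif triple not in consent.granted:
            decision = "denied:not_opted_in"
        else:
            decision = "allowed"
        self.audit.append(AuditEntry(
            at=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, category=category, recipient=recipient,
            purpose=purpose,
            consent_version=consent.version if consent else None,
            decision=decision))
        return decision == "allowed"

    def shares_by_partner(self):
        """What was actually shared, with whom, and for what purpose."""
        report = {}
        for e in self.audit:
            if e.decision == "allowed":
                report.setdefault(e.recipient, set()).add((e.category, e.purpose))
        return report


def demo():
    """Constructed walk-through: one user, four share attempts, one withdrawal."""
    gate = SharingGate(DISCLOSURES)
    gate.record_consent("u1", {
        ("profile", "ExampleEmailVendor", "appointment_reminders"),
        ("usage", "ExampleAnalyticsCo", "product_analytics"),
    })
    results = [
        gate.authorize_share("u1", "profile", "ExampleEmailVendor", "appointment_reminders"),
        gate.authorize_share("u1", "health", "ExampleLabPartner", "lab_ordering"),
        # Disclosed partner, but health data was never disclosed for this purpose.
        gate.authorize_share("u1", "health", "ExampleAnalyticsCo", "product_analytics"),
    ]
    gate.withdraw_consent("u1")
    results.append(gate.authorize_share("u1", "profile", "ExampleEmailVendor", "appointment_reminders"))
    return gate, results


if __name__ == "__main__":
    gate, results = demo()
    for entry in gate.audit:
        print(entry.decision, entry.user_id, entry.category, entry.recipient,
              entry.purpose, "consent v", entry.consent_version)
    print(gate.shares_by_partner())
```

The point of the design is that the share path has no way to bypass the gate: a share that matches no disclosed triple is denied even before consent is consulted, the consent version that governed each decision is recorded, and the same audit log that proves correctness to a regulator is the one that tells the business what it shares with each partner. A production system would persist the history and audit log, sign or hash-chain the log, and treat the disclosure table itself as versioned policy, which are the items the list above calls for.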

We recommend that you don’t go down that path. If you wanted to buy a purpose-built complete solution, there hasn’t been an option in the market until now. The challenge of ensuring that data is used and shared as intended was the foundational insight that led to our company’s founding in 2017. For the last two years, we have been tracking the increased scrutiny of digital health companies by the FTC, and the FTC’s most recent actions have validated the need for a specific Affirmative Express Consent solution.

To help digital health companies meet the new mandate, we decided in Q4 that the time was right to build a streamlined edition of our software purposefully tailored to meet Affirmative Express Consent. We will be announcing more details and releasing this new edition this Spring. If you would like an early look, please get in touch. We will help you automate proper data use and sharing with a bulletproof “program in place to ensure practices live up to promises.”
