BetterHelp Privacy Impact Assessment

Year: '25
Tools: LINDDUN, NIST PRAM, Figma
Role: Privacy Analyst
A systematic Privacy Impact Assessment of BetterHelp, examining how a widely-used mental health platform collects, processes, and shares sensitive user data and proposing concrete design interventions to rebuild user trust.
The Problem Space
When Mental Health Meets Data Exploitation
BetterHelp gives millions of people access to licensed therapists through video, phone, and messaging: a genuine public good. But its data practices tell a more complicated story.
In 2023, the FTC fined BetterHelp $7.8 million for sharing sensitive user health data with advertisers, including Facebook and Snapchat, without user consent. The data shared included mental health survey answers, email addresses, and IP addresses gathered during onboarding.
What BetterHelp collects:
Personal identifiers (name, email, location, IP address)
Mental health concerns, therapy history, and treatment preferences, gathered through onboarding questionnaires
Full communication logs between users and therapists
Payment and billing information
This creates a fundamental tension: users come to BetterHelp in moments of vulnerability, trusting that their most sensitive disclosures are protected. The platform's data practices have repeatedly violated that trust.
Research & Discovery
Our Approach
We conducted a structured Privacy Impact Assessment (PIA) using two established frameworks, LINDDUN (for privacy threat modeling) and NIST PRAM (for risk analysis), alongside a close reading of BetterHelp's own privacy policy, FTC enforcement documents, and GDPR/HIPAA compliance standards.
First-hand evidence
One team member's direct experience underscored the real-world gap between policy and practice: the first screen shown after downloading the BetterHelp app was a prompt to allow cross-app tracking. Before even creating an account, BetterHelp ads appeared on Instagram, suggesting behavioral data was already flowing to advertisers at the point of install.
Stakeholders mapped:
Users: provide highly sensitive data; often unaware of how it's used
BetterHelp / Teladoc Health: collects, stores, and monetizes data
Third-party service providers: AWS (hosting), Google Ads (marketing), analytics platforms
Therapists: rely on platform confidentiality to protect client privilege
Regulatory bodies: FTC, HIPAA, GDPR enforcement agencies
Investors: financial interests that may conflict with privacy-first decisions
Risk Analysis
Five Privacy Risks Identified
Through our data flow mapping and threat modeling, we identified five critical risk areas:
| Risk | Likelihood | Impact | Level |
|---|---|---|---|
| Excessive Data Collection | High | High | High |
| Unauthorized Data Disclosure | High | High | High |
| Algorithmic Opacity (matching) | Medium | High | High |
| Inadequate Data Security | Medium | High | High |
| Non-compliance with Retention Policies | High | Medium | High |
Risk 1: Excessive Data Collection
BetterHelp collects far more than is necessary to match a user with a therapist. The onboarding questionnaire requests sexual orientation, religious preferences, and other intimate details, data whose collection may violate GDPR's data minimization principle.
Risk 2: Unauthorized Data Disclosure
BetterHelp spent close to $90 million on third-party integrations and advertising partnerships. This scale of data-sharing, including with Facebook and Google, goes well beyond what users would reasonably expect from a mental health service.
Risk 3: Algorithmic Opacity
The AI-powered therapist-matching algorithm is a black box. Users have no visibility into why they're matched with specific therapists, violating GDPR's right to explanation for automated decision-making.
Risk 4: Inadequate Data Security
Therapy sessions, chat logs, and session notes lack end-to-end encryption. All user-therapist communications are logged and accessible internally, creating real risk of unauthorized access or data leakage.
Risk 5: Data Retention
User data is retained indefinitely, even after account deactivation. BetterHelp's policy contains no clear deletion timeline, a direct conflict with GDPR's storage limitation principle.
Regulatory Compliance Gaps
Three frameworks, three failure points:
HIPAA: While BetterHelp claims compliance, historical data-sharing with advertisers suggests a gap between policy and practice. PHI (protected health information) was shared without Business Associate Agreements.
FTC: The 2023 $7.8 million fine confirmed that BetterHelp shared health data for advertising without explicit consent. The FTC order now bans this practice, but enforcement is reactive, not preventive.
GDPR: No explicit opt-in consent for data collection, no clear data deletion rights, no algorithmic transparency, and no demonstrated compliance with data minimization requirements.
Proposed Solution
Four Design Interventions
1. Consent Revamp: Granular Opt-In by Default
Replace buried opt-out language with modular, plain-language checkboxes at onboarding. Every data category (therapist matching, product improvement, advertising) gets its own explicit toggle. Default state: all off. Users opt in, not out.
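The consent model above is easiest to see as code: one category per processing purpose, all off by default, and a single choke point that every outbound data flow has to pass. The block below is an added illustration, not BetterHelp's code; the purpose names, partner names and sample survey answer are assumptions made for the example. The `install_to_onboarding` function replays the install-time tracking scenario from the first-hand evidence section and shows how the default-off rule refuses that flow.

```python
"""Granular, opt-in-by-default consent gate (added illustration, not BetterHelp's code).

Each processing purpose is its own category that starts OFF. Every outbound data
flow must pass `share_with_partner`, which refuses and logs any flow whose purpose
the user has not explicitly opted into. Purpose names, partner names and the sample
payload are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Purpose(Enum):
    THERAPIST_MATCHING = "therapist_matching"
    PRODUCT_IMPROVEMENT = "product_improvement"
    ADVERTISING = "advertising"


@dataclass
class ConsentRecord:
    granted: bool
    changed_at: datetime
    source: str  # who flipped it: default_off | onboarding_toggle | dashboard_revoke


@dataclass
class ConsentLedger:
    user_id: str
    records: Dict[Purpose, ConsentRecord] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Default state: every category off until the user explicitly opts in.
        now = datetime.now(timezone.utc)
        for p in Purpose:
            self.records[p] = ConsentRecord(False, now, "default_off")

    def grant(self, purpose: Purpose, source: str = "onboarding_toggle") -> None:
        self.records[purpose] = ConsentRecord(True, datetime.now(timezone.utc), source)

    def revoke(self, purpose: Purpose, source: str = "dashboard_revoke") -> None:
        self.records[purpose] = ConsentRecord(False, datetime.now(timezone.utc), source)

    def allowed(self, purpose: Purpose) -> bool:
        return self.records[purpose].granted


def share_with_partner(ledger: ConsentLedger, purpose: Purpose,
                       partner: str, payload: dict) -> Optional[dict]:
    """Single choke point for outbound flows: returns the payload sent, None if refused."""
    if not ledger.allowed(purpose):
        ledger.audit.append(("refused", purpose.value, partner))
        return None
    ledger.audit.append(("sent", purpose.value, partner))
    return payload


def install_to_onboarding(ledger: ConsentLedger) -> List[Tuple[str, str, str]]:
    """Replays the observed flow: tracking requested at install, before any account
    exists, then survey answers collected for matching. Returns the audit trail."""
    survey = {"concern": "anxiety"}  # constructed sample answer
    # At install no toggle has been touched, so the ad-network flow is refused.
    share_with_partner(ledger, Purpose.ADVERTISING, "ad-network", {"event": "install"})
    # The user opts in to matching only; survey answers may flow to the matcher...
    ledger.grant(Purpose.THERAPIST_MATCHING)
    share_with_partner(ledger, Purpose.THERAPIST_MATCHING, "matching-service", survey)
    # ...but the same answers are still refused for advertising.
    share_with_partner(ledger, Purpose.ADVERTISING, "ad-network", survey)
    return ledger.audit


if __name__ == "__main__":
    for entry in install_to_onboarding(ConsentLedger("u-demo")):
        print(entry)
```

The design point is that consent is checked where data leaves the system, not where it is collected: the survey answer is the same object in both calls, and only the purpose and the user's toggle for it decide whether it moves. Revoking from the dashboard writes a new record with its own source, so the audit trail shows who changed what and when.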
2. End-to-End Encryption for All Therapy Communication
Implement end-to-end encryption (E2EE) across chat, video, and session notes, so only the user and their therapist can access the content. Internally, separate therapy-specific data (encrypted, role-restricted) from platform analytics (anonymized).
3. User-Facing Privacy Dashboard
Give users a single place to:
View all data collected about them
Understand how each data type is used
Revoke consent categories at any time
Request data deletion or export (per GDPR Articles 15-17)
Manage cookie and ad-tracking preferences
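Two of the dashboard actions, export and deletion, are where Risk 5 (indefinite retention) gets fixed in practice, because deletion only means something once there is a defined timeline behind it. The block below is an added example, not BetterHelp's code: it models a fixed retention period after deactivation, user-triggered export (GDPR Articles 15 and 20) and erasure (Article 17), and a legal-hold exemption for billing records (Article 17(3)(b)). The retention periods, record categories and sample records are assumptions made for illustration, and the hold period is a placeholder rather than legal advice.

```python
"""Retention and data-subject-request tooling (added example, not BetterHelp's code).

Models a fixed deletion timeline after deactivation plus user-triggered export and
erasure. Retention periods and sample records are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed policy values (BetterHelp's policy states no deletion timeline).
RETENTION_AFTER_DEACTIVATION = timedelta(days=30)
# Categories a statutory record-keeping duty may exempt from immediate erasure
# (GDPR Art. 17(3)(b)); the period is a placeholder, not legal advice.
LEGAL_HOLD = {"billing": timedelta(days=365 * 7)}


@dataclass
class DataRecord:
    category: str       # identifier | survey | message | billing
    purpose: str        # why it was collected; shown to the user on export
    value: str
    collected_at: datetime


@dataclass
class UserStore:
    user_id: str
    records: List[DataRecord] = field(default_factory=list)
    deactivated_at: Optional[datetime] = None
    erasure_log: List[str] = field(default_factory=list)


def export_user_data(store: UserStore) -> dict:
    """Art. 15/20: every record with its purpose and collection date, in a portable form."""
    return {
        "user_id": store.user_id,
        "records": [
            {"category": r.category, "purpose": r.purpose,
             "value": r.value, "collected_at": r.collected_at.isoformat()}
            for r in store.records
        ],
    }


def erase_user(store: UserStore, now: datetime) -> int:
    """Art. 17: delete everything not under a legal hold; returns records removed."""
    kept, removed = [], 0
    for r in store.records:
        hold = LEGAL_HOLD.get(r.category)
        if hold is not None and now - r.collected_at < hold:
            kept.append(r)  # retained only until the hold expires, then swept
        else:
            removed += 1
    store.records = kept
    store.erasure_log.append(f"{now.isoformat()}: erased {removed}, held {len(kept)}")
    return removed


def retention_sweep(stores: List[UserStore], now: datetime) -> List[str]:
    """Scheduled job: accounts deactivated longer than the retention period are erased."""
    erased = []
    for s in stores:
        if s.deactivated_at is not None and now - s.deactivated_at >= RETENTION_AFTER_DEACTIVATION:
            erase_user(s, now)
            erased.append(s.user_id)
    return erased


def sample_store(now: datetime, user_id: str = "u-demo") -> UserStore:
    """Constructed sample data mirroring the four categories listed in the problem space."""
    return UserStore(user_id, [
        DataRecord("identifier", "account", "user@example.com", now - timedelta(days=200)),
        DataRecord("survey", "therapist_matching", "anxiety; sleep", now - timedelta(days=200)),
        DataRecord("message", "therapy", "session transcript", now - timedelta(days=5)),
        DataRecord("billing", "payment", "invoice #0001", now - timedelta(days=199)),
    ])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    store = sample_store(now)
    print(export_user_data(store))
    print("erased:", erase_user(store, now), "held:", [r.category for r in store.records])
```

The export shows the user the purpose attached to each record, which is the "understand how each data type is used" item above. Erasure keeps only records under an explicit, time-bounded hold and logs what it kept, so a held billing record is a documented exception rather than silent indefinite retention; the sweep turns the retention period from a policy sentence into a job that runs.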
4. Independent Privacy & Ethics Oversight Board
Create an internal advisory body including data ethicists, privacy lawyers, therapists, and former BetterHelp users. Responsibilities: audit algorithm changes, review third-party partnerships, publish bi-annual transparency reports.
Implementation Roadmap
| Priority | Action | Timeline | Owner |
|---|---|---|---|
| High | Encrypt all therapy sessions | 0-3 months | CTO + Security |
| High | Redesign consent flow (opt-in by default) | 0-6 months | Product + Legal |
| Medium | Publish algorithmic matching guidelines | 6-12 months | Data Science |
| Medium | Launch user data-deletion dashboard | 6-12 months | Engineering |
| Low | Establish bug bounty program | 12+ months | Security + PR |
Reflection
What This Project Taught Me
Privacy design isn't just a compliance checkbox; it's a trust problem. BetterHelp's failures weren't primarily technical; they were decisions made at the product and business level, enabled by opaque policies and the absence of user-centered design in how consent was handled.
The most powerful realization from this project: the gap between what a privacy policy says and what a user understands is where most harm occurs. Designing for privacy means closing that gap through plain language, visible controls, and defaults that protect rather than extract.
Challenge
BetterHelp collects some of the most sensitive data imaginable: mental health disclosures shared in moments of vulnerability. Yet in 2023, the FTC fined the platform $7.8 million for sharing that data with advertisers including Facebook and Snapchat, without meaningful user consent. The gap between what the privacy policy says and what users actually understand is where the harm lives.
Solution
Our PIA proposed a four-part privacy-by-design system: granular opt-in consent, end-to-end encryption for all therapy communications, a user-facing privacy dashboard, and an independent ethics oversight board. Together, these interventions close the gap between BetterHelp's stated policies and its actual data practices, putting control back in the hands of users.