Recent Privacy Enforcement: Settlements and Regulatory Actions
Survey of major FTC and state AG settlements in tracking pixel and health data privacy cases. Learn what regulators and courts are targeting industry-wide.
The money has gotten real. Over the past three years, the FTC and state attorneys general have extracted hundreds of millions of dollars from healthcare companies, telemedicine platforms, and analytics vendors. The cases follow a pattern: a company deploys tracking pixels on its website without clear consent, regulators or plaintiffs catch it, and the company settles for anywhere from a few hundred thousand dollars to, in the largest case, more than $200 million. Other companies watch and get nervous.
The trend is clear. Regulators have decided that vague privacy policies do not constitute consent. Technical elegance is not a defense. And healthcare is the priority.
The FTC's Three Big Healthcare Cases
BetterHelp, Cerebral, and GoodRx set the tone. GoodRx and BetterHelp settled in 2023; Cerebral followed in 2024. All three involved transmitting sensitive health data to advertising platforms.
BetterHelp is an online mental health platform. Therapy sessions conducted via video. Intake forms disclosing diagnoses. The company deployed Meta Pixel, TikTok Pixel, and Google Analytics to track user behavior. Its privacy policy never disclosed this in any meaningful way. The FTC found the language vague: it mentioned "analytics partners" but never named Meta or TikTok, and never explained that the fact a visitor was seeking therapy would be transmitted to advertising platforms.
The settlement was $7.8 million, paid out as refunds to affected users. BetterHelp is banned from sharing health data for advertising and must obtain affirmative express consent before disclosing health information to third parties for any other purpose.
Cerebral was similar. Telehealth platform. Mental health and substance abuse treatment. Meta Pixel was running on the site collecting data about patient intake. The company advertised confidential treatment but was quietly sharing patient data with Meta. The FTC alleged deception. Cerebral settled for $7 million.
GoodRx helps patients find discounted medications. When a user searches for HIV medication, erectile dysfunction drugs, or antidepressants, they're disclosing sensitive health information. Google Analytics was capturing these searches and transmitting them to Google. The user had no notice this was happening. The privacy policy said analytics were used for "site improvement." Google was also using the data for ad targeting. GoodRx paid a $1.5 million civil penalty, the first ever under the FTC's Health Breach Notification Rule, and is permanently barred from sharing users' health data with third parties for advertising.
The message: transmitting health data to advertising platforms without explicit, specific consent is an unfair or deceptive practice under Section 5 of the FTC Act, and for a health app outside HIPAA it can also count as a breach under the Health Breach Notification Rule.
What Mount Sinai and Kaiser Tell Us
Healthcare organizations face the highest exposure. Two cases show why.
Mount Sinai Health System runs one of New York's largest hospital networks. Its website includes Google Analytics. Patients searching for "cancer treatment," "HIV testing," "mental health therapy" had those searches captured by Google. The health system's privacy policy said they use "analytics to understand our users." It did not say those analytics would transmit health-related searches to Google. A class action followed. Mount Sinai paid $5.26 million and agreed to either remove Google Analytics or mask sensitive health information.
Kaiser Permanente is one of the nation's largest integrated healthcare systems. Its settlement exceeded $200 million, though it addressed multiple issues including data breaches. But a significant portion related to analytics and tracking tools. Kaiser agreed to conduct a full audit of all tracking, obtain explicit patient consent before deploying certain trackers, and implement technical safeguards to prevent transmission of sensitive health information.
These are sophisticated companies with compliance teams. They still got caught. They still paid.
State Attorneys General Are Also Moving
New York's Attorney General opened an investigation into telehealth and mental health platforms deploying Meta Pixel and other trackers. Multiple platforms agreed to disable or restrict tracking without formal settlements. The signal to industry: state AGs now view tracking pixel practices as enforcement priorities.
California opened investigations into session replay tools and tracking pixels at healthcare companies, leveraging its own privacy statute, the CCPA as amended by the CPRA. Settlements required explicit consent before deploying trackers on pages that handle sensitive health information.
Texas' consumer protection division began scrutinizing healthcare companies' tracking practices. The question: does transmitting Texas residents' health data to out-of-state advertising platforms violate the Texas Deceptive Trade Practices Act? Several platforms received investigative demands.
Advocate Aurora Health, a Midwest health system, settled with Wisconsin and other state AGs for $650,000 over Meta Pixel and Google Analytics on its website. The settlement required disabling Meta Pixel, restricting Google Analytics, and obtaining explicit opt-in consent.
What Regulators Actually Care About
Three things emerge from the enforcement actions.
Data minimization. If you're using a session replay tool that captures passwords, credit card numbers, and SSNs when you could achieve your business goal with less invasive analytics, the FTC views that as unfair. Why collect what you don't need?
Real consent. A privacy policy saying "we use analytics partners" does not constitute consent. Consent must be affirmative (the visitor actively agrees), specific (you name the tool and what it captures), and informed (the visitor understands the implications). If the visitor hasn't read it or actively agreed to it, the FTC won't accept it.
Technical safeguards. The FTC expects companies to implement available technical controls. Mask sensitive fields. Disable tracking on sensitive pages. Use privacy-preserving analytics alternatives. If you don't implement available safeguards, regulators view you as indifferent to privacy.
The Broader Regulatory Landscape
The U.S. Department of Health and Human Services Office for Civil Rights enforces HIPAA. Its December 2022 guidance on online tracking technologies (updated in March 2024) warns that a HIPAA-regulated entity that lets a tracking vendor receive protected health information without a business associate agreement or a valid patient authorization may violate the HIPAA Privacy Rule. A federal court in Texas vacated part of that guidance in June 2024, the portion that treated data from unauthenticated public webpages as PHI based on a visitor's apparent reason for visiting, so trackers inside authenticated patient portals remain the clearest HIPAA exposure. Several enforcement actions targeted healthcare organizations with inadequate Business Associate Agreements with analytics vendors.
Comprehensive state privacy laws in California, Virginia, Colorado, Connecticut, and Utah grant consumers rights to know what data is collected and to whom it's disclosed. Apart from California's limited private right of action for data breaches, these laws are enforced by state attorneys general rather than through private lawsuits. Most of them also exempt data already covered by HIPAA, so the exposure is largest on the consumer-facing parts of a site that sit outside HIPAA. Healthcare companies operating across multiple states deal with an increasingly complex privacy landscape.
The European GDPR is influential even though it has no direct force in U.S. enforcement. It applies to the personal data of people in the EU, including when a U.S. company offers them services or monitors their behavior online. The principles behind U.S. enforcement, affirmative consent, data minimization, and purpose limitation, echo the ones GDPR codifies, and the U.S. is moving toward similar standards.
What This Means for Your Website
If you operate a healthcare, financial, or legal website, assume regulators are watching.
Identify every tracking tool. Where does the data go? What does each tool capture? If you can't answer these questions, delete the tool.
Rewrite your privacy policy. Name specific tools. Explain what they capture and where data flows. Don't hide behind vague language.
For invasive tools--especially session replay--implement affirmative consent. The visitor must opt in before the tool runs. A pre-checked box is not consent. A buried option in a settings menu is not consent.
Enable field masking in your analytics and session replay tools. Passwords, credit cards, SSNs--these should not be transmitted anywhere.
Consider alternatives. Privacy-focused analytics platforms like Plausible and Fathom don't transmit visitor data to advertising networks. The insight you gain is less granular, but your exposure is lower.
Document your privacy decisions. Keep records of what tools you deployed, when you disabled them, what consent mechanisms you implemented. If you ever face an investigation, this demonstrates good faith.
If you collect sensitive data, get privacy counsel involved. HIPAA compliance is complex. CCPA compliance is complex. The overlap is messier.
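The technical steps in this checklist (inventory every tracker, load nothing until the visitor affirmatively opts in, keep advertising trackers off sensitive pages, mask sensitive fields before anything leaves the browser) and the "technical safeguards" regulators expect are small amounts of client-side code. The following is an added example, not code from the original article or from any company or vendor it names; it runs in Node without a DOM so the logic can be tested, and the tracker host list, purpose labels, sensitive-path list, field names and all sample inputs are constructed assumptions for illustration.

```javascript
// Added example, not code from the original article or from any company it names.
// Assumed: tracker host list, purpose labels, sensitive-path list, sample inputs.

// 1. Inventory: map third-party script hosts to the tool and its purpose, and flag
// anything unrecognised for review (if you cannot say where data goes, the tool goes).
const KNOWN_TRACKERS = {
  'connect.facebook.net': { name: 'Meta Pixel', purpose: 'advertising' },
  'analytics.tiktok.com': { name: 'TikTok Pixel', purpose: 'advertising' },
  'www.googletagmanager.com': { name: 'Google Analytics (gtag)', purpose: 'analytics' },
};
function inventoryTrackers(scriptSrcs) {
  return scriptSrcs.map((src) => {
    const host = new URL(src).hostname;
    return { src, host, ...(KNOWN_TRACKERS[host] || { name: 'UNKNOWN', purpose: 'review' }) };
  });
}

// 2. Consent gate. Advertising trackers never run on these paths, consent or not
// (constructed list: anywhere the URL alone reveals a condition or a search).
const SENSITIVE_PATHS = ['/search', '/conditions/', '/medications/', '/appointments/'];

class ConsentGate {
  constructor() { this.purposes = new Set(); this.queue = []; }

  blockedOnPath(tracker, path) {
    return tracker.purpose === 'advertising' && SENSITIVE_PATHS.some((p) => path.startsWith(p));
  }

  // 'blocked' on a sensitive page, 'loaded' if the visitor already consented to this
  // tracker's purpose, otherwise 'deferred' until they do. Nothing loads by default.
  request(tracker, path, load) {
    if (this.blockedOnPath(tracker, path)) return 'blocked';
    if (this.purposes.has(tracker.purpose)) { load(); return 'loaded'; }
    this.queue.push({ tracker, load });
    return 'deferred';
  }

  // Only an affirmative, user-initiated choice counts; a record produced by a default
  // or pre-checked box is rejected and releases nothing from the queue.
  grant(record) {
    const ok = record && record.source === 'user_action'
      && Array.isArray(record.purposes) && record.purposes.length > 0;
    if (!ok) return false;
    record.purposes.forEach((p) => this.purposes.add(p));
    this.queue = this.queue.filter(({ tracker, load }) => {
      if (!this.purposes.has(tracker.purpose)) return true; // still waiting
      load();
      return false;
    });
    return true;
  }
}

// 3. Masking before anything leaves the browser.
const SENSITIVE_FIELDS = /^(password|passwd|ssn|card_number|cvv|q|query|search)$/i;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
const EMAIL_RE = /\b[\w.+-]+@[\w-]+\.[\w.]+\b/g;
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g; // 13-19 digits with optional separators

// Luhn check so long order or account numbers are not scrubbed as card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

function maskString(s) {
  return s.replace(SSN_RE, '[SSN]').replace(EMAIL_RE, '[EMAIL]')
    .replace(CARD_RE, (m) => (luhnValid(m.replace(/\D/g, '')) ? '[CARD]' : m));
}

// Redact named sensitive fields outright, strip query strings from page URLs so a
// search like "?q=hiv+test" never ships, and scrub PII patterns from other strings.
function sanitizeEvent(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (SENSITIVE_FIELDS.test(key)) out[key] = '[REDACTED]';
    else if (key === 'page_url') out[key] = String(value).split('?')[0];
    else out[key] = typeof value === 'string' ? maskString(value) : value;
  }
  return out;
}

// Constructed walkthrough: scripts found on a hypothetical patient-portal page.
function demo() {
  const gate = new ConsentGate();
  const loaded = [];
  return {
    inventory: inventoryTrackers([
      'https://connect.facebook.net/en_US/fbevents.js',
      'https://www.googletagmanager.com/gtag/js?id=G-0000000',
      'https://cdn.example-replay.invalid/recorder.js',
    ]),
    metaOnSearch: gate.request(KNOWN_TRACKERS['connect.facebook.net'], '/search?q=hiv+test', () => loaded.push('Meta Pixel')),
    gaBeforeConsent: gate.request(KNOWN_TRACKERS['www.googletagmanager.com'], '/about', () => loaded.push('Google Analytics')),
    preChecked: gate.grant({ source: 'default_checked', purposes: ['analytics'] }),
    explicitOptIn: gate.grant({ source: 'user_action', purposes: ['analytics'] }),
    loaded,
    event: sanitizeEvent({
      page_url: 'https://portal.example/search?q=hiv+test', query: 'hiv test',
      note: 'patient jane.doe@example.com ssn 123-45-6789 card 4111 1111 1111 1111',
    }),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment `request` is called from the tag-loading code for each script, `grant` from the consent banner's accept handler, and `sanitizeEvent` sits in front of every analytics send. The path and field lists must come from the inventory in step one, not from memory; the point of the walkthrough is that Meta Pixel is refused on the search page even after consent, Google Analytics waits for a real opt-in, the pre-checked record loads nothing, and the search term, e-mail, SSN and card number never reach the vendor.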
The Settlement Amounts Are Climbing
BetterHelp: $7.8 million. Cerebral: $7 million. GoodRx: $1.5 million. Mount Sinai: $5.26 million. Kaiser: $200+ million. Advocate Aurora: $650,000.
Even smaller healthcare platforms now face $1 million+ exposure. The baseline is rising. The FTC and state AGs have made clear that inadequate privacy governance around tracking technologies carries real financial consequences.
Companies that implement field-masking, consent mechanisms, and data minimization are viewed more favorably in investigations and settlements. But they still settle. The bar is: you should not have deployed that tracking technology the way you did.