FTC Privacy & Data Security Brief
Headline
FTC issues proposed consent order imposing comprehensive data minimization requirements on health data aggregator following Section 5 complaint
Executive Summary
The Federal Trade Commission has issued a proposed consent order against a major health data aggregation platform. The order resolves allegations of unfair and deceptive practices under Section 5 of the FTC Act, arising from the company's collection, retention, and monetization of consumer health data obtained through third-party data broker relationships without adequate consumer notice or consent. The proposed order imposes a 20-year comprehensive data minimization and security program, requires deletion of all health data collected prior to the order, and mandates biennial third-party assessments of the company's data practices.
Key Regulatory Signals
- Health Data Enforcement Priority: The FTC's action confirms health data privacy as a principal enforcement priority under the current Commission, extending the enforcement trajectory established by the 2023 GoodRx and BetterHelp consent orders to data aggregators operating outside the HIPAA-covered entity framework.
- Data Minimization Standard Established: The proposed order's data minimization requirements establish a practical compliance benchmark for companies handling sensitive health data, requiring collection limitations, purpose limitations, and retention schedules that align with the FTC's proposed Surveillance Pricing Rule and pending commercial surveillance rulemaking.
- Retroactive Deletion Requirement: The mandated deletion of all pre-order health data represents a significant remedial expansion beyond forward-looking compliance obligations, requiring companies in the health data ecosystem to assess their own data retention practices against this enforcement precedent.
- Third-Party Data Broker Accountability: The complaint's focus on health data obtained through third-party broker relationships signals that the FTC will hold data recipients accountable for the adequacy of consent obtained upstream in the data supply chain, imposing due diligence obligations on all participants in the health data marketplace.
- State Attorney General Coordination: The FTC's complaint references parallel investigations by state attorneys general in California, Illinois, and New York, indicating coordinated federal-state enforcement in the health data space that increases the cumulative compliance burden and litigation risk for companies in this sector.
Regulatory Delta
The FTC's health data enforcement posture has expanded significantly since the Commission's 2023 Health Breach Notification Rule enforcement actions and the GoodRx consent order, which established that the FTC Act's unfairness authority extends to health data practices outside the HIPAA regulatory perimeter. The current action extends that authority to data aggregators — entities that compile health information from multiple sources for commercial purposes — and imposes the FTC's most comprehensive data minimization requirements to date. The proposed order's 20-year duration and retroactive deletion mandate exceed the remedial scope of prior FTC health data orders and align with the Commission's October 2025 policy statement on commercial surveillance, which articulated a framework for applying Section 5 unfairness to data practices involving sensitive categories including health, financial, and location data.
Materiality Classification
High — FTC consent order establishing comprehensive data minimization and deletion requirements for health data aggregation with precedential implications across the health data ecosystem and the broader commercial surveillance enforcement agenda.
Time Horizon
Immediate — The proposed consent order is subject to a 30-day public comment period; companies in the health data supply chain should assess their practices against the order's requirements and prepare for potential enforcement attention.
Intelligence Outlook
Monitor the FTC for final consent order adoption following the comment period. Track the pending FTC commercial surveillance rulemaking for codification of data minimization requirements applicable beyond the health data context. Assess state attorney general enforcement actions for coordinated or parallel proceedings.