CCPA Headway
Pre-Breach Era: A New Right of Action, Same Controls
Case Overview:
In 2024, a case involving Therapymatch, Inc., the owner of the mental health platform Headway, raised significant legal questions regarding the handling of sensitive user information. Headway used Google Analytics to collect users’ mental health data without explicit disclosure in its privacy policy. Doing so led to legal challenges under the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).
M.G. v. Therapymatch, Inc. highlights the necessity for businesses to provide clear notice to their consumers about the sharing of personal and medical information with third parties. This case emphasizes the importance of transparency and robust security measures, and it affirms that a private right of action under the CCPA can arise without a data breach.
What Happened? A Privacy Mismatch
Therapymatch, Inc. is a private company with an online mental health and therapy platform, Headway, which provides users with easier access to mental health providers. Platform users can search Headway’s provider database based on specific preferences, including race, gender, ethnicity, mental health concerns, diagnoses, location, and more. Headway embeds Google Analytics code on its website, allowing Google to intercept and collect users’ mental health information keyed into the search fields on the website. Headway did not disclose the sharing of mental health information to Google Analytics in its privacy policy.
Users of the platform provided personal and sensitive mental health information, including searches for help with specific mental health issues, prior diagnoses, names, addresses, cellular phone numbers, health insurance providers, group identification numbers, and employers. Google intercepted this information to provide analytics services to Headway and improve its own algorithms and marketing services. As a result, one platform user, identified as M.G. in the case, filed a class action lawsuit against Headway, alleging violations of both the CMIA and CCPA, among other laws.
Legal Considerations: CMIA vs. CCPA
Understanding CMIA’s Requirements
The Confidentiality of Medical Information Act (CMIA) is a California state law that adds to HIPAA’s federal protection of personal medical records. CMIA protects the confidentiality of individually identifiable medical information obtained by a health care provider.
To meet CMIA’s definition of medical information, individuals may need to disclose specific sensitive medical details. M.G. mentioned seeking therapy for two mental health conditions but did not specify which ones, leading the court to find that general references to mental health are insufficient under CMIA.
Ultimately, the court dismissed the CMIA claims against Headway, stating it was unclear what specific medical information M.G. disclosed.
Interpreting the CCPA’s Scope
M.G. also brought a CCPA claim, based on Headway disclosing platform users’ personal information, including sensitive medical and health insurance information to Google.
Headway argued that CCPA claims require a data breach; the court disagreed, citing a previous case in which the court found a plausible CCPA claim where personal and medical information was accessible over the Internet despite no theft or inadvertent exposure of the data.
The court found that Headway could not show that the allegations were insufficient to support a private right of action under the CCPA.
Implications for Businesses: Why This Case Matters
This case highlights the ambiguity around what constitutes medical information, especially regarding mental health. Specific details are required for proper adjudication, although this poses challenges as disclosing sensitive information in court filings makes it public and more accessible.
Considering this, businesses should contemplate labeling mental health information as sensitive in their standard operating procedures and security controls.
Businesses should also be aware that a private right of action under the CCPA can arise without a data breach. This is based on the disclosure of information online without adequate security measures (although this interpretation may evolve with future case filings and legal developments).
Key Takeaways for Risk Mitigation
Takeaways from M.G. v. Therapymatch, Inc.:
- Clear Notice: No Surprises in Data Sharing
Users need to be given notice that their personal information, in particular medical and medical-adjacent information, is being shared with a third party. All third parties need to be disclosed.
- Specifics Matter: General Mentions Are Not Enough
General mental health information may not be sufficient to claim medical information under California law. Specifics need to be given to properly adjudicate a case like this, although this can be tricky, as disclosing sensitive information in a court filing can make that information public and more readily discoverable by the general public.
- CCPA’s Reach: No Breach Required for Legal Action
A private right of action can arise under the CCPA without a data breach occurring. Simply disclosing information over the Internet without proper security measures can give rise to a private right of action, although this conclusion seems to have room for evolution with further filings in this case and in future CCPA cases.
Recommendations to Minimize Your Organization’s Risk
- Transparency should always be every organization’s first priority when writing and publishing privacy policies and external-facing procedures. Users need to be given notice of every avenue by which their information may be shared.
- Consider adding mental health information both generally and specifically to your organization’s definition of sensitive information and apply robust security and privacy controls accordingly.
For further information, we encourage you to review the ruling in its entirety, which can be found here.