FTC and Telehealth Marketing: The Compliance Rules Most Providers Ignore
The rule you’ve probably heard about, “Click-to-Cancel,” is dead. A federal court struck it down. But that’s not the same as telehealth subscription marketing being unregulated, and there’s a separate FTC rule with real penalties already attached that most providers have never heard of at all.
Is the FTC’s “Click-to-Cancel” Rule Actually in Effect?
No. The Eighth Circuit vacated it on July 8, 2025, on procedural grounds, the FTC skipped a mandatory cost-benefit analysis during rulemaking. The agency restored its older, narrower 1973 rule in February 2026, which only covers classic “book of the month” style prenotification plans, not the subscription and auto-renewal models most telehealth platforms actually use.
The FTC published an Advance Notice of Proposed Rulemaking in March 2026 to rebuild the record before trying again. Comments closed April 13, 2026. There’s no new rule yet and no confirmed timeline for one.
Does That Mean Your Subscription Model Is in the Clear?
No. The vacatur only killed the FTC’s new rulemaking, not the underlying law. ROSCA, the Restore Online Shoppers’ Confidence Act, independently requires the same core things: clear disclosure of material terms before billing, express informed consent, and a simple way to cancel. None of that went anywhere.
The FTC is still actively enforcing under ROSCA and Section 5 right now, including an ongoing case against Uber over its membership cancellation flow. On top of that, roughly 30 states have their own automatic-renewal laws, some considerably stricter than anything the federal rule ever required.
What’s the FTC Rule Most Telehealth Marketers Have Never Heard Of?
The Health Breach Notification Rule. It applies to telehealth and health apps that fall outside HIPAA, anything offered direct-to-consumer rather than through a formal patient-provider relationship covered by HIPAA’s rules. It defines “breach” broadly enough to include unauthorized disclosure, not just hacking, meaning sharing health data with an ad platform without proper authorization can itself count as a breach requiring notification.
This isn’t theoretical. GoodRx paid a $1.5 million penalty in 2023 for sharing user health data with Facebook and Google without authorization. BetterHelp paid $7.8 million the same year for sharing data with Facebook and Snapchat for advertising purposes. Both penalties came under this rule.
What Does This Mean for Your Marketing and Ad Pixels Specifically?
If your scheduling page, intake form, or marketing site shares identifiable health information with analytics or ad platforms, Meta Pixel, Google Ads conversion tracking, without clear consumer authorization, that’s the exact pattern that triggered both the GoodRx and BetterHelp penalties. This sits entirely separate from any HIPAA exposure your practice might have, it’s a marketing and consumer-protection issue, enforced by a different agency.
What Should Telehealth Marketers Do Right Now?
- Don’t assume Click-to-Cancel’s death means your signup and cancellation flow is unregulated. Match it against ROSCA’s disclosure, consent, and cancellation requirements, and check the auto-renewal law in any state where you have subscribers.
- Audit whether your marketing pages share identifiable health information with ad platforms without clear consumer authorization. This is exactly what triggered the GoodRx and BetterHelp penalties.
- Confirm whether your business counts as a “vendor of personal health records” or related entity under the Health Breach Notification Rule, even if you’re confident you sit outside HIPAA’s reach.
- Track the FTC’s negative option rulemaking, since some version of a click-to-cancel-style requirement could return.
- Consult your compliance counsel.
Source
FTC, 2024: FTC Truth in Advertising — Current Guidance and Enforcement
This post is for educational purposes only and does not constitute legal or compliance advice. Consult a qualified attorney or compliance professional before acting on this information.
