Telehealth Advertising: Platform-by-Platform Compliance Guide
Three of the five largest FTC health data enforcement actions since 2023 targeted telehealth companies. BetterHelp ($7.8M), Cerebral ($7M), and Monument (advertising ban) all faced enforcement not for their clinical practices but for the tracking pixels on their marketing websites. Telehealth advertising does not carry more inherent compliance risk than other healthcare verticals. It carries more enforcement attention.
This attention exists because telehealth companies are digitally native. Their entire patient relationship begins with an online interaction: a search ad click, a social media landing page visit, a conversion event. That digital-first model means every step of the patient journey passes through marketing technology that can transmit health data to advertising platforms. For a hospital system, the marketing website is one piece of a broader operation. For a telehealth company, the marketing website is the front door to clinical care.
This guide walks through the specific challenges telehealth advertisers face on each major platform and how to configure campaigns that perform without creating the data exposure that has already cost this vertical tens of millions of dollars.
Why Telehealth Sits at the Center of FTC Enforcement
The FTC has treated telehealth companies as a testing ground for health data enforcement. Understanding why clarifies what telehealth advertisers need to do differently.
BetterHelp ($7.8M FTC, 2023) shared email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest via tracking pixels. The company built Facebook lookalike audiences from users who had previously been in therapy. The FTC found that a recent college graduate with no marketing training had been placed in charge of deciding what user data was uploaded to Facebook.
Cerebral ($7M FTC, 2024) had tracking pixels that sent patient names, medical histories, prescription information, and mental health symptom questionnaire answers to Meta. The breach affected 3.2 million individuals. The FTC imposed a first-of-its-kind ban on using health information for most advertising purposes.
Monument (FTC advertising ban, 2024) disclosed data of up to 84,000 users to ad platforms via tracking pixels. Custom pixel events had descriptive titles like "Paid: Weekly Therapy" and "Paid: Med Management," revealing specific services alongside email addresses and IP addresses.
The pattern across all three cases is identical. Standard marketing pixels were installed on telehealth websites. Those pixels transmitted health-contextual data to advertising platforms. The companies did not intend to share patient data. The pixels did what they were designed to do.
Google Ads: Search Intent Meets Conversion Tracking Risk
Google Search is the highest-intent channel for telehealth. Someone searching "online therapy near me" or "telehealth dermatologist" is actively seeking care. For telehealth companies, Google Ads often delivers the best cost-per-acquisition of any channel.
Healthcare and medicines policies. Google restricts healthcare advertising based on country and service type. In the US, telehealth advertisers can promote services but must comply with Google's healthcare and medicines policy. LegitScript certification is required for addiction treatment advertising. Prescription drug ads require separate certification.
Where the tracking risk lives. Google's recommended conversion tracking setup uses the Google Ads tag (gtag.js) or Google Tag Manager to fire conversion events in the browser. For a telehealth company, a conversion might be "completed intake form," "booked appointment," or "started subscription." Each of these events carries health context through the URL (e.g., "/anxiety-treatment/book"), the event name, and any custom parameters.
Compliant setup. Replace client-side Google Ads conversion tracking with server-side implementation through the Google Ads API. Use offline conversion imports or enhanced conversions for leads with server-side data submission. Strip health-specific URLs and event names before transmission. Send hashed identifiers only after consent has been verified server-side.
Google Performance Max considerations. Performance Max campaigns require robust conversion signals to optimize across Search, Display, YouTube, and Discovery. Running PMax without server-side conversion tracking means Google's automation receives health-contextual data from every surface. Implement server-side conversions before launching PMax campaigns.
Meta Ads: Sensitive Category Restrictions and the Pixel Problem
Meta remains a critical acquisition channel for telehealth companies despite the enforcement history. Its targeting capabilities and large user base drive significant patient volume.
Special Ad Category requirements. Meta classifies healthcare advertising under its Social Issues, Elections, or Politics category in some cases, and has specific restrictions on health-related targeting. Telehealth advertisers cannot target users based on health conditions, medical treatments, or health-related interests through Meta's restricted targeting parameters. However, broad demographic and interest targeting still works.
The Meta Pixel creates the same risk that triggered BetterHelp and Cerebral. Installing the Meta Pixel on a telehealth website sends page views, form submissions, and custom events to Meta's servers. Every URL on a telehealth site carries health context because the site exists to provide healthcare. A page view on "yourtelehealthsite.com/services/adhd-assessment" tells Meta that a specific user (identified by fbp cookie, IP address, and browser fingerprint) is researching ADHD assessment.
Compliant setup. Replace the Meta Pixel entirely with the Conversions API (CAPI). Do not run both simultaneously, even though Meta recommends a "redundant" pixel-plus-CAPI setup. Route conversion events from your server to Meta's CAPI endpoint. Strip health-specific URL paths, event names, and custom parameters. Gate all data transmission on server-side consent verification.
Audience building. Do not build Custom Audiences from website visitors to health-specific pages using Meta Pixel data. Instead, build audiences from server-side conversion data that has been stripped of health context, or use broad targeting combined with optimized creative to reach relevant users.
TikTok Ads: Reaching Younger Patients in Restricted Territory
TikTok's user demographics skew younger, making it relevant for telehealth companies serving mental health, dermatology, sexual health, and other specialties with younger patient populations.
Healthcare advertising policies. TikTok restricts healthcare advertising significantly. Prescription drug ads are prohibited. Over-the-counter health product ads face content restrictions. Healthcare service ads are allowed in some markets with restrictions on claims and imagery. Telehealth companies must navigate these policies carefully.
TikTok Pixel and Events API. TikTok offers both a client-side pixel and a server-side Events API. The compliance approach mirrors Meta: replace the TikTok Pixel with the Events API entirely. Do not run both. Send conversion events from your server with health context stripped from event payloads.
Content compliance. TikTok's content policies for healthcare are strict about claims. Telehealth advertisers should focus on educational content, provider introductions, and service awareness rather than condition-specific claims that might trigger policy review.
YouTube Ads: Video Campaigns Without Viewer Health Profiles
YouTube sits within Google's advertising ecosystem, so Google Ads conversion tracking applies. YouTube-specific considerations include viewer engagement tracking and audience building from video interactions.
Where the risk compounds. YouTube campaign reporting can show which videos specific users watched, how long they watched, and what actions they took afterward. If a telehealth company runs a video ad about depression treatment and a viewer clicks through to the telehealth website, the path from YouTube view to website conversion creates a health-interest profile tied to the viewer's Google account.
Compliant setup. Use server-side conversion tracking for all YouTube campaign measurement. Avoid building retargeting audiences from viewers of health-specific video content. Focus on contextual targeting (placing ads on relevant channels or topics) rather than audience-based targeting built from health-interest signals.
LinkedIn, Pinterest, and Snapchat: Secondary Channels with Similar Architecture
LinkedIn is relevant for telehealth companies targeting employer health benefits, HR decision-makers, and B2B partnerships. LinkedIn's Insight Tag operates the same way as other platform pixels: client-side JavaScript that sends page view and conversion data to LinkedIn's servers. Replace with server-side conversion tracking through LinkedIn's Conversions API.
Pinterest drives health discovery behavior. The BetterHelp case explicitly named Pinterest as a recipient of health data. Replace the Pinterest Tag with the Pinterest API for Conversions.
Snapchat is relevant for telehealth companies targeting Gen Z patients. Replace the Snap Pixel with the Snapchat Conversions API.
The pattern is consistent across every platform: replace client-side tracking with server-side APIs, strip health context from event payloads, and gate data flows on consent.
The Compliance Infrastructure Telehealth Advertisers Need
Running compliant campaigns across multiple platforms simultaneously requires infrastructure that most telehealth companies do not build themselves.
A server-side data layer that sits between your website and all advertising platforms. When a conversion occurs, your server sends the event to each platform's API with appropriate data transformation for each destination.
A consent management system that verifies consent server-side before any data flows. This is not a cookie banner that checks a JavaScript variable. It is a server-side gate that confirms consent status before conversion events fire to any platform.
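The server-side gate described above (consent verified on the server, health context stripped from the URL, event name and custom parameters, identifiers hashed before anything reaches a platform API), as an added example that is not code from this guide or from Ours Privacy. The consent store, denylists, sample event and outbound field names are constructed for illustration, not any platform's exact API schema.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed consent store: in production this is a server-side record of consent, not a browser cookie flag.
CONSENT_STORE = {"user-123": True, "user-456": False}
# Constructed denylists; a real deployment derives them from the site map and intake forms.
HEALTH_TERMS = re.compile(r"anxiety|adhd|depression|therapy|assessment|treatment", re.I)
HEALTH_PARAM_KEYS = {"condition", "symptoms", "diagnosis", "medication", "service"}
# Descriptive pixel titles such as "Paid: Weekly Therapy" map to generic platform events.
GENERIC_EVENTS = {"paid": "Purchase", "booked": "Schedule", "intake": "Lead"}

# Constructed sample event, as a client-side pixel would have emitted it.
SAMPLE_EVENT = {
    "user_id": "user-123", "email": "  Pat@Example.com ", "ip": "203.0.113.7",
    "event_name": "Paid: Weekly Therapy",
    "page_url": "https://yourtelehealthsite.com/services/adhd-assessment?condition=adhd",
    "custom": {"service": "adhd", "campaign": "therapy-spring", "plan": "weekly", "value": 120},
}

def consent_granted(user_id: str) -> bool:
    # Unknown users are treated as not consented.
    return CONSENT_STORE.get(user_id, False)

def hash_identifier(value: str) -> str:
    # SHA-256 of the trimmed, lower-cased identifier, the form the platform APIs accept.
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def generic_event_name(name: str) -> str:
    lowered = name.lower()
    for key, generic in GENERIC_EVENTS.items():
        if key in lowered:
            return generic
    return "Conversion"

def build_outbound_event(event: dict):
    """Return the payload safe to forward to an ad platform API, or None without consent."""
    if not consent_granted(event["user_id"]):
        return None  # nothing leaves the server without verified consent
    parts = urlsplit(event["page_url"])
    # Keep scheme and host only: on a telehealth site the path and query carry health context.
    safe_url = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    custom = {k: v for k, v in event.get("custom", {}).items()
              if k.lower() not in HEALTH_PARAM_KEYS and not HEALTH_TERMS.search(str(v))}
    return {  # the raw email and IP address are never forwarded
        "event_name": generic_event_name(event["event_name"]),
        "event_source_url": safe_url,
        "em": hash_identifier(event["email"]),
        "custom_data": custom,
    }
```

The same sanitized payload can then be handed to each platform's server-side API (Google Ads API, Meta CAPI, TikTok Events API, and so on) by a per-destination adapter.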
A comprehensive BAA with your tracking infrastructure vendor. Google, Meta, TikTok, LinkedIn, Pinterest, and Snapchat do not sign BAAs. The vendor that sits between your website and these platforms must sign a BAA that covers all marketing data in transit.
SOC 2 Type II with all five trust criteria. Your infrastructure vendor should maintain SOC 2 Type II covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most vendors certify only Security. All five criteria mean independent auditors verified healthcare-grade data handling.
Continuous site monitoring. A web scanner that crawls your site on an ongoing basis catches platform pixels that get reinstalled, third-party scripts that load additional tracking, and any new tags added during campaign launches. Every major telehealth enforcement case involved tracking that ran for months or years before discovery.
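A minimal version of the site scan described above, as an added example rather than Ours Privacy's own scanner: it parses one page's HTML and flags the client-side pixels this guide says to replace, whether loaded by a script src or by an inline loader snippet. The host list and inline markers reflect the pixels as known at the time of writing and are an assumption to maintain; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script hosts and inline markers of the client-side pixels this guide says to replace.
# Known at time of writing; treat as a starting point and maintain your own list.
PIXEL_HOSTS = {"connect.facebook.net": "Meta Pixel", "www.googletagmanager.com": "Google tag",
               "analytics.tiktok.com": "TikTok Pixel", "snap.licdn.com": "LinkedIn Insight Tag",
               "s.pinimg.com": "Pinterest Tag", "sc-static.net": "Snap Pixel"}
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "ttq.": "TikTok Pixel",
                  "snaptr(": "Snap Pixel", "pintrk(": "Pinterest Tag",
                  "_linkedin_partner_id": "LinkedIn Insight Tag"}

class PixelScanner(HTMLParser):
    """Collects (vendor, evidence) pairs from script src attributes and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        self._in_script = tag == "script"
        host = urlsplit(src).netloc.lower()
        for known, vendor in PIXEL_HOSTS.items():
            if host == known or host.endswith("." + known):
                self.findings.append((vendor, src))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for marker, vendor in {**INLINE_MARKERS, **PIXEL_HOSTS}.items():
            if marker in data:  # loader snippets reference the host and call fbq()/gtag()/...
                self.findings.append((vendor, "inline: " + marker))

def scan_page(html: str):
    """Return sorted, de-duplicated (vendor, evidence) findings for one page."""
    scanner = PixelScanner()
    scanner.feed(html)
    return sorted(set(scanner.findings))

# Constructed page: a reinstalled Meta Pixel loader beside the site's own script.
SAMPLE_HTML = """<html><head>
<script>!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','PLACEHOLDER_PIXEL_ID');fbq('track','PageView');</script>
<script src="https://cdn.example.com/app.js"></script>
</head><body><p>Book a visit</p></body></html>"""
```

Run it against every crawled page after each deploy and alert on any non-empty result; tags injected by a tag manager at runtime need a rendered DOM rather than the raw HTML.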
FAQ
Why are telehealth companies facing more enforcement than hospitals?
Telehealth companies are digitally native, meaning their entire patient acquisition funnel runs through marketing technology. Their websites inherently carry health context because the entire business is healthcare delivery. This creates more surface area for tracking-related PHI exposure. The FTC has also used telehealth cases to establish precedent under the Health Breach Notification Rule, which applies to entities not covered by HIPAA.
Can telehealth companies use retargeting on any platform?
Retargeting based on health-specific page visits creates PHI exposure because it connects individual identifiers to health interests. Telehealth companies can use retargeting based on general website visits (homepage, about page) or from server-side conversion audiences stripped of health context. The key is ensuring the retargeting audience segment does not associate identifiable users with health conditions or treatment interests.
Do telehealth startups need the same compliance infrastructure as large health systems?
Yes. The FTC does not differentiate enforcement based on company size. BetterHelp, Cerebral, and Monument were all venture-backed telehealth companies, not large health systems. The compliance requirements apply to any entity handling health data, and the enforcement history shows that telehealth companies face equal or greater scrutiny.
How should telehealth companies handle multi-platform attribution?
Server-side conversion tracking supports multi-platform attribution by sending conversion events to each platform's API. Use a unified server-side data layer that distributes events across Google, Meta, TikTok, and other platforms simultaneously. This preserves campaign-level attribution data while controlling what information reaches each platform.
What is the safest advertising platform for telehealth companies?
No platform is inherently safer than another. The compliance risk comes from the tracking architecture, not the platform. Google, Meta, TikTok, YouTube, LinkedIn, and Pinterest all offer server-side conversion APIs that enable compliant tracking. The "safest" setup is whichever combination of platforms your server-side infrastructure supports with proper consent gating and health context stripping.
Telehealth advertising compliance is not about choosing different platforms. It is about building different infrastructure. The channels that drive patient acquisition are the same ones that created tens of millions in enforcement liability for companies that used their default tracking setups. If your telehealth company is running paid campaigns, Ours Privacy provides the server-side infrastructure, consent management, and continuous monitoring that telehealth advertisers require.
Related reading:
Mental Health Practice Advertising: Navigating Sensitive Category Restrictions
Meta Conversion API for Healthcare: Step-by-Step Server-Side Implementation
Google Ads for Healthcare: The Complete HIPAA Compliance Setup Guide
TikTok Ads for Healthcare: Can You Advertise Medical Services on TikTok?