2026-05-18 · 8 min read

AI therapy apps: licensing rules, FTC enforcement, and the crisis-resources duty

Mental-health software has a regulatory stack that's deeper than founders usually realise. State psychology licensing boards police diagnosis and treatment claims. The FTC enforces against deceptive data-sharing. The FDA regulates anything that diagnoses or treats — even via chatbot. And both major app stores now require crisis-resources disclosure. Here's the enforcement record, the four-layer compliance stack, and what to ship before traffic scales.

The enforcement record so far

Multiple AI / chatbot mental-health products have been targets of recent enforcement. Each action shaped what the next generation of products needs to do at minimum.

  • BetterHelp (FTC, 2023) — $7.8M in consumer redress over sharing mental-health intake data with Meta, Snap and other advertising platforms via tracking pixels. The order's granular data-sharing disclosure and affirmative-consent requirements became the template for the category.
  • Cerebral (FTC, 2024) — $5.1M in consumer refunds, within a roughly $7M order whose civil penalty was largely suspended, over sharing patient data with advertising platforms and obstructing cancellation. The controlled-substance prescribing questions around Cerebral were pursued separately by DOJ/DEA, not under this FTC order.
  • Monument (FTC, 2023) — $2.5M for sharing user mental-health and alcohol-treatment data with ad networks.
  • Replika (Italian Garante, 2023) — processing of Italian users' data blocked over risks to minors and emotionally vulnerable users, with no age verification or safeguards in place.
  • Woebot, Wysa, Calm, Headspace — no enforcement actions to date; all carry the disclaimer-plus-crisis-resources pattern described below.

Layer 1 — State licensing boards

Every US state regulates the practice of psychology, psychiatry, counseling, and clinical social work. The statutes use language written for human practitioners but state boards have consistently applied them to software products that perform the same functions. The operative test is whether the software diagnoses, treats, or provides psychotherapy. "Treatment" is the term-of-art most boards focus on — and it's broader than founders assume.

  • Diagnostic statements ("you have anxiety / depression / PTSD") are reserved to licensed clinicians in every state. Replace with experiential framing ("what you're describing is something many people associate with anxiety").
  • The words "therapy", "psychotherapy", "counseling" are state-board sensitive. Use "support", "reflection", "self-help" instead.
  • Prescription of psychiatric medication requires a licensed prescriber. Software-mediated prescribing of controlled substances after a light-touch online assessment (the Cerebral pattern) drew DEA/DOJ scrutiny; the FTC's own Cerebral case turned on data sharing and cancellation practices.
  • Equivalence claims ("replaces your therapist", "AI therapist") have triggered Italian, German, and US state-board actions.

Layer 2 — FTC + state AGs

The FTC has pursued mental-health apps on two recurring theories: (1) deceptive marketing (overclaiming clinical efficacy or independence) and (2) inadequate data-sharing disclosure (sharing mental-health data with ad networks without granular consent). Both the BetterHelp and Monument settlements turn on the second theory. The remediation language in those consent orders is now the de facto compliance template for the category.

The BetterHelp template

The BetterHelp consent order requires the company to obtain affirmative express consent before sharing any health information for advertising, to provide granular disclosure of every category of data shared with each third party, and to pay $7.8M in consumer redress. The template — granular disclosure + affirmative consent + no behavioural advertising — is what subsequent settlements have replicated.

Layer 3 — FDA (sometimes)

The FDA regulates software as a medical device (SaMD) when the software is intended to diagnose, cure, mitigate, treat, or prevent disease. Most mental-health support apps stay out of FDA scope by carefully avoiding diagnostic and treatment claims. Apps that diagnose, recommend treatment, or claim to treat specific conditions enter SaMD scope and need FDA premarket review (510(k) clearance or De Novo), unless they fall within one of the enforcement-discretion categories in FDA's digital health and general-wellness guidance.

Practical implication: language matters here at exactly the same place state-board law cares about it. The phrase "treats anxiety" pulls you into both unlicensed-practice and SaMD scope; "supports people experiencing anxiety" stays out of both.

Layer 4 — App store policies

Apple and Google both require crisis-resources disclosure for apps in the mental-health, wellness, and self-help categories. Rejection at app review is the most common operational consequence — the practical floor is to include 988 (US Suicide & Crisis Lifeline) in every app and on every web page that touches mental-health content.

The four-line minimum every survivor ships

  1. Crisis resources in the footer + in the chat interface header: "If you're in crisis, call or text 988 in the US, or visit findahelpline.com for international resources."
  2. Disclaimer next to every interaction: "I'm a self-reflection tool, not a therapist. I can't diagnose or treat conditions."
  3. Granular data-sharing disclosure on the home page and privacy policy: name every third party and exactly what category of data is shared with each.
  4. No diagnostic language in any model output. Train the system prompt against "you have X" framings. Comply Code's scanner flags these in your rendered HTML.

EU and UK overlay

If you serve EU users, the EU AI Act treats mental-health systems with care: software that diagnoses or treats is a medical device under the Medical Devices Regulation, which makes a standalone diagnostic / treatment system high-risk under Article 6(1) via Annex I and subject to conformity assessment (Annex III's own list of high-risk areas does not name mental health). The UK's MHRA regulates software as a medical device on essentially the same lines as the FDA. GDPR's Article 9 also makes mental-health data "special category" data, processable only with explicit consent or another Article 9(2) basis, so granular data-sharing disclosure is mandatory, not best practice, in EU scope.

What to do this week

  1. Add 988 / findahelpline.com to your footer and chat header today. This satisfies both the duty-of-care argument and app-store review.
  2. Audit every user-facing string in your product for the words: diagnose, treat, prescribe, therapy, psychotherapy, counseling. Replace each, except in the disclaimer itself, where the negated use ("I can't diagnose or treat conditions") is the point.
  3. Document what mental-health data you share with every third party and write it into your home page in plain language — not buried in the privacy policy.
  4. Re-scan after each change. Comply Code's mental-health rule pack catches the disclaimer absences, diagnostic-language patterns, and missing crisis resources described here.
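The copy audit and output guard the two lists above describe can be run as a pre-deploy check and a runtime filter. The following is an added example written for this article, not Comply Code's scanner; the word lists, the sample HTML pages and the sample model replies are constructed here, and the patterns will need tuning to your product (expect false positives such as "treat yourself" in the copy audit).

```python
"""Pre-deploy copy audit and runtime output guard for a mental-health support app.

Added example for this article, not Comply Code's scanner. Regexes, sample
HTML and sample model replies are constructed here; tune the word lists to
your product.
"""
import re
from dataclasses import dataclass

# Condition nouns that turn "you have ..." into a diagnostic statement (constructed list).
CONDITIONS = (
    r"(?:anxiety|depression|ptsd|ocd|adhd|bipolar(?: disorder)?|"
    r"(?:an? )?(?:panic|eating|personality|mood) disorder)"
)

# "you have anxiety", "you suffer from clinical depression": reframable to experiential wording.
YOU_HAVE = re.compile(
    rf"\byou (?:have|suffer from|are suffering from)\s+"
    rf"(?:(?:severe|clinical|generalized|generalised)\s+)?(?P<cond>{CONDITIONS})\b",
    re.I,
)

# Other diagnostic or prescribing framings; a reply containing these is blocked outright.
DIAGNOSTIC = [
    re.compile(r"\byou(?:'re| are)\s+(?:clinically\s+|clearly\s+)?(?:depressed|bipolar|manic)\b", re.I),
    re.compile(r"\b(?:your|my) diagnosis\b|\bi(?:'m| am) diagnosing\b", re.I),
    re.compile(r"\bi prescribe\b|\byou should (?:take|start|increase)\b[^.]*?\b\d+\s?mg\b", re.I),
]

# State-board / SaMD vocabulary to audit out of product copy (article's list).
CLINICAL_TERMS = re.compile(
    r"\b(?:diagnos(?:e|es|ed|is|ing)|treat(?:s|ed|ment|ing)?|"
    r"prescri(?:be|bes|bed|bing|ption)|psychotherapy|therapy|counsel(?:ing|ling))\b", re.I)
# Negated uses ("I can't diagnose or treat") are the disclaimer itself, so they are exempt.
NEGATED = re.compile(
    r"\b(?:can't|cannot|don't|do not|not|never)\s+(?:diagnose|treat|prescribe)\w*"
    r"(?:\s+or\s+(?:diagnose|treat|prescribe)\w*)*", re.I)
EQUIVALENCE = re.compile(
    r"\b(?:ai|virtual|digital) therapist\b|\breplaces? your (?:therapist|psychiatrist)\b", re.I)
CRISIS = re.compile(r"\b988\b|findahelpline\.com", re.I)
DISCLAIMER = re.compile(r"\bnot (?:a therapist|a substitute for professional care)\b", re.I)

FALLBACK = ("I'm a self-reflection tool, not a therapist, so I can't tell you what condition "
            "you have or what to take. A licensed clinician can. If you're in crisis, call or "
            "text 988 in the US, or visit findahelpline.com.")


@dataclass
class PageFindings:
    diagnostic: list
    clinical_terms: list
    equivalence: list
    missing_crisis_resources: bool
    missing_disclaimer: bool

    def ok(self) -> bool:
        return not (self.diagnostic or self.clinical_terms or self.equivalence
                    or self.missing_crisis_resources or self.missing_disclaimer)


def visible_text(html: str) -> str:
    """Strip tags so the audit sees what the user reads (crude, but fine for rendered copy)."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html))


def audit_page(html: str) -> PageFindings:
    """Copy audit for layers 1, 3 and 4: diagnostic framing, clinical vocabulary,
    equivalence claims, and presence of crisis resources and the disclaimer."""
    text = visible_text(html)
    diagnostic = [m.group(0) for m in YOU_HAVE.finditer(text)]
    for pat in DIAGNOSTIC:
        diagnostic += [m.group(0) for m in pat.finditer(text)]
    terms_text = NEGATED.sub(" ", text)  # keep the disclaimer's "can't diagnose or treat"
    return PageFindings(
        diagnostic=diagnostic,
        clinical_terms=sorted({m.group(0).lower() for m in CLINICAL_TERMS.finditer(terms_text)}),
        equivalence=[m.group(0) for m in EQUIVALENCE.finditer(text)],
        missing_crisis_resources=CRISIS.search(text) is None,
        missing_disclaimer=DISCLAIMER.search(text) is None,
    )


def guard_model_output(reply: str) -> tuple:
    """Runtime guard for chat replies. Returns (status, text_to_render) where status is
    "pass" (untouched), "reframed" ("you have X" rewritten to the experiential form the
    article suggests) or "blocked" (other diagnostic/prescribing framing; FALLBACK shown)."""
    reframed = YOU_HAVE.sub(
        lambda m: f"what you're describing is something many people associate with {m.group('cond')}",
        reply,
    )
    if any(p.search(reframed) for p in DIAGNOSTIC):
        return "blocked", FALLBACK
    return ("pass" if reframed == reply else "reframed"), reframed


# Constructed sample pages: one that fails every check and the corrected version.
SAMPLE_PAGE = """<html><body><h1>Meet Mira, your AI therapist</h1>
<p>Mira diagnoses anxiety and treats depression with CBT.</p></body></html>"""
SAMPLE_PAGE_FIXED = """<html><body><h1>Meet Mira, a space to reflect</h1>
<p>Mira supports people experiencing anxiety or low mood.</p>
<p>I'm a self-reflection tool, not a therapist. I can't diagnose or treat conditions.</p>
<footer>If you're in crisis, call or text 988 in the US, or visit findahelpline.com.</footer>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE))
    print(audit_page(SAMPLE_PAGE_FIXED).ok())
    print(guard_model_output("Based on what you've told me, you have anxiety."))
    print(guard_model_output("Your diagnosis is bipolar disorder; you should start lithium 300mg."))
```

Run `audit_page` over every rendered route in CI and fail the build when `ok()` is false; run `guard_model_output` on each model reply before it is rendered, and log the "reframed" and "blocked" counts so you can see how often the system prompt is drifting into diagnostic framing.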
More: compliance scanning for AI therapy and mental-health apps

Common questions.

Is calling it an 'AI companion' instead of 'AI therapist' enough?

It helps but is not sufficient on its own. State boards and the FTC look at function, not just naming. A product called 'AI companion' that diagnoses anxiety and recommends treatment is still doing the regulated thing. The naming matters because it shapes user expectations and reduces marketing-deception risk; the underlying behaviour is what determines licensing-board exposure.

What if I just use the LLM with no clinical claims?

This is the safest framing and what most surviving products do. Position the product as a self-reflection or journaling aid, avoid clinical vocabulary, include the disclaimer and crisis resources, and make the system prompt actively avoid diagnostic outputs. This isn't a guarantee against state-board investigation but it's the established floor.

Do I need HIPAA compliance?

HIPAA applies if you're a 'covered entity' (insurer, provider, clearinghouse) or a 'business associate' of one. Most consumer-direct mental-health apps are not covered entities and don't trigger HIPAA. They do trigger state mental-health privacy laws (which often have HIPAA-equivalent provisions for mental-health data specifically), Washington's My Health My Data Act, and FTC Section 5. Operationally, the BetterHelp consent order's data-sharing template is what most apps now use; it's strict enough to satisfy most overlapping regimes.

What about minors?

If your app is accessible to minors (under 18 in most US states, varies elsewhere), you face additional layers: COPPA (under 13 in the US) requires verifiable parental consent for data collection; the EU AI Act treats minors as a sensitive group warranting extra protection; and state-by-state rules on minor mental-health treatment apply. Most consumer mental-health products require users to confirm they're 18+ at signup specifically to stay out of this layer.

Does Comply Code's scanner detect mental-health licensing risk?

Yes — when our classifier detects mental-health vertical signals, it runs a rule pack flagging diagnostic language, missing 'not a substitute for professional care' disclaimers, missing crisis-resources disclosure, and undisclosed third-party data sharing. Findings appear under 'professional licensing' in the report.

