The Federal Trade Commission (FTC) recently announced two proposed settlement agreements (in the form of stipulated orders)[1] (the “consent orders”) with Monument, Inc., an alcohol addiction treatment service, and Cerebral, Inc., a subscription-based online health care treatment service, signaling the FTC’s continued commitment to pursue digital health companies that the FTC believes have improperly used or disclosed consumers’ health information. The complaints focus on the companies’ disclosure of consumers’ health information to advertising platforms without the consumers’ consent, as well as Cerebral’s alleged failure to honor its “easy” subscription cancellation promises. Of note, the FTC complaint against Cerebral named its CEO individually, alleging that he is personally liable for the counts raised in the complaint because of his involvement in the challenged practices. The CEO has not agreed to a settlement, and the case against him will proceed in the district court.
The consent orders build on other recent FTC settlements (e.g., Flo Health, GoodRx, BetterHelp, and Premom) and guidance to further define the FTC’s position on data sharing by digital health websites, apps, and other related services. This alert provides a summary and analysis of the Monument and Cerebral complaints and consent orders, as well as our takeaway observations.
Monument
Monument provides online addiction treatment services, offering its clients access to online support groups, community forums, online therapy, and physicians. According to the complaint preceding the FTC’s consent order,[2] Monument made statements to its users through its customer service representatives, website, and marketing that information users shared with Monument would be kept confidential and that Monument was “HIPAA-compliant.” Monument’s privacy policy did state that it shared users’ personal information for “marketing,” but, according to the complaint, that “voluminous, densely worded privacy policy” contradicted the confidentiality statements and “buried” the fact that Monument discloses personal information to third parties (including advertising companies) through tracking technologies.
The complaint alleged that Monument:
Cerebral
Cerebral offers subscription-based online health care treatment services for conditions such as mental health, medication management, and substance use disorders. According to the complaint preceding the FTC’s consent order,[3] through promotional materials, statements on Cerebral’s website, and as part of Cerebral’s enrollment process, Cerebral made assurances that users’ personal data would be kept confidential, would not be used for marketing purposes without users’ consent, and would be secured within the company’s information security infrastructure. However, Cerebral allegedly disclosed nearly 3.2 million consumers’ sensitive health information to third parties for advertising purposes via tracking tools on its website and apps. Cerebral also allegedly engaged in other unauthorized data sharing practices, including releasing patient files to the wrong users, failing to revoke former Cerebral employees’ and contractors’ access to user information, revealing subscriber treatment information on postcards, and exposing patients’ log-in data as a result of data breaches. The complaint further alleged that Cerebral misled consumers about the ease of Cerebral’s subscription cancellation process and about whether their sensitive health information would be disclosed to third parties as part of signing up for a subscription.
Notably, the complaint alleged that Cerebral’s CEO played a pivotal role in, and directly contributed to, the company’s information security, data sharing, marketing, and subscription cancellation practices. The FTC noted that the CEO shaped and approved Cerebral’s annual budgets, which “invested disproportionately in growth and marketing, but deprioritized compliance and data security functions,” notwithstanding his knowledge that privacy and security issues had dogged the company and that these issues should have been paramount for a health-related company.
The complaint alleged that Cerebral:
Consent Orders
Under Cerebral’s consent order, Cerebral is ordered to pay almost $5.1 million to provide partial refunds to consumers impacted by Cerebral’s cancellation practices, as well as a $10 million civil penalty, all but $2 million of which is suspended because the company is unable to pay the full amount. Separately, under Monument’s consent order, Monument is ordered to pay a $2.5 million civil penalty for violating the Opioid Addiction Recovery Fraud Prevention Act (OARFPA), but the payment is suspended in full due to Monument’s inability to pay.
Monument is prohibited from disclosing consumers’ sensitive health information to third parties for certain advertising purposes, including targeted advertising, unless Monument first obtains the user’s affirmative express consent. The FTC went a step further in the Cerebral order, which prohibits Cerebral from disclosing any user’s personal information (whether or not it is health-related) to any third party other than Cerebral’s service providers without first obtaining the user’s affirmative express consent.
Many of the other requirements of the consent orders are similar to the requirements imposed on other digital health companies that received FTC complaints and consent orders in the past year. For example, like in the Premom, BetterHelp, and GoodRx orders, both Monument and Cerebral would be required to:
Key Observations
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Tracy Shapiro, Hale Melnick, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] The FTC commissioners unanimously voted to refer the complaint and stipulated final order to the U.S. Department of Justice for filing. The final order must be approved by the federal court to go into effect.
[2] The complaint was filed by the Department of Justice upon notification and referral from the FTC.
[3] The complaint was filed by the Department of Justice upon notification and referral from the FTC.