The Federal Trade Commission (FTC) recently announced two proposed settlement agreements (in the form of a stipulated order)[1] (the “consent orders”) with Monument, Inc., an alcohol addiction treatment service, and Cerebral, Inc., a subscription-based online health care treatment service, signaling the FTC’s continued commitment to pursue digital health companies that the FTC believes have improperly used or disclosed consumers’ health information. The complaints focus on the companies’ disclosure of consumers’ health information to advertising platforms without the consumers’ consent, as well as Cerebral’s alleged failure to honor its “easy” subscription cancellation promises. Of note, the FTC complaint against Cerebral named its CEO personally liable for his alleged involvement with the counts raised in the complaint. The CEO has not agreed to a settlement and the case will proceed in the district court.
The consent orders build on other recent FTC settlements (e.g., Flo Health, GoodRx, BetterHelp, and Premom) and guidance to further define the FTC’s position on data sharing by digital health websites, apps, and other related services. This alert provides a summary and analysis of the Monument and Cerebral complaints and consent orders, as well as our takeaway observations.
Monument
Monument provides online addiction treatment services, offering its clients access to online support groups, community forums, online therapy, and physicians. According to the complaint preceding the FTC’s consent order,[2] Monument made statements to its users through its customer service representatives, website, and marketing that information users shared with Monument would be kept confidential and that Monument was “HIPAA-compliant.” While Monument also made statements in its privacy policy that it shared users’ personal information for “marketing,” according to the complaint, Monument’s “voluminous, densely worded privacy policy” contradicted these statements and “buried” the fact that Monument discloses personal information to third parties (including advertising companies) through tracking technologies.
The complaint alleged that Monument:
- violated the Opioid Addiction Recovery Fraud Prevention Act (OARFPA) by misrepresenting that it would not disclose users’ personal information relating to alcohol addiction treatment services; and
- violated Section 5 of the FTC Act by: (i) failing to employ reasonable measures to prevent the disclosure of consumers’ health information via tracking technologies for advertising and third parties’ own purposes (Unfairness Count); (ii) failing to obtain consumers’ affirmative express consent before disclosing consumers’ health information to third parties for the third parties’ purposes and for Monument’s own advertising purposes (Unfairness Count); (iii) misrepresenting the fact that it disclosed users’ health information for advertising and without the consumers’ knowledge or consent (Deception Count); and (iv) misrepresenting its compliance with HIPAA (Deception Count).
Cerebral
Cerebral offers subscription-based online health care treatment services in areas such as mental health, medication management, and substance use disorders. According to the complaint preceding the FTC’s consent order,[3] through promotional materials, statements on Cerebral’s website, and as part of Cerebral’s enrollment process, Cerebral made assurances that users’ personal data would be kept confidential, would not be used for marketing purposes without users’ consent, and would be secured in the company’s information security infrastructure. However, Cerebral allegedly disclosed nearly 3.2 million consumers’ sensitive health information to third parties for advertising purposes via tracking tools on its website and apps. Cerebral also allegedly engaged in other unauthorized data sharing practices, including releasing patient files to the wrong users, failing to revoke former Cerebral employees’ and contractors’ access to user information, revealing subscriber treatment information in postcards, and exposing patients’ log-in data as a result of data breaches. The complaint further alleged that Cerebral misled consumers about the ease of Cerebral’s subscription cancellation process and about the fact that their sensitive health information would be disclosed to third parties as part of signing up for a subscription.
Notably, the complaint alleged that Cerebral’s CEO played a pivotal role in, and directly contributed to, the company’s information security, data sharing, marketing, and subscription cancellation practices. The FTC noted that the CEO shaped and approved Cerebral’s annual budgets, which “invested disproportionately in growth and marketing, but deprioritized compliance and data security functions,” notwithstanding his knowledge that privacy and security issues had dogged the company and that these issues should have been paramount for a health-related company.
The complaint alleged that Cerebral:
- violated the OARFPA by disclosing users’ personal information in connection with Cerebral’s advertisement, marketing, promotion, offer for sale, and sale of alcohol addiction treatment services;
- violated Section 5 of the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to meet ROSCA’s subscription cancellation requirements; and
- violated Section 5 of the FTC Act by (i) failing to employ reasonable measures to protect consumers’ personal information and using consumers’ personal health information for marketing purposes without first obtaining the consumers’ consent (Unfairness Count); (ii) failing to disclose that it used or disclosed consumers’ health information to third parties for advertising purposes or the third parties’ own uses, despite advertising that the information would remain confidential and secure (Deception Count); and (iii) marketing its cancellation process as allowing users to “cancel anytime” when the process was extensive and otherwise deceptive (Deception Count).
Consent Orders
Under Cerebral’s consent order, Cerebral is ordered to pay almost $5.1 million to provide partial refunds to consumers impacted by Cerebral’s cancellation practices, as well as a $10 million civil penalty, all but $2 million of which is suspended due to the company’s inability to pay the full $10 million civil penalty amount. Separately, under Monument’s consent order, Monument is ordered to pay a $2.5 million civil penalty for violating the OARFPA, but the payment is completely suspended due to Monument’s inability to pay.
Monument is prohibited from disclosing consumers’ sensitive health information to third parties for certain advertising purposes, including targeted advertising, unless Monument first obtains the user’s affirmative express consent. The FTC went a step further in the Cerebral order, which prohibits Cerebral from disclosing any users’ personal information (regardless of whether it is health-related or not) to third parties other than Cerebral’s service providers without first obtaining the user’s affirmative express consent.
Many of the other requirements of the consent orders are similar to the requirements imposed on other digital health companies that received FTC complaints and consent orders in the past year. For example, as in the Premom, BetterHelp, and GoodRx orders, both Monument and Cerebral would be required to:
- instruct third parties that obtained user health information from Monument and Cerebral without authorization to delete the information (Cerebral is also specifically required to delete all health information in its possession to the extent it was not collected for facilitating health care services, unless Cerebral obtains affirmative express consent from the individual to retain it);
- implement a comprehensive privacy and security program that protects the privacy, security, and confidentiality of users’ personal information, including their health information;
- establish, document, and adhere to a data retention schedule with details about the information the company collects and why such collection is necessary; and
- obtain an initial and biannual privacy and security assessment conducted by an independent, third-party professional that must be approved by the FTC.
Key Observations
- Digital Health Companies’ Use of Tracking Technologies Still Top of Mind. The Cerebral and Monument consent orders are two more in a long line of recent orders from the FTC relating to website and mobile app disclosure of health information to advertising platforms. The FTC has taken the position that digital health companies cannot disclose consumers’ sensitive health information to third parties (including to advertising platforms via tracking technologies) without the consumers’ affirmative express consent. Furthermore, the FTC has underscored that websites and mobile apps should label their custom event fields in a manner that does not disclose consumers’ health information to advertising and analytics partners.
- Linking to Privacy Policy May Not Be Sufficient for Consent. The FTC made clear that, in its view, disclosures in a company’s privacy policy about its sharing of health-related information are not sufficient to obtain consumer consent, at least not where the company has made other contradictory statements about maintaining the confidentiality of consumers’ information.
- Individual Liability. The Cerebral complaint demonstrates the FTC’s continued interest in holding company leaders liable for unfair and deceptive privacy and security practices. Company executives should take note that the FTC may seek to hold them accountable for maintaining a privacy and security program reasonable for the size, resources, and information activities of their companies.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Tracy Shapiro, Hale Melnick, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] The FTC commissioners unanimously voted to refer the complaint and stipulated final order to the U.S. Department of Justice for filing. The final order must be approved by the federal court to go into effect.
[2] The complaint was filed by the Department of Justice upon notification and referral from the FTC.
[3] The complaint was filed by the Department of Justice upon notification and referral from the FTC.