Sharing 3.2 million consumers’ data: FTC takes action against telehealth firm Cerebral
Posted: May 10, 2024
The Federal Trade Commission (FTC) has filed a complaint against telehealth company Cerebral, Inc. and its former CEO, Kyle Robertson. Cerebral has settled the complaint via a series of commitments to privacy and security that clearly demonstrate the FTC’s high standards.
The complaint alleges that Cerebral deceived users about its data sharing and security practices and misled consumers about its cancellation policies. Under a proposed order, Cerebral will be banned from sharing certain data for advertising purposes and will pay $7 million in penalties and refunds.
This article explains what went wrong for Cerebral and how the company’s data-sharing practices allegedly violated consumer protection law.
‘Safe, secure, and discreet’ services
Cerebral is an online therapy company that offered a “safe, secure, and discreet” service secured by “the latest information security technology.”
Despite these assurances, the FTC alleges that Cerebral:
- “Failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising.”
- “Provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok.”
- “Repeatedly mishandled and exposed that data in a series of data breaches.”
The shared data allegedly included:
- Names
- Medical and prescription histories
- Home and email addresses
- Phone numbers
- Birthdates
- Demographic information
- IP addresses
- Pharmacy and health insurance information
- “Other health information”
Central to the FTC’s complaint is the allegation that Cerebral “provided consumers’ sensitive personal information” to third parties for marketing purposes without consent. The company collected and shared the data via “pixels” and other tracking technology.
Particularly given the company’s promises about privacy and security, the agency alleges that this activity violates consumer protection law, the FTC Act.
Data security failures
The FTC also alleges that Cerebral engaged in harmful security practices, including:
- Engaging in “careless marketing”: The FTC says Cerebral sent out postcards for marketing purposes to over 6,000 patients that included their names and “language that appeared to reveal their diagnosis and treatment.”
- Weak access controls: Cerebral allegedly allowed former employees to access user data and used “insecure access methods” that exposed confidential medical files.
- Lack of policies and training: The FTC claims Cerebral failed to implement “adequate policies and training” related to handling sensitive data.
The FTC says that these data security practices also violated the FTC Act, which prohibits “unfair” commercial conduct.
An activity can be “unfair” under the FTC Act if it causes or is likely to cause substantial injury to consumers that cannot reasonably be avoided and is not outweighed by benefits to consumers or competition.
These alleged data security failings might also have violated the Health Insurance Portability and Accountability Act (HIPAA). Although the FTC does not regulate HIPAA directly, the agency’s complaint against Cerebral includes numerous allegations that these practices might fall short of HIPAA standards.
‘Slow walking’ cancellation requests
In addition to the privacy and security allegations outlined above, the FTC claims Cerebral violated another consumer protection law, the Restore Online Shoppers’ Confidence Act (ROSCA), by:
- “Failing to clearly disclose all material terms of Cerebral’s cancellation policies before charging consumers.”
- Promising consumers could “cancel anytime,” but requiring a “complex, multi-step, and often multi-day process to cancel.”
- Continuing to charge consumers while “slow-walking” their cancellation requests, costing them “millions in additional charges.”
These activities allegedly violate ROSCA’s requirement to provide “clear, accurate information” about online services and refund policies.
Proposed order and settlement
To settle the FTC’s complaint, Cerebral agreed to a proposed order that includes:
- A “first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”
- Paying $7 million, including $5.1 million for partial refunds and a $2 million civil penalty.
- Implementing a comprehensive privacy and data security program.
- Posting a notice on its website about the allegations and required steps.
- Implementing a data retention schedule and providing a way for consumers to request data deletion.
- Prohibiting misrepresentations about cancellation policies and providing an easy cancellation method.
Cerebral’s case is just one example of how the US privacy, security, and consumer protection landscape is changing dramatically.
The FTC has recently pursued several other companies for alleged privacy violations, including—so far this year alone—data aggregators X-Mode Social and InMarket, the antivirus company Avast, and the alcohol addiction clinic Monument.
This enforcement activity comes as the FTC is also engaged in privacy-related rulemaking, including by amending the Health Breach Notification Rule and the Children’s Online Privacy Protection Act (COPPA) Rule.
The FTC is clearly prioritizing privacy and security protections at the federal level – and the agency shows no signs of slowing down.