The Federal Trade Commission (FTC) imposed a $7.1 million fine on mental health startup Cerebral over allegations of consumer privacy violations and deceptive trading practices.
The company and its former CEO, Kyle Robertson, were accused of breaching privacy promises and disclosing protected health information (PHI) to third parties for advertising.
Specifically, the order filed by the Department of Justice alleges that Cerebral disclosed the personal data of its users to third parties, including patients' names, medical and prescription histories, home and email addresses, demographic information, and pharmacy and health insurance information.
Furthermore, it alleges that Cerebral misled consumers by claiming its cancellation policies were easy. In practice, Cerebral consumers had to undertake a difficult, multi-step process to cancel their services, during which the company allegedly delayed customers' cancellation requests and kept charging service fees, costing consumers millions of dollars in extra fees.
"As the Commission's complaint lays out, Cerebral violated its customers' privacy by revealing their most sensitive mental health conditions across the Internet and in the mail," said FTC Chair Lina M. Khan. "To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."
"Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy," explained Cerebral in a statement about the FTC order.
According to an FTC press release, Cerebral shared the sensitive data of nearly 3.2 million consumers with third parties like Snapchat, TikTok, and LinkedIn. Of the total, $5.1 million goes toward consumer refunds, and the remainder is a $10 million civil penalty that was partially suspended to $2 million due to the company's financial constraints.
The proposed order addresses the privacy breaches and deceptive practices identified in Cerebral's operations by permanently banning the unauthorized use or disclosure of consumers' PHI for marketing purposes.
It mandates a comprehensive privacy and data security program that addresses systemic weaknesses to protect consumer data from future breaches. It further requires Cerebral to post a notice on the company's website, informing users of the allegations in the complaint and detailing the steps mandated by the order.
Additionally, it mandates that Cerebral implement a data retention schedule and delete most consumer data not needed for treatment, payment, or healthcare operations unless consumers explicitly consent to retention, while also providing a clear mechanism for consumers to request data deletion.
Finally, the proposed order prohibits the misrepresentation of cancellation policies and requires an easy method for consumers to cancel services.
Overall, the provisions outlined in the proposed order promote consumer privacy and hold companies accountable for their data-handling practices. The order aims to increase transparency in data collection and usage, giving consumers more control over their personal information. Additionally, it provides clear guidelines for data security measures to prevent breaches and unauthorized access.