Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million

Cerebral, Inc. has agreed to an order that, will restrict how the company can use or disclose sensitive consumer data and require it to provide consumers with a simple way to cancel services to settle Federal Trade Commission charges that the telehealth firm failed to secure and protect sensitive health data.

Under the proposed order, filed by the Department of Justice upon notification and referral from the FTC, Cerebral will also be required to pay more than $7 million over charges that it disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its easy cancellation promises. The order must be approved by the court before it can go into effect.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

Cerebral provides online mental health and related services on a negative option basis, which means consumers are automatically charged unless they cancel those services. Consumers who sign up and use the company’s services provide detailed personal data including their home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about their treatment plans, pharmacy and health insurance plans, and other personal data, such as their religious or political beliefs, or sexual orientation.

The complaint charges that Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies. The complaint also charges that Cerebral and Robertson violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unfair and deceptive practices with respect to substance use disorder treatment services.

To get consumers to sign up for the company’s services and provide detailed personal data, the company claimed it offered “safe, secure, and discreet” services and that users’ data would be kept confidential, according to the complaint. The complaint charges that Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising and buried disclaimers about its data sharing practices in dense privacy policies. In fact, according to the complaint, the company claimed in many instances that it would not share users’ data for marketing purposes without obtaining consumers’ consent. The complaint alleges that these practices originated under the direction of its former CEO, Robertson, and continued after his tenure.

Specifically, the complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps. These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps. Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information, according to the complaint.

The complaint says that Cerebral, and Robertson, while he was CEO, also failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in sloppy security practices. As described in the complaint, Cerebral’s practices included:

• Engaging in Careless Marketing: Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards;
• Allowing Former Employees to Access User Data: From May to December 2021, the company failed to block former employees from accessing confidential electronic medical records of Cerebral patients. It also failed to ensure providers only accessed their patients’ records;
• Using Insecure Access Methods: The company used a single sign-on method for accessing its patient portal that in numerous instances exposed confidential medical files and patient information such as diagnoses, medications, email addresses, and phone numbers, to other patients when those users signed onto the portal at the same time; and
• Failing to Implement Adequate Policies and Training: The company failed to restrict access to consumer data to only those employees who needed it, implement proper procedures and training related to the handling of sensitive data, and develop and implement adequate information security standards, policies, and procedures.

In addition to its privacy and data security failures, the complaint alleges that Cerebral also violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of Cerebral’s cancellation policies before charging consumers. Despite promising that consumers could “cancel anytime,” Cerebral required its clients to navigate a complex, multi-step, and often multi-day process to cancel. The complaint alleges that the company continued to charge consumers while it slow-walked consumers’ cancellation requests, which cost consumers millions in additional charges. When it first implemented an easier cancellation button in April 2020, the company removed it after only two weeks at Robertson’s direction after seeing cancellations rise, according to the complaint.

The proposed order, which must be approved by a federal court before it can go into effect, only applies to Cerebral. Robertson has not agreed to a settlement, and the charges against him will be decided by the court.

Under the proposed order, Cerebral will pay nearly $5.1 million, which will be used to provide partial refunds to consumers impacted by its deceptive cancellation practices, as well as a $10 million civil penalty, which will be suspended after a $2 million penalty payment due to the company’s inability to pay the full amount. The proposed order also will:

• Permanently ban Cerebral from using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes, and generally require the company to obtain consumers’ consent before disclosing such information to outside parties;
• Prohibit the company from misrepresenting its privacy and data security practices;
• Require the company to implement a comprehensive privacy and data security program that, among other things, addresses the specific problems outlined in the complaint;
• Require the company to post a notice on its website alerting users to the allegations outlined in the complaint and detail the steps it is required to take under the order;
• Require the company to implement a data retention schedule and to delete most consumer data not used for treatment, payment, or health care operations unless consumers consent to its retention, and provide consumers with a clear mechanism to request that their data be deleted; and
• Prohibit the company from misrepresenting any negative option and cancellation policies or practices and also require it to provide consumers with an easy method to cancel services.

The Commission voted 3-0 to refer the complaint against Cerebral and Robertson and a stipulated final order with Cerebral to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Southern District of Florida.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

FTC’s lead attorneys on this matter are Joshua Millard and Christopher Erickson in the FTC’s Bureau of Consumer Protection.