FTC directs Cerebral to limit sharing of consumer data
.jpg?1713982088)
The Federal Trade Commission (FTC) has mandated that Cerebral, Inc. limit its use and disclosure of sensitive consumer data and provide consumers with an easy way to cancel services. The order aims to resolve FTC allegations that the telehealth company failed to adequately protect sensitive health data.
As per the proposed order filed by the Department of Justice following notification and referral by the FTC, Cerebral will also have to pay over $7 million for allegedly sharing consumers’ sensitive personal health information and other data with third parties for advertising purposes, in addition to not honoring its cancellation promises. The court must approve the order for it to become effective.
Cerebral offers online mental health services on a negative option basis, where consumers are automatically charged unless they cancel the services. To sign up and use the services, consumers provide extensive personal data including addresses, medical histories, payment details, and more.
The complaint alleges that Cerebral and its previous CEO failed to uphold privacy promises, misled consumers about cancellation policies, and violated the Opioid Addiction Recovery Fraud Prevention Act of 2018. The company allegedly shared sensitive data with third parties for advertising without clear disclosure to consumers.
Specifically, the complaint states that Cerebral shared personal information of around 3.2 million consumers with platforms like LinkedIn, Snapchat, and TikTok through tracking tools on its website or apps. These tools collected and transmitted data to offer advertising and data analytics services to the platforms. Additionally, Cerebral reportedly lacked proper data security measures.
Aside from privacy and security issues, the complaint accuses Cerebral of breaching the Restore Online Shoppers’ Confidence Act by not clearly disclosing its cancellation policies to consumers. The company made it difficult for users to cancel services, resulting in additional charges.
Under the proposed order, Cerebral will pay nearly $5.1 million in refunds to impacted consumers and a civil penalty of $10 million, with $2 million to be paid initially. The order will also prevent Cerebral from sharing consumer information with third parties without consent, require the implementation of a privacy and data security program, and mandate clear disclosure of cancellation policies.
