The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Cerebral, Inc. has agreed to an order that will restrict how the company can use or disclose sensitive consumer data and require it to provide consumers with a simple way to cancel services to settle Federal Trade Commission charges that the telehealth firm failed to secure and protect sensitive health data.
Under the proposed order, filed by the Department of Justice upon notification and referral from the FTC, Cerebral will also be required to pay more than $7 million over charges that it disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its easy cancellation promises. The order must be approved by the court before it can go into effect.
“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."
Cerebral provides online mental health and related services on a negative option basis, which means consumers are automatically charged unless they cancel those services. Consumers who sign up and use the company’s services provide detailed personal data including their home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about their treatment plans, pharmacy and health insurance plans, and other personal data, such as their religious or political beliefs, or sexual orientation.
The complaint charges that Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies. The complaint also charges that Cerebral and Robertson violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unfair and deceptive practices with respect to substance use disorder treatment services.
To get consumers to sign up for the company’s services and provide detailed personal data, the company claimed it offered “safe, secure, and discreet” services and that users’ data would be kept confidential, according to the complaint. The complaint charges that Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising and buried disclaimers about its data sharing practices in dense privacy policies. In fact, according to the complaint, the company claimed in many instances that it would not share users’ data for marketing purposes without obtaining consumers’ consent. The complaint alleges that these practices originated under the direction of its former CEO, Robertson, and continued after his tenure.
Specifically, the complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps. These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps. Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information, according to the complaint.
The complaint says that Cerebral, and Robertson, while he was CEO, also failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in sloppy security practices. As described in the complaint, Cerebral’s practices included:
In addition to its privacy and data security failures, the complaint alleges that Cerebral also violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of Cerebral’s cancellation policies before charging consumers. Despite promising that consumers could “cancel anytime,” Cerebral required its clients to navigate a complex, multi-step, and often multi-day process to cancel. The complaint alleges that the company continued to charge consumers while it slow-walked consumers’ cancellation requests, which cost consumers millions in additional charges. When it first implemented an easier cancellation button in April 2020, the company removed it after only two weeks at Robertson’s direction after seeing cancellations rise, according to the complaint.
The proposed order, which must be approved by a federal court before it can go into effect, only applies to Cerebral. Robertson has not agreed to a settlement, and the charges against him will be decided by the court.
Under the proposed order, Cerebral will pay nearly $5.1 million, which will be used to provide partial refunds to consumers impacted by its deceptive cancellation practices, as well as a $10 million civil penalty, which will be suspended after a $2 million penalty payment due to the company’s inability to pay the full amount. The proposed order also will:
The Commission voted 3-0 to refer the complaint against Cerebral and Robertson and a stipulated final order with Cerebral to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Southern District of Florida.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.
FTC’s lead attorneys on this matter are Joshua Millard and Christopher Erickson in the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.