Cerebral, Inc. has agreed to a stipulated order with the Federal Trade Commission (FTC) to resolve allegations of deceptive practices and improper handling of sensitive consumer information.
Cerebral, Inc., an online healthcare service provider, faced charges from the FTC alleged misuse of consumer information and failure to adequately disclose the terms of its service charges, particularly concerning its subscription models. According to the FTC, Cerebral not only engaged in deceptive marketing practices but also mishandled sensitive health and billing information without obtaining proper consent from its users.
The case concerns the use of tracking technologies from tech giants, including Google, Meta (Facebook), and TikTok, which Cerebral determined in January 2023 that it inadvertently disclosed sensitive identifying and medical information to an extensive network of marketers and advertisers.
In March 2023, the company started sending notices to 3,179,835 people, informing them that their information had been exposed in a HIPAA privacy breach.
FTC’s action is very similar to the February 2023 decision against GoodRx Holding, that was fined $1.5 million for failing to report that they were sharing sensitive health information of its customers with Google, Facebook, Criteo, Branch, Twilio, and other third parties.
According to the FTC, Cerebral not only engaged in deceptive marketing practices but also mishandled sensitive health and billing information without obtaining proper consent from its users.
The key provisions of the stipulated order are as follows:
- Cerebral, Inc. is ordered to pay $5,087,252.89 as monetary relief to consumers and an additional $10,000,000 as a civil penalty (to be limited to $2,000,000). The payment is part of a larger settlement to address the profits gained from its alleged unlawful activities.
- The court has issued several injunctions against Cerebral, prohibiting the company from using consumer data for advertising purposes without explicit consent. The order also mandates comprehensive changes to how Cerebral handles consumer information, aiming to prevent future misuse.
- Under the order, Cerebral must establish a rigorous privacy and information security program. This includes conducting regular risk assessments and audits, providing extensive employee training on privacy standards, and implementing more robust data protection measures.
- Cerebral is required to submit detailed compliance reports to the FTC and undergo independent privacy assessments biennially for the next 20 years. These assessments will evaluate the effectiveness of the implemented privacy measures and ensure ongoing compliance with the stipulated order.
Consumers who were potentially affected by Cerebral’s practices may be eligible for restitution as part of the monetary relief efforts. The company is also tasked with ensuring more transparent communication about subscription terms and providing easier mechanisms for users to manage their consent and subscription preferences.
For individuals concerned about their data privacy, especially in dealing with health-related services online, this case serves as a critical reminder of the importance of understanding the terms of service and the privacy policies of online platforms.