USA: FTC orders Cerebral to pay $7.1M for improper use of sensitive data for advertising

On April 15, 2024, the Federal Trade Commission (FTC) announced that it had issued a proposed order prohibiting Cerebral, Inc. from using or disclosing sensitive customer data for advertising purposes. The FTC also charged that Cerebral had failed to honor its easy cancellation promises in violation of the Federal Trade Commission Act (the FTC Act). Additionally, Cerebral will be required to pay more than $7 million in penalties.

Background to the proposed order

The FTC had notified the Department of Justice (DoJ) over complaints that Cerebral, providing online mental health and related services, had violated nearly 3.2 million customers' privacy by revealing their most sensitive mental health conditions to third parties by using or integrating tracking tools on its website or apps. Furthermore, Cerebral was also charged with misleading customers about the company's cancellation policies.

Findings of the FTC

In its complaint, the FTC found that Cerebral repeatedly mishandled and exposed data in a series of data breaches, including:

  • unauthorized disclosure of hundreds of patient files to other patients, former employees and contractors, and former agents;
  • unauthorized postcards revealing thousands of patients in treatment;
  • engaging in careless marketing;
  • using insecure access methods, causing unauthorized logins to other patients' files; and
  • failing to implement adequate policies and training.

Therefore, the FTC found Cerebral violated Section 5(a) of the FTC Act. In addition, the FTC found Cerebral in violation of other laws, such as the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), by engaging in unfair and deceptive practices with respect to substance use disorder treatment services and the Restore Online Shoppers' Confidence Act.

Outcomes

In light of the above, the FTC issued a proposed order. The proposed order requires Cerebral to, among other things:

  • pay nearly $5.1 million which will be used to provide partial refunds to impacted consumers, as well as a $10 million civil penalty which will be suspended after a $2 million penalty payment due to the company's inability to pay the full amount;
  • permanently stop using or disclosing consumers' personal and health information to third parties for most marketing or advertising purposes;
  • stop misrepresenting its privacy and data security practices;
  • implement a comprehensive privacy and data security program;
  • post a notice on its website alerting users to the allegations and orders outlined in the complaint;
  • implement a data retention schedule and delete most consumer data not being used; and
  • stop misrepresenting any negative option and cancellation policies or practices, and provide consumers with an easy method to cancel services.

Moreover, the FTC noted that Cerebral had agreed to the proposed order, but that the order would require approval from the court before it goes into effect.

You can read the press release here, the complaint here, and the proposed order here.  
