The online mental health company Cerebral has agreed to refrain from drawing on users' data for marketing or advertising purposes, in order to settle privacy charges brought by the Federal Trade Commission.
The settlement agreement -- which will also resolve charges that Cerebral thwarted consumers' attempts to cancel subscription fees -- additionally requires the company to pay $7 million.
“Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” FTC Chair Lina Khan stated Monday.
The FTC charges and proposed settlement, both unveiled Monday, largely stem from allegations that Cerebral's websites and apps used third-party tracking tools to collect consumers' health data -- including data about their activity on Cerebrals' sites and apps, contact information, and persistent identifiers.
advertisement
advertisement
That information was then used to "re-target current Cerebral users with additional advertisements for Cerebral services, and to target new consumers who were “demographically similar to existing Cerebral users,” according to the FTC.
The complaint includes a claim that Cerebral deceived users by promising to keep their information confidential, but then sharing with third-party analytics companies.
“By permitting tracking tools on Cerebral’s websites and apps, defendants caused a massive disclosure of consumers’ remarkably sensitive [personal health information] directly or indirectly to 20 or more third parties, including LinkedIn, Snapchat, and TikTok,” the FTC alleges in a complaint brought in U.S. District Court for the Southern District of Florida.
“That information includes names; home addresses; email addresses; phone numbers; birthdates; other demographic information; IP addresses; medical and prescription histories; pharmacy and health insurance information; and other health information, including treatment plans and treatment appointment dates,” the agency adds.
In March 2023, Cerebral disclosed that its “inappropriate use of tracking tools on its websites and apps” amounted to a breach of health data protected by the Health Insurance Portability and Accountability Act, the complaint alleges.
Cerebral stated Monday it agreed to “implement enhanced consumer protection, privacy, and compliance measures to further protect the personal information of our clients, increase transparency into our data practices, and implement enhanced data security protocols and tools to allow our clients control over their privacy settings.”
Meta Platforms is facing a separate privacy lawsuit by Cerebral users who claim their health data was sent to Meta through its Pixel tool -- analytics code that allegedly transmitted information about Cerebral visitors back to Meta.
In February, U.S. District Court Judge William Orrick in the Northern District of California rejected Meta's request to throw out the complaint.
“Cerebral is not simply a healthcare provider; it is a mental health services provider,” Orrick wrote, adding that even “somewhat innocuous information like name and zip code” could become sensitive given that “plaintiffs were seeking mental health services.”