In a significant regulatory action, the U.S. Federal Trade Commission (FTC) has fined mental health telehealth startup Cerebral over $7 million for major privacy violations, highlighting the importance of safeguarding users’ personal medical data. The FTC order prohibits Cerebral from using or disclosing personal medical data for advertising purposes, following charges that the company shared sensitive health information with third parties without adequate disclosure to users.
According to the FTC, Cerebral and its former CEO, Kyle Robertson, repeatedly breached privacy promises and misled consumers about the company’s cancellation policies. The agency accused Cerebral of engaging in deceptive practices by failing to clearly disclose that users’ information would be shared with third parties for advertising purposes, despite claiming to offer “safe, secure, and discreet” services.
Furthermore, the FTC complaint alleged that Cerebral provided the sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat, and TikTok since its founding in October 2019. The company’s integration of tracking tools within its websites and apps enabled the sharing of names, medical histories, addresses, phone numbers, and other health information with third-party platforms for advertising and data analytics functions.
To address these violations, Cerebral has been ordered to implement a comprehensive privacy and data security program, including measures to prevent unauthorized access to user data and ensure compliance with privacy regulations. Additionally, the company must post a notice on its website informing users of the FTC order and provide a mechanism for users to request the deletion of their data not essential for treatment, payment, or healthcare operations.
This enforcement action by the FTC underscores the importance of transparency and accountability in handling users’ sensitive medical data, sending a clear message to companies in the telehealth industry to prioritize consumer privacy and compliance with regulatory standards.