On April 15, 2024, the U.S. Department of Justice, upon referral from the Federal Trade Commission, filed a complaint and stipulated order against telehealth company Cerebral, Inc. The claims related to the company’s sharing personal data without consumer consent and making it very difficult for consumers to cancel their subscriptions to this telehealth service. As part of the order, the company agreed to post “clearly and conspicuously” on its websites and apps for the next two years:
Between October 2019 and [date], we shared the personal information of consumers visiting our website and apps with other companies without their permission. Specifically, we shared details about consumers (including contact information, birthdates, IP addresses, and other demographic information); any intake questionnaire responses they provided (including selected services and other personal health information); location information; and subscription or other treatment information (including appointment dates, clinical information, and insurance and pharmacy information) with approximately two-dozen outside firms, including social media firms such as Facebook / Meta and TikTok, and other businesses such as Google.
In brief, the company agreed to settle the charges, without admitting or denying the allegations, for a civil penalty of $10 million (partly suspended) plus $5 million in civil relief, as part of a 20-year stipulated order. The order also requires the company to destroy personal data for which it had not received consent and to create a document retention and destruction policy.
Background
According to the complaint, Cerebral has offered telehealth services, including mental health treatment and/or medication management services, through websites and mobile apps since October 2019. As the notice quoted above indicates, the company collected some very sensitive personal information. Its privacy policy stated that the company would treat the data confidentially and would not share data without user consent. In December 2020, the company revised its privacy policy (increasing its length to 15 pages) and added a statement that it used Facebook Pixel, a web analytics and advertising service by Facebook, Inc. that “uses cookies, pixel tags, and other storage and tracking technology to collect or receive information from [Cerebral’s] [w]ebsites and [a]pps based on [consumers’] usage activity.” The company also, according to the complaint, used the consumer data for targeted advertising services that “relied on exploiting user PHI in order to (1) retarget current Cerebral users with additional advertisements for Cerebral services, and (2) target new, potential users who were demographically similar to existing Cerebral users.” The complaint stated: “By permitting tracking tools on Cerebral’s websites and apps, Defendants caused a massive disclosure of consumers’ remarkably sensitive PHI directly or indirectly to twenty or more third parties, including LinkedIn, Snapchat, and TikTok.”
Then, according to the complaint:
In March 2023, over three years after it began to unlawfully share its patients’ PHI with third parties as alleged above, Cerebral filed a notice with the U.S. Department of Health and Human Services (“HHS”) acknowledging that its inappropriate use of tracking tools on its websites and apps constituted a breach of unsecured health information protected under HIPAA. Cerebral disclosed that its breach impacted nearly 3.2 million consumers between October 2019 and March 2023.
The company also admitted “that it disclosed consumers’ sensitive PHI to entities that were not able to meet all legal requirements to protect consumers’ health information.”
The complaint alleged that the company’s data handling practices also resulted in unauthorized disclosures of personal information beyond the tracking tools. For example, the government alleged that the company placed personal information “in a shared electronic folder, which unauthorized persons whom Cerebral has been unable to identify accessed multiple times.” In addition, “former employees and contractors accessed 266 patient files using access credentials Cerebral failed to revoke.” The second allegation is a plain offboarding failure: credentials that are not revoked when a relationship ends remain valid, and the complaint attributes a specific count of patient-file accesses to exactly that gap.
The complaint alleged that Cerebral’s conduct constituted unfair and deceptive acts or practices in violation of Section 5 of the Federal Trade Commission Act, plus a claim for violation of the Restore Online Shoppers’ Confidence Act (ROSCA) based on its complex subscription-cancellation process, plus a claim for violation of the federal Opioid Act with respect to a substance use disorder treatment service.
The Stipulated Order
In addition to the $10 million penalty and $5 million civil relief, the 20-year order places several additional obligations on the company, including the website notice described above, third-party assessments, an information security program, express consent requirements with respect to personal information, certifications by third parties to which personal information is disclosed, and required disclosures with respect to negative option subscriptions.
The order also, in Section IX, sets forth data destruction requirements and a data retention policy. The company has 60 days to delete all personal data collected without appropriate consent unless it obtains affirmative express consent. The order defines “Deletion” to mean “to remove Covered Information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.” Note that this definition is about retrievability, not merely about marking a record as deleted or hiding it in an application; a soft-delete flag that leaves the row intact and queryable would not satisfy it. With respect to a data retention policy, the order states:
- Within seven days of entry of this Order, Defendant must document and adhere to a retention schedule for Covered Information in compliance with this Order. Such schedule shall set forth: (1) the purpose or purposes for which each type of Covered Information is collected; (2) the specific business needs for retaining each type of Covered Information; (3) a specific timeframe for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumers) limited to the shortest time necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information or retention beyond 10 years; and (4) a true and accurate explanation of why the set timeframe for Deletion is the shortest time reasonably necessary for the specific business needs cited.
The order also requires Cerebral to permit individuals to access or delete their data, and the company has 30 days to respond to such a request, which can be extended for an additional 30 days when “reasonably necessary.” Cerebral has 30 days from the date of the order to submit to the FTC a listing of all third parties that received the covered information “in any form, including in hashed or encrypted form.” That phrasing matters: hashing or encrypting the data before sending it to a third party does not take the disclosure outside the order. The company has 60 days from the date of the order to contact those third parties and direct them to delete the data unless the data is necessary for the treatment, payment or health care operations of patients. In addition, the order requires the company, for each product or service, to develop policies and procedures that include, among other things, “the data retention limit set for each type of Covered Information and the technical means for achieving Deletion.”
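To make the retention-schedule and Deletion requirements concrete, here is an added example (not from the order, the FTC, or Cerebral’s own systems) of how an engineering team might encode the Section IX rules so they can be checked and enforced programmatically. The field names, the in-memory record store, the sample data types and the justification text are all assumptions for illustration; the numeric limits (no indefinite retention, a 10-year ceiling, 30 days plus one 30-day extension for consumer requests) come from the order as summarized above.

```python
"""Retention-schedule validation and enforcement modeled on Section IX of the order.

Added example for illustration only. The data model, the in-memory store and the
sample records are assumptions, not Cerebral's code or the order's own text.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_RETENTION_DAYS = 10 * 365     # order: retention may never exceed 10 years or be indefinite
REQUEST_RESPONSE_DAYS = 30        # order: respond to an access/deletion request within 30 days
REQUEST_EXTENSION_DAYS = 30       # order: one further 30 days "when reasonably necessary"


@dataclass(frozen=True)
class RetentionRule:
    """One row of the retention schedule, carrying the four elements the order requires."""
    data_type: str
    purpose: str                   # (1) why this type of Covered Information is collected
    business_need: str             # (2) the specific business need for retaining it
    retention_days: Optional[int]  # (3) timeframe for Deletion; None means indefinite (forbidden)
    justification: str             # (4) why that timeframe is the shortest reasonably necessary


@dataclass
class Record:
    record_id: str
    data_type: str
    collected_on: date
    consented: bool                # affirmative express consent on file for this record


def validate_schedule(rules: List[RetentionRule]) -> List[str]:
    """Return the ways a schedule fails the order's requirements; empty list means acceptable."""
    problems = []
    for r in rules:
        if r.retention_days is None:
            problems.append(f"{r.data_type}: indefinite retention is not permitted")
        elif r.retention_days <= 0 or r.retention_days > MAX_RETENTION_DAYS:
            problems.append(f"{r.data_type}: {r.retention_days} days is outside (0, 10 years]")
        for element in ("purpose", "business_need", "justification"):
            if not getattr(r, element).strip():
                problems.append(f"{r.data_type}: missing {element}")
    return problems


def records_due_for_deletion(records: List[Record], rules: List[RetentionRule],
                             today: date) -> List[str]:
    """IDs of records that must be deleted: past their retention window, or held without consent.

    A record whose data type has no schedule row is an error rather than a judgment call,
    because the order requires every type of Covered Information to be scheduled.
    """
    by_type: Dict[str, RetentionRule] = {r.data_type: r for r in rules}
    due = []
    for rec in records:
        rule = by_type.get(rec.data_type)
        if rule is None or rule.retention_days is None:
            raise ValueError(f"{rec.record_id}: data type {rec.data_type!r} has no valid schedule row")
        expired = rec.collected_on + timedelta(days=rule.retention_days) <= today
        if not rec.consented or expired:
            due.append(rec.record_id)
    return due


def delete_records(store: Dict[str, Record], record_ids: List[str]) -> int:
    """Remove records so they are no longer retrievable from the store.

    Assumed to be the system of record; the order's definition of Deletion is not met by
    a soft-delete flag that leaves the row in place, so the entry is removed outright.
    """
    removed = 0
    for rid in record_ids:
        if store.pop(rid, None) is not None:
            removed += 1
    return removed


def request_deadline(received_on: date, extended: bool = False) -> date:
    """Latest date to answer a consumer access/deletion request, with the optional extension."""
    days = REQUEST_RESPONSE_DAYS + (REQUEST_EXTENSION_DAYS if extended else 0)
    return received_on + timedelta(days=days)


# Constructed sample schedule and records (assumptions, not real data).
SAMPLE_RULES = [
    RetentionRule("intake_questionnaire", "clinical intake and treatment planning",
                  "needed for the duration of care plus follow-up", 7 * 365,
                  "assumed justification: clinical follow-up window"),
    RetentionRule("web_analytics", "aggregate site usage measurement",
                  "needed only until the monthly report is produced", 90,
                  "assumed justification: reports are finalized within a quarter"),
]

SAMPLE_RECORDS = [
    Record("r1", "intake_questionnaire", date(2019, 10, 1), consented=True),
    Record("r2", "web_analytics", date(2024, 1, 15), consented=True),   # past 90 days
    Record("r3", "web_analytics", date(2024, 5, 20), consented=False),  # no consent on file
    Record("r4", "intake_questionnaire", date(2024, 5, 1), consented=True),
]


def run_sample(today: date = date(2024, 6, 1)) -> Dict[str, object]:
    """Validate the sample schedule, compute what is due, and delete it from an in-memory store."""
    store = {rec.record_id: rec for rec in SAMPLE_RECORDS}
    due = records_due_for_deletion(list(store.values()), SAMPLE_RULES, today)
    removed = delete_records(store, due)
    return {"problems": validate_schedule(SAMPLE_RULES), "due": due,
            "removed": removed, "remaining": sorted(store)}


if __name__ == "__main__":
    print(run_sample())
```

The validator rejects a schedule row with no timeframe (the order’s ban on indefinite retention) or with a timeframe past 10 years, and refuses to compute deletions for a data type that has no row at all; the deletion routine removes entries from the store rather than flagging them, which is the behavior the order’s definition of Deletion calls for.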
Our Take
It is becoming routine for U.S. regulators to require companies that have a data breach and/or mishandle consumer personal information to implement a meaningful record retention program that focuses on deletion of personal information. We are seeing order after order in the U.S. pushing back on indefinite retention of information.
Mature privacy programs must coordinate with their information governance counterparts to develop guidance that actually helps employees organize their data and effectively delete information they no longer need. Vague assertions of legal or business need are no longer enough to justify storing personal information for extended periods of time. Here, the Stipulated Order focused on tying specific retention periods to demonstrable business or legal requirements, and on documenting why each period is the shortest reasonably necessary.
As with any compliance program, the most difficult part is not generating the guidance, policies or procedures, but cost-effectively changing people’s behavior and measuring success. It is great if a company’s system of record programmatically deletes records at specific time periods and intervals. That success is undermined, however, if employees can easily download the same information and squirrel it away in file shares, SharePoint sites and hard drives; the shared-folder allegation in this complaint is a reminder that such copies are also where unauthorized access tends to happen.
Maturing and implementing meaningful record retention requires making incremental progress with your enterprise systems as well as with employee behavior and distributed file storage. It will take time, and record retention needs to be integrated into the business model of both your front-end and back-end operations.