Recent FTC Settlement a Reminder of Agency Focus on Disclosing Health Information to Third-Parties

Hinch Newman LLP

On April 11, 2024, the Federal Trade Commission announced that it has banned an alcohol addiction treatment firm from disclosing health data for advertising purposes in order to settle agency charges that the company shared data with third-party advertising platforms without consent.

According to FTC attorneys, the agency took action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, the New York-based company will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third-parties for any other purpose.

Despite Monument’s promises to keep users’ personal information private, the complaint, filed by the Department of Justice upon notification and referral from the FTC, alleges that the company failed to ensure it was complying with its promises and disclosed users’ health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol.

“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said FTC lawyer Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

According to the FTC, the New York-based company offers users, depending on membership levels that cost from $14.99 to $249 a month, access to online support groups, community forums, online therapy, and access to physicians who can prescribe medications that assist in treating alcohol addiction. The FTC says that the company collects personal information from consumers when they sign up for the service, including their name, email addresses, date of birth, phone numbers, addresses, copies of their government-issued IDs, and information about their alcohol consumption and medical history, as well as their IP addresses and device IDs when they start using the service.

The complaint alleges that from 2020-2022, the company claimed on its website and/or in other communications with consumers that users’ personal information would be “100% confidential” and that the company would not disclose such data to third parties without users’ consent. The company also claimed it complied with the Health Insurance Portability and Accountability Act, which protects health information held by entities covered by HIPAA and their business associates, when an outside assessor hired by the company found that it had not fully complied with HIPAA’s requirements, according to the agency.

According to the complaint, the company contradicted its privacy promises. From 2020-2022, the company allegedly disclosed users’ personal information, including their health information, to numerous third-party advertising platforms via tracking technologies, known as pixels and application programming interfaces, which the company purportedly integrated into its website. The company used the information to target ads for its services to both current users who subscribe to the lowest cost memberships and to target new consumers, according to the complaint.

According to the FTC, the company used the pixels and APIs to track “standard” and “custom events,” meaning instances in which consumers interacted with its website. The FTC says that the company gave the custom events descriptive titles that revealed details about its users such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service. The FTC alleges that the company disclosed this custom events information to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, which enabled third parties to identify the users and associate the custom events with specific individuals.

The company disclosed information of as many as 84,000 users, though it did not have a precise number because it did not adequately track or inventory the personal information it collected and disclosed to third-party advertising platforms like Meta, according to the complaint.

The complaint alleges that these practices violated the FTC Act’s prohibition against unfair and deceptive practices and the Opioid Addiction Recovery Fraud Prevention Act of 2018, which prohibits deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product.

In addition to the ban on sharing data with third-parties for advertising, the proposed order with the company, which must be approved by a federal court before it can go into effect, also prohibits the company from misrepresenting its data collection and disclosure practices and imposes a $2.5 million civil penalty for violating OARFPA, which will be suspended due to the company’s inability to pay. If the company is found to have misrepresented its finances, it will be required to pay the full amount.

Other provisions of the proposed order require the company to:

  • Seek deletion of data: The company must identify all the user data it shared with third-parties and direct those third-parties to delete the personal data that was shared with them.
  • Inform Consumers: The company must inform consumers who have yet to be notified by the company about the disclosure of their health information to third-parties for advertising.
  • Implement Mandated Privacy Program: The company must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data and address the issues the FTC identified in its complaint. The program must include limits on how long the company may retain personal and health information according to a data retention schedule.

Takeaway: The settlement announced by the FTC - one of a number of recent regulatory enforcement actions in the digital health sector - illustrates that the agency continues to focus on the use and disclosure of consumer health data. It also demonstrates that the FTC will not hesitate to utilize all available rules (here, the OARFPA) in order to obtain monetary civil penalties. Consult with an experienced Ecommerce attorney in order to ensure that representations regarding privacy practices are truthful and not deceptive, that lawful consent is obtained for data sharing and use, and that applicable legal regulations are complied with.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinch Newman LLP | Attorney Advertising
