Alcohol addiction treatment firm caught by Federal Trade Commission disclosing health data for advertising…
April 12, 2024
If there is any doubt about the value of health data and the importance of maintaining strict security, look no further than the Federal Trade Commission’s (“FTC”) action against Monument, Inc., a New York-based alcohol addiction treatment service, for disclosing its users’ personal health data to advertising platforms, among them Meta and Google, without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain affirmative consent before sharing it for any other purpose. That, however, is only the tip of a very large administrative iceberg that Monument has to navigate. The FTC, as is its usual practice, has set down obligations to implement procedures, take specified action and submit to monitoring by an independent assessor. The enforceable undertakings are far better drafted and more encompassing than the few undertakings issued by the Information Commissioner. They are worth reading because they contain clauses that could be incorporated into contracts and terms of settlement, and that the regulator could use were the Information Commissioner to become more active.
The statement from the FTC provides:
The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.
As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose.
Despite Monument’s promises to keep users’ personal information private, the complaint, filed by the Department of Justice upon notification and referral from the FTC, alleges that Monument failed to ensure it was complying with its promises and in fact disclosed users’ health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol.
“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”
New York-based Monument offers users, depending on membership levels that cost from $14.99 to $249 a month, access to online support groups, community forums, online therapy, and access to physicians who can prescribe medications that assist in treating alcohol addiction. The company collects personal information from consumers when they sign up for the service including their name, email addresses, date of birth, phone numbers, addresses, copies of their government issued IDs, and information about their alcohol consumption and medical history, as well as their IP addresses and device IDs when they start using the service.
The complaint says that from 2020-2022, Monument claimed on its website and/or in other communications with consumers that users’ personal information would be “100% confidential” and that the company would not disclose such data to third parties without users’ consent. The company also claimed it complied with the Health Insurance Portability and Accountability Act (HIPAA), which protects health information held by entities covered by HIPAA and their business associates, when in fact an outside assessor hired by the company found that it had not fully complied with HIPAA’s requirements.
According to the complaint, the company contradicted its privacy promises. From 2020-2022, the company allegedly disclosed users’ personal information, including their health information, to numerous third-party advertising platforms via tracking technologies, known as pixels and application programming interfaces (APIs), which Monument integrated into its website. Monument used the information to target ads for its services to both current users who subscribe to the lowest cost memberships and to target new consumers, according to the complaint.
Monument used these pixels and APIs to track “standard” and “custom events,” meaning instances in which consumers interacted with Monument’s website. The FTC says that Monument gave the custom events descriptive titles that revealed details about its users such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service. Monument disclosed this custom events information to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, which enabled third parties to identify the users and associate the custom events with specific individuals, according to the complaint.
Monument disclosed information of as many as 84,000 users, though it did not have a precise number because it did not adequately track or inventory the personal information it collected and disclosed to third-party advertising platforms like Meta, according to the complaint.
The complaint alleges that these practices violated the FTC Act’s prohibition against unfair and deceptive practices and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which prohibits deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product.
In addition to the ban on sharing data with third parties for advertising, the proposed order with Monument, which must be approved by a federal court before it can go into effect, also prohibits the company from misrepresenting its data collection and disclosure practices and imposes a $2.5 million civil penalty for violating OARFPA, which will be suspended due to the company’s inability to pay. If the company is found to have misrepresented its finances, it will be required to pay the full amount. Other provisions of the proposed order require Monument to:
- Seek deletion of data: Monument must identify all the user data it shared with third parties and direct those third parties to delete the personal data that was shared with them.
- Inform Consumers: Monument must inform consumers who have yet to be notified by the company about the disclosure of their health information to third parties for advertising.
- Implement Mandated Privacy Program: Monument must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data and address the issues the FTC identified in its complaint. The program must include limits on how long Monument can retain personal and health information according to a data retention schedule.
The Commission voted 3-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the District of Columbia.
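The mechanism the complaint describes is worth seeing concretely: a tracking pixel fires a “custom event” whose name (“Paid: Weekly Therapy”, “Paid: Med Management”) reveals the treatment, and the same request carries an email hash, IP address or other identifier that lets the platform attach that event to a person. The following is an added example, not code from the FTC order, the complaint or Monument: a small Python audit over a capture of a site’s outbound requests that flags exactly that combination, which is the kind of test of each disclosure mechanism (web beacons, pixels, SDKs) the order’s privacy program later requires. It assumes a Meta-pixel-style `/tr` query layout (`ev` for the event name, `ud[...]` for matching identifiers) and a Universal-Analytics-style `collect` layout (`ea`, `cid`, `uip`); the host list, the sensitive-term list and every sample URL are constructed for the example.

```python
"""Audit captured outbound tracking requests for health-data disclosures.

Added example; not code from the FTC order, the complaint, or Monument.
Assumptions: the analyst has a capture of the browser's outbound requests
(for example a HAR export); Meta-pixel-style requests carry the event name
in `ev` and matching identifiers in `ud[...]`; Universal-Analytics-style
`collect` requests carry the event in `ea`, the client id in `cid` and an
IP override in `uip`. The host list, the sensitive-term list and every
sample URL below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Third-party advertising/analytics endpoints to inspect (assumed list).
AD_ENDPOINT_HOSTS = ("www.facebook.com", "www.google-analytics.com")

# Words that, in an event name, reveal what treatment a user is paying for.
SENSITIVE_EVENT_TERMS = ("therapy", "med management", "medication",
                         "prescription", "alcohol", "addiction", "recovery")

# Query parameters that let the platform tie an event to a person, even
# when the value is hashed (the order treats hashed data as Covered Information).
IDENTIFIER_PARAMS = {
    "ud[em]": "email (hashed)",
    "ud[ph]": "phone (hashed)",
    "ud[external_id]": "external user id",
    "cid": "client id",
    "uip": "IP address override",
}

# Parameters that carry the event name on each platform (assumed layout).
EVENT_PARAMS = ("ev", "ea")


@dataclass
class Finding:
    url: str
    host: str
    event: Optional[str]
    sensitive_event: bool
    identifiers: List[str] = field(default_factory=list)

    @property
    def is_disclosure(self) -> bool:
        # The pattern the complaint describes: a health-revealing custom
        # event sent together with something that identifies the user.
        return self.sensitive_event and bool(self.identifiers)


def audit_request(url: str) -> Optional[Finding]:
    """Inspect one outbound URL; return None for first-party requests."""
    parsed = urlparse(url)
    if parsed.hostname not in AD_ENDPOINT_HOSTS:
        return None
    # parse_qs percent-decodes keys, so `ud%5Bem%5D` becomes `ud[em]`.
    params = parse_qs(parsed.query, keep_blank_values=True)
    event = next((params[k][0] for k in EVENT_PARAMS if k in params), None)
    sensitive = event is not None and any(
        term in event.lower() for term in SENSITIVE_EVENT_TERMS)
    identifiers = [label for key, label in IDENTIFIER_PARAMS.items() if key in params]
    return Finding(url, parsed.hostname, event, sensitive, identifiers)


def audit_capture(urls: List[str]) -> List[Finding]:
    """All third-party tracking requests in the capture, in order."""
    return [f for f in map(audit_request, urls) if f is not None]


def disclosures(urls: List[str]) -> List[Finding]:
    """Only the requests that pair a sensitive event with an identifier."""
    return [f for f in audit_capture(urls) if f.is_disclosure]


def summarize(urls: List[str]) -> Dict[str, int]:
    findings = audit_capture(urls)
    return {
        "third_party_requests": len(findings),
        "sensitive_event_names": sum(f.sensitive_event for f in findings),
        "requests_with_identifiers": sum(bool(f.identifiers) for f in findings),
        "disclosures": sum(f.is_disclosure for f in findings),
    }


# Constructed capture: one page view, two "custom event" purchases, one
# first-party API call and one generic lead event with a hashed email.
SAMPLE_CAPTURE = [
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
    "&dl=https%3A%2F%2Ftreatment.example%2F",
    "https://www.facebook.com/tr/?id=000000000000000"
    "&ev=Paid%3A%20Weekly%20Therapy"
    "&ud%5Bem%5D=0c2e4f1a6b8d9e7f0c2e4f1a6b8d9e7f0c2e4f1a6b8d9e7f0c2e4f1a6b8d9e7f"
    "&ud%5Bexternal_id%5D=u-1024",
    "https://www.google-analytics.com/collect?v=1&t=event&ec=checkout"
    "&ea=Paid%3A%20Med%20Management&cid=555.123&uip=203.0.113.7",
    "https://treatment.example/api/session",
    "https://www.facebook.com/tr/?id=000000000000000&ev=Lead"
    "&ud%5Bem%5D=0c2e4f1a6b8d9e7f0c2e4f1a6b8d9e7f0c2e4f1a6b8d9e7f0c2e4f1a6b8d9e7f",
]

if __name__ == "__main__":
    for f in disclosures(SAMPLE_CAPTURE):
        print(f"{f.host}: event {f.event!r} sent with {', '.join(f.identifiers)}")
    print(summarize(SAMPLE_CAPTURE))
```

Feed it the `entries[].request.url` values from a HAR export of the signup and checkout flows. Two caveats a practitioner should keep in mind: the term list is only a starting point for a given site, and the last sample shows why the order reaches hashed data as well, since even a generic “Lead” event paired with a hashed email tells an advertising platform that a matched person is a customer of an addiction treatment service.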
Under the order:
- “Advertising Purposes” means advertising, marketing, promoting, offering, offering for sale, or selling any products or services on, or through Third Party websites, mobile applications, or services but not:
- reporting and analytics related to understanding advertising and advertising effectiveness, such as statistical reporting, traffic analysis, understanding the number of and type of ads served, or conversion measurement; or
- communications, services, or products requested by a consumer that are sent or provided to the consumer; or
- contextual advertising, meaning non-personalized advertising shown as part of a consumer’s current interaction with Defendant’s website or mobile applications, provided that the consumer’s Covered Information is not disclosed to another Third Party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interactions with Defendant’s websites or mobile application.
- Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them are permanently restrained and enjoined from misrepresenting, expressly or by implication:
- the extent to which Defendant collects, maintains, uses, discloses, Deletes, or permits or denies access to any Personal Information, or the extent to which Defendant protects the privacy, security, availability, confidentiality, or integrity of any Personal Information;
- the purpose(s) for which Defendant, or any entity to whom Defendant discloses or permits access to Personal Information, collects, maintains, uses, discloses, or permits access to any Personal Information;
- the extent to which a consumer can maintain privacy, confidentiality, or anonymity when visiting or using any online properties, services, or mobile applications associated with Defendant; and
- the extent to which Defendant is a HIPAA-covered entity, and the extent to which Defendant’s privacy and information practices, policies, and procedures comply with HIPAA.
- the Defendant must, within 60 days:
- identify all Third Parties that accessed, received, or acquired Covered Information from Defendant in any form, including hashed or encrypted Covered Information, without a consumer’s Affirmative Express Consent;
- identify what Covered Information was disclosed to each Third Party identified in sub-Section IV.A.1; and
- submit a list of the information identified in sub-Sections IV.A.1-2 and the methodologies used to identify the information in sub-Sections IV.A.1-2 to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E;
- the Defendant must also, within 60 days, provide a copy of the Complaint and Order to all such Third Parties and instruct them to Delete all Covered Information accessed, received, or acquired from Defendant. Defendant’s instruction to each such Third Party shall include a list of the Covered Information and demand written confirmation from each such Third Party that it has Deleted such Covered Information; and
- the Defendant must not disclose any Covered Information in any form, including hashed or encrypted Covered Information, to any Third Party until it confirms each Third Party’s receipt of those instructions.
- any Covered Business, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within 60 days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program (“Privacy Program”) that protects the privacy, security, availability, confidentiality, and integrity of such Covered Information. To satisfy this requirement, Defendant must, for each Covered Business, at a minimum:
- document in writing the content, implementation, and maintenance of the Privacy Program;
- provide the written program and any evaluations thereof or updates thereto to the Covered Business’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the Covered Business’s Privacy Program at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;
- designate a qualified employee or employees, who report(s) directly to an executive, such as the Chief Executive Officer, Chief Compliance Officer, or Chief Legal Officer, to coordinate and be responsible for the Privacy Program; and keep the executive and the Board of Directors informed of the Privacy Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order;
- assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks in each area of the Covered Business’s operations to the privacy, security, availability, confidentiality, and integrity of Covered Information that could result in the unauthorized access, collection, use, destruction, or disclosure of, or provision of access to, Covered Information;
- design, implement, maintain, and document safeguards that control for the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information identified in that assessment. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, Deletion, disclosure of, or provision of access to, the Covered Information. Such safeguards must also include:
- policies, procedures, and technical measures to systematically inventory Covered Information in the Covered Business’s control and Delete Covered Information that is no longer reasonably necessary and in accordance with applicable retention laws and regulations;
- policies, procedures, and technical measures to prevent the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information inconsistent with the Covered Business’s representations to consumers;
- audits, assessments, and reviews of the contracts, privacy policies, and terms of service associated with any Third Party to which the Covered Business discloses, or provides access to, Covered Information;
- policies and technical measures that limit employee and contractor access to Covered Information to only those employees and contractors with a legitimate business need to access such Covered Information;
- mandatory privacy training programs for all employees with access to Covered Information in connection with the Covered Business on at least an annual basis, with such training covering any internal or external risks identified by Defendant;
- a data retention policy that, at a minimum, includes:
- i. a retention schedule that limits the retention of Covered Information to the shortest time necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be Deleted, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order; and
- ii. a requirement that Defendant documents, adheres to, and makes publicly available on its terms of service/use a retention schedule for Covered Information, setting forth: (1) the purposes for which the Covered Information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a set timeframe in accordance with applicable laws and regulations for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumers) that precludes indefinite retention of any Covered Information;
- audits, assessments, reviews, or testing of each mechanism by which the Covered Business discloses Covered Information to a Third Party or provides a Third Party with access to Covered Information (including but not limited to web beacons, pixels, and Software Development Kits); and
- for each product or service offered by any Covered Business, Clearly and Conspicuously disclose the categories of Covered Information collected from consumers, the purposes for the collection of each category of Covered Information, and any transfer of Covered Information to a Third Party.
- For each such transfer of Covered Information, the disclosure must, at a minimum, include:
- the specific categories of Covered Information transferred;
- the identity of each Third Party receiving the transfer;
- the purposes for which the Covered Business transferred the Covered Information to each Third Party;
- the purposes for which each Third Party receiving the Covered Information may use the Covered Information, including but not limited to the purposes for which the Third Party reserves the right to use such Covered Information; and
- whether each Third Party receiving the Covered Information reserves the right to transfer the Covered Information to other entities or individuals.
- assess, at least once every 12 months, and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information, and modify the Privacy Program based on the results;
- test and monitor the effectiveness of the safeguards at least once every 12 months, and promptly (not to exceed 30 days) following a Covered Incident, and modify the Privacy Program based on the results;
- select and retain service providers capable of safeguarding Covered Information they receive from the Covered Business, and contractually require service providers to implement and maintain safeguards for Covered Information; and
- evaluate and adjust the Privacy Program in light of any material changes to the Covered Business’s operations or business arrangements, the results of the testing and monitoring required by sub-Section VI.G, a Covered Incident, and any other circumstances that the Covered Business knows or has reason to believe may have a material impact on the effectiveness of the Privacy Program or any of its individual safeguards (including but not limited to new or more efficient technological or operational methods to control for the risks identified in sub-Section VI.D). The Covered Business may make this evaluation and adjustment to the Privacy Program at any time, but must, at a minimum, evaluate the Privacy Program at least once every 12 months and modify the Privacy Program as necessary based on the results.
- for each Covered Business that collects, maintains, uses, discloses, or provides access to Covered Information, Defendant must obtain initial and biennial assessments (“Assessments”):
- The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who:
- uses procedures and standards generally accepted in the profession;
- conducts an independent review of the Privacy Program;
- retains all documents relevant to each Assessment for 5 years after completion of such Assessment; and
- will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or any similar claim.
- the reporting period for the Assessments must cover:
- the first year after the issuance date of the Order for the initial Assessment; and
- each 2-year period thereafter for 20 years after the issuance date of the Order for the biennial Assessments.
- each Assessment must, for the entire assessment period:
- determine whether Defendant has implemented and maintained the Privacy Program;
- assess the effectiveness of Defendant’s implementation and maintenance of the Privacy Program;
- identify any gaps or weaknesses in the Privacy Program, or instances of material noncompliance;
- address the status of gaps or weaknesses in the Privacy Program, as well as any instances of material non-compliance that were identified in any prior Assessment required by this Order; and
- identify specific evidence (including, but not limited to, documents
- the Defendant must have annual certification