USA: FTC files proposed order against Monument for sharing health data without consent

On April 11, 2024, the Federal Trade Commission (FTC) announced that it had issued a proposed order prohibiting Monument Inc. (Monument) from disclosing health information for advertising, to settle allegations that it disclosed users' health information to third-party advertising platforms without first obtaining informed consent from consumers, in violation of the Federal Trade Commission Act (the FTC Act).

Background to the proposed order

The FTC conducted an investigation into Monument, which provides access to online support groups and online community groups discussing how to overcome alcohol addiction, insurance-covered therapy, and access to a physician to obtain prescriptions for medications that treat alcohol addiction.

Findings of the FTC

In its complaint, the FTC noted that between January 2020 and December 2022, Monument promised to keep users' personal information, including their sensitive health information, private, stating that it would not disclose such information to third parties without written consent. This included asserting that Monument was compliant with the Health Insurance Portability and Accountability Act (HIPAA). However, the FTC highlighted that Monument's privacy policy contradicted these representations, stating that Monument may disclose personal data to affiliates, contractors, service providers, and other third parties for purposes including IT and marketing. Likewise, the FTC outlined that Monument disclosed personal information to third-party advertising platforms via tracking technologies, including application programming interfaces (APIs).

In doing so, the FTC stated, Monument failed to obtain users' affirmative express consent to the disclosure of their health information to third parties for targeted advertising. Monument was also considered to have failed to inventory or track the personal information collected from consumers via tracking technologies, including which information was disclosed to third parties for advertising.

In addition, the FTC detailed that Monument disclosed personal information to Meta through APIs. Although Monument 'hashed' user emails before disclosing personal information to Meta, the FTC noted that Monument knew that Meta would undo the hashing of user personal information, and that Meta's standard terms of service explicitly explained that Meta would use hashed email addresses to match them with users' Facebook IDs for advertising purposes, among other things. Notably, the FTC clarified that Monument also failed to contractually limit how third parties could use or disclose users' sensitive information: its contracts either placed no restrictions on the third parties' use or disclosure of information or specifically permitted third parties to use the information for their own purposes.
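The hashing point above is the one technical detail in the complaint, and it is worth seeing why a hashed email is not a de-identified one. The example below is added here for illustration and is not code from the FTC, Monument, or Meta; the email addresses, account IDs, and the secret key are constructed sample values. It shows that a recipient that already holds its own directory of plaintext emails can hash them the same way and join the two sets, so the "hashed" batch links straight back to individual accounts. Only a keyed pseudonym whose key the recipient does not hold breaks that linkage, which is exactly why it is not what ad-matching integrations use.

```python
import hashlib
import hmac

# Constructed sample data (not from the complaint): the sender's users and the
# ad platform's own account directory, which partially overlaps with them.
SENDER_USERS = ["Alice@Example.com", "bob@example.com", "carol@example.com"]
PLATFORM_DIRECTORY = {
    "alice@example.com": "acct-1001",
    "bob@example.com": "acct-1002",
    "dave@example.com": "acct-1003",
}


def normalize(email: str) -> str:
    """Canonicalise before hashing; matching schemes do this so both sides agree."""
    return email.strip().lower()


def sha256_email(email: str) -> str:
    """Unkeyed hash: anyone who knows the email can recompute it."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC pseudonym: only a holder of `key` can recompute it."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def platform_match(hashed_batch, directory, hash_fn):
    """What the recipient can do: hash its own directory and join on the digest.

    Returns {digest: account_id} for every received digest it can link.
    """
    index = {hash_fn(email): acct for email, acct in directory.items()}
    return {h: index[h] for h in hashed_batch if h in index}


def linked_accounts_unkeyed():
    # Sender "hashes" before sending; recipient recovers the accounts anyway.
    batch = [sha256_email(e) for e in SENDER_USERS]
    return platform_match(batch, PLATFORM_DIRECTORY, sha256_email)


def linked_accounts_keyed():
    # Sender uses a key the recipient does not hold (hypothetical); the
    # recipient can only hash with what it has, so nothing joins.
    sender_secret = b"constructed-sender-only-key"
    batch = [keyed_pseudonym(e, sender_secret) for e in SENDER_USERS]
    return platform_match(batch, PLATFORM_DIRECTORY, sha256_email)


if __name__ == "__main__":
    print("unkeyed hash, accounts linked:", sorted(linked_accounts_unkeyed().values()))
    print("keyed pseudonym, accounts linked:", sorted(linked_accounts_keyed().values()))
```

The unkeyed run links two of the three users back to platform accounts; the keyed run links none. The practical check when reviewing a pixel, SDK or server-side API integration is therefore not "is the identifier hashed?" but "does the recipient hold, or can it obtain, the inputs needed to recompute that hash?"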

The FTC also provided that Monument made deceptive HIPAA representations. Namely, although Monument was assessed by a third party in December 2021 and February 2022 to be only 60% and 71% HIPAA compliant respectively, and possessed significant deficiencies in its HIPAA compliance program, Monument continued to represent to consumers that it was HIPAA compliant.

Accordingly, the FTC found Monument to have violated Section 5(a) of the FTC Act, as its misrepresentations and deceptive omissions of material fact constituted deceptive acts or practices. The FTC also determined that Monument had violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which prohibits unfair or deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product.

Outcomes

In light of the above, the FTC proposed a civil penalty of $2.5 million for Monument's violation of OARFPA. The proposed order also requires Monument to:

  • identify all user data shared with third parties and direct those third parties to delete the personal data that was shared with them;
  • inform consumers who have yet to be notified by Monument about the disclosure of their health information to third parties for advertising; and
  • implement a comprehensive privacy program that includes strong safeguards to protect consumer data, including:
    • designating a responsible employee/employees for the privacy program;
    • a data retention policy; and
    • selecting and retaining service providers capable of safeguarding covered information, and contractually requiring service providers to implement and maintain safeguards.

The FTC's proposed order also prohibits the sharing of data with third parties for advertising purposes, which includes:

  • reporting and analytics related to understanding advertising and advertising effectiveness;
  • communications, services, or products requested by a consumer that are sent or provided to the consumer; or
  • contextual advertising, meaning non-personalized advertising shown as part of a consumer's current interaction with the defendant's website or mobile apps.

You can read the press release here, the complaint here, and the proposed order here.
