On April 11, 2024, Monument, Inc. (“Monument”), settled claims brought by the Federal Trade Commission (“FTC”) alleging that it had committed certain health data privacy law violations. Monument provides online addiction treatment services, offering its clients access to online support groups, community forums, online therapy, and physician access. The Complaint, filed by the United States Department of Justice (“DOJ”) upon notice and referral by the FTC, alleged that Monument violated its customers’ health data privacy rights by disclosing their information to third parties without their knowledge and consent. Monument’s conduct, the FTC alleged, violated various statutes, including Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
As our readers are aware, the FTC has been actively cracking down on businesses that infringe upon consumer privacy rights. Pursuant to the terms of the settlement, Monument must, among other things, notify consumers of the unauthorized disclosure of their data, implement an extensive data privacy program, and pay a significant civil penalty.
What Were the Alleged Health Data Privacy Violations?
Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.” Misrepresentations or deceptive omissions of material fact constitute “deceptive acts or practices.” According to the FTC, Monument mislead and deceived its customers by guaranteeing the privacy of their health data, and then sharing it with third parties without their knowledge or consent.
During the account creation process, Monument assured its clients that its services were “100% confidential” and “HIPAA compliant” and that Monument would not disclose user confidential data to third parties without their knowledge and consent. Notwithstanding its health data privacy assurances, Monument disclosed sensitive user health information to third-party advertising platforms, including Meta and Google. This health data was gathered through the use of pixel tracking technology on Monument’s website. According to the FTC, this pixel software tracked the healthcare services that consumers utilized, and Monument then disclosed this activity, along with the consumers’ IP addresses, email addresses, first names, and other identifying information to Meta, Google, and other third parties.
According to the Complaint, Monument violated the health data privacy rights of as many as 84,468 consumers. Pursuant to the terms of the settlement agreement, Monument agreed to:
Disclose to its consumers the extent to which it collects and shares sensitive information;
Obtain affirmative express consent from consumers before sharing their health data;
Cease sharing health information for advertising purposes; and
Pay a civil penalty of $2,500,000, which was suspended due to inability to pay.
How does the Monument Case Affect your Business?
This proceeding serves as yet another reminder that businesses that come into possession of sensitive consumer information must carefully protect it, uphold promises to customers, and acquire consent before any third party disclosure. This is only the latest in a long list of FTC efforts to police the data privacy practices of United States businesses.
In light of recent governmental enforcement action, companies should retain attorneys that are experienced in marketing and consumer data privacy law compliance.
If you require assistance with preventing your business from becoming a defendant in an FTC investigation, please email us at info@kleinmoynihan.com or call us at (212) 246-0900.
The material contained herein is provided for information purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Attorney advertising
Photo by National Cancer Institute on Unsplash
Similar Blog Posts:
FTC Guidelines on Negative Option Marketing Released
