FTC – INDIA NEWS (https://www.indiavpn.org), News Blog

FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations
https://www.indiavpn.org/2024/04/16/ftc-fines-mental-health-startup-cerebral-7-million-for-major-privacy-violations/

Apr 16, 2024 | Newsroom | Privacy Breach / Regulatory Compliance


The U.S. Federal Trade Commission (FTC) has barred the mental telehealth company Cerebral from using or disclosing personal data for advertising purposes.

It has also been fined more than $7 million over charges that it revealed users’ sensitive personal health information and other data to third parties for advertising purposes and failed to honor its easy cancellation policies.

“Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies,” the FTC said in a press statement.

While claiming to offer “safe, secure, and discreet” services in order to get consumers to sign up and provide their data, the company, the FTC alleged, did not clearly disclose that the information would be shared with third parties for advertising.

The agency also accused the company of burying its data sharing practices in dense privacy policies, with the company engaging in deceptive practices by claiming that it would not share users’ data without their consent.


The company is said to have provided the sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat, and TikTok by integrating tracking tools within its websites and apps that are designed to provide advertising and data analytics functions.

The information included names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information.

The FTC complaint further accused Cerebral of failing to enforce adequate security guardrails by allowing former employees to access users’ medical records from May to December 2021, using insecure access methods that exposed patient information, and not restricting access to consumer data to only those employees who needed it.

“Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards,” the FTC said.

Pursuant to the proposed order, which is pending approval from a federal court, the company has been barred from using or disclosing consumers’ personal and health information to third parties for marketing, and has been ordered to implement a comprehensive privacy and data security program.

Cerebral has also been asked to post a notice on its website alerting users of the FTC order, as well as adopt a data retention schedule and delete most consumer data not used for treatment, payment, or health care operations unless consumers have consented to it. It’s also required to provide a mechanism for users to get their data deleted.

The development comes days after alcohol addiction treatment firm Monument was prohibited by the FTC from disclosing health information to third-party platforms such as Google and Meta for advertising without users’ permission between 2020 and 2022 despite claiming such data would be “100% confidential.”

The New York-based company has been ordered to notify users about the disclosure of their health information to third parties and ensure that all the shared data has been deleted.


“Monument failed to ensure it was complying with its promises and in fact disclosed users’ health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol,” the FTC said.

Over the past year, the FTC has announced similar enforcement actions against healthcare service providers like BetterHelp, GoodRx, and Premom for sharing users’ data with third-party analytics and social media firms without their consent.

It also warned Amazon against using patient data for marketing purposes after it finalized a $3.9 billion acquisition of membership-based primary care practice One Medical.

FTC Slams Avast with $16.5 Million Fine for Selling Users’ Browsing Data
https://www.indiavpn.org/2024/02/23/ftc-slams-avast-with-16-5-million-fine-for-selling-users-browsing-data/

Feb 23, 2024 | Newsroom | Privacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users’ browsing data to advertisers after claiming its products would block online tracking.

In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third parties without their consent.

The FTC, in its complaint, said Avast “unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.”

It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users’ privacy, but failing to inform them that it would sell their “detailed, re-identifiable browsing data” to more than 100 third parties through its Jumpshot subsidiary.


What’s more, data buyers could associate non-personally identifiable information with Avast users’ browsing information, allowing other companies to track and associate users and their browsing histories with other information they already had.

The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, which called out Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of Jumpshot’s “past, present, and potential clients.”

A month before, web browsers Google Chrome, Mozilla Firefox, and Opera removed Avast’s browser add-ons from their respective stores, with prior research from security researcher Wladimir Palant in October 2019 deeming those extensions spyware.

The data, which includes a user’s Google searches, location lookups, and internet footprint, was collected via the Avast antivirus program installed on a person’s computer without seeking their informed consent.

“Browsing data [sold by Jumpshot] included information about users’ web searches and the web pages they visited – revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the FTC alleged.

Jumpshot described itself as the “only company that unlocks walled garden data,” and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.


The privacy backlash prompted Avast to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

Avast has since merged with another cybersecurity company, NortonLifeLock, to form a new parent company called Gen Digital, which also includes other products like AVG, Avira, and CCleaner.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

FTC Bans InMarket for Selling Precise User Location Without Consent
https://www.indiavpn.org/2024/01/22/ftc-bans-inmarket-for-selling-precise-user-location-without-consent/

Jan 22, 2024 | Newsroom | Privacy / Technology


The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data.

The settlement stems from allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes.

“InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data,” the FTC said last week.

In addition, it has been ordered to destroy all the location data it previously collected subject to users’ assent, as well as provide a mechanism for consumers to withdraw their consent and request deletion of the information previously collected.


The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users’ visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

Like Outlogic, InMarket is said to harvest location information from its own proprietary apps like CheckPoints and ListEase, and more than 300 other third-party applications that incorporate its software development kit (SDK). These apps have been downloaded onto over 420 million unique devices since 2017.

“If the user allows access, InMarket SDK receives the device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it — ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving — and transmits it directly to [InMarket’s] servers,” the FTC complaint read.

This historical data is then used to slot consumers into nearly 2,000 segments based on the locations visited and serve tailored ads on apps that include the SDK. It also offers a product that pushes ads to consumers based on their current whereabouts, serving ads related to medicines, for example, when a person is within 200 meters of a pharmacy.

The company, which was previously exposed by The Markup in September 2021, claims to provide its “customers with access to the most accurate and precise, permission-based, SDK-derived location data available today.”

The FTC further said InMarket did little to ensure that third-party apps that embed the company’s SDK have obtained users’ express consent, noting that it failed to notify third-party apps that the location data provided through its SDK will be combined with other data points to create profiles of consumers.

To make matters worse, the company’s five-year data retention policy was described as “unnecessary to carry out the purposes for which it was collected,” and as putting customers at risk by exposing the information to other kinds of misuse.

As mitigations, InMarket “will be required to create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data.”

The disclosure comes as a joint study published by Consumer Reports and The Markup found that Meta-owned Facebook gets data on individual users from thousands of companies.


On average, the company received data from 2,230 different companies for each of the 709 volunteers, with some identified by more than 7,000 companies. In all, the participants had their data shared by a whopping 186,892 companies.

One of those participants had their information coming from nearly 48,000 different companies, suggesting “unusual app usage habits” or possibly an appealing candidate for microtargeted advertising.

“The company that shared data on the largest number of participants was LiveRamp, a data broker, which shared data on 679, or about 96%, of study participants,” the study said. “A large percentage of the approximately 186,000 companies that appeared in our data appeared to be either small retailers or non-national brands (or were unidentifiable by name).”

FTC Bans Outlogic (X-Mode) From Selling Sensitive Location Data
https://www.indiavpn.org/2024/01/10/ftc-bans-outlogic-x-mode-from-selling-sensitive-location-data/

Jan 10, 2024 | Newsroom | Privacy / Regulatory Compliance


The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing any sensitive location data with, or selling it to, third parties.

The ban is part of a settlement over allegations that the company “sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive. It must also maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.

The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.


X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK). It’s also said to have procured location data from other data brokers and aggregators.

Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.

“The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device,” the FTC said. “This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited.”

The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users’ privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.

The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK, and for failing to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.


Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.

In a statement provided to news agency Reuters, Outlogic said it disagreed with the “implications” of the FTC announcement, and that there was no finding that it misused location data.

“I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data,” U.S. Senator Ron Wyden said in a statement shared with The Hacker News.

“In 2020, I discovered that the company had sold Americans’ location data to U.S. military customers through defense contractors. While the FTC’s action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans’ personal information and prevent government agencies from going around the courts by buying our data from data brokers.”
