
The FTC has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

UNITED STATES OF AMERICA, United States Department of Justice Consumer Protection Branch (450 5th St. NW, Suite 6400, Washington, DC 20001), Plaintiff, v. MONUMENT, INC., a Delaware limited liability company (350 7th Ave., New York, NY 10001), Defendant.

Case No. 24-1034

COMPLAINT FOR PERMANENT INJUNCTION, CIVIL PENALTY JUDGMENT, AND OTHER RELIEF

SUMMARY OF THE CASE

  • Plaintiff, the United States of America, brings this action against Defendant Monument, Inc. for violating Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (“OARFPA”), 15 U.S.C. § 45d. These violations are related to Monument’s advertising, marketing, promotion, offering for sale, or sale of alcohol addiction treatment services. Plaintiff seeks a permanent injunction, civil penalties, and other relief, pursuant to Sections 5(m)(1)(A), 13(b), and 19 of the FTC Act, and OARFPA. Monument is alleged to have disclosed users’ personal and health information to third parties without their consent, in violation of its privacy promises.

JURISDICTION AND VENUE

  • This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355.
  • Venue is proper under 28 U.S.C. §§ 1391(b)(1), (b)(2), (c)(1), (c)(2), and (d), 1395(a), and 15 U.S.C. § 53(b).

PLAINTIFF

  • The United States of America, acting upon notification and referral by the FTC, brings this action under Section 16(a)(1) of the FTC Act. The FTC is an independent agency responsible for enforcing Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC also enforces OARFPA, which governs unfair or deceptive acts or practices related to substance use disorder treatment products and services.

DEFENDANT

  • Monument, Inc., a Delaware corporation with its principal office in New York, NY, operates an online alcohol addiction treatment platform. Monument transacts business in this District and across the United States.

COMMERCE

  • At all times relevant to this Complaint, Monument has maintained a substantial course of trade in or affecting commerce, as defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

MONUMENT’S BUSINESS ACTIVITIES

  • Monument has developed, advertised, marketed, promoted, offered for sale, and sold its Service, which is Monument’s sole product, through its website since January 2020. Monument offers two versions of its Service:

    • A Community Membership for $14.99/month, which provides access to online support groups and forums related to overcoming alcohol addiction.
    • Insurance-covered therapy and access to physicians who can prescribe medications to treat alcohol addiction. For those without coverage, the fees are:
      • $100 per physician appointment.
      • $149 per month for bi-weekly therapy.
      • $249 per month for weekly therapy.
  • Prior to July 2023, the Community Membership was provided for free.

  • Consumers signing up for the Service must provide their email address, agree to Monument’s Terms of Use and Privacy Policy, choose a username, and complete an intake survey. To access therapy or physician services, additional personal information is required, such as:

    • First and last name
    • Date of birth
    • Legal sex
    • Phone number
    • Address
    • Government-issued ID
    • Medical history and/or insurance information
  • Monument also collects consumers' IP addresses and device IDs.

  • Monument has used various third parties for advertising, including AdRoll, Amazon, Google, Meta, and others. Between January 2020 and December 2022, Monument spent over $3 million on Meta platforms and nearly $2.4 million on Google advertising.

  • Monument’s user base has grown significantly:

    • In 2020, 10,773 consumers signed up for Community Memberships, and 2,375 accessed physician and therapist services.
    • In 2021, 16,573 consumers signed up for Community Memberships, and 4,548 accessed physician and therapist services.
    • In 2022, 37,276 consumers signed up for Community Memberships, and 8,132 accessed physician and therapist services.

MONUMENT MISREPRESENTED ITS DISCLOSURES OF USERS’ HEALTH INFORMATION

  • Between January 2020 and December 2022, Monument falsely claimed to keep users’ personal and sensitive health information private. Monument promised it would not disclose such information to third parties without users’ written consent and asserted compliance with HIPAA. Examples of these misrepresentations include:
    • Since January 2020, the FAQ section on Monument’s website stated that only a user’s nickname would be shared within the platform, emphasizing the anonymity of users and claiming to comply with relevant privacy laws.
    • From May 3, 2021, to April 30, 2023, Monument’s insurance page claimed that Monument was "fully HIPAA-compliant" and would not share information with any third party without the user’s explicit written consent.
    • From February 8, 2022, to April 30, 2023, Monument displayed a representation during the sign-up process stating that "any information you enter with Monument is 100% confidential, secure, and HIPAA compliant." An image of that representation is below:
    • Monument routinely distributed representations claiming that its services were "Anonymous" and "confidential." These claims were featured prominently in advertisements, including ads placed on platforms such as Google.

  • Monument's users have frequently asked about the privacy of their personal information. And, since no later than August 2020, Monument employees have regularly responded to these inquiries with representations that it keeps users' personal information private, does not disclose it to third parties without their written consent, and is HIPAA compliant. Examples include:
    • In August 2020, Monument’s Operations and Compliance Manager responded to a consumer asking about the privacy of their personal information, stating: "[a]ll of your Protected Health Information (PHI) in addition to Personally Identifiable Information (PII) is kept private under HIPAA and state medical record laws."
    • In April 2022, a Monument customer service representative told a customer inquiring about the privacy of their information: "[W]e also abide by HIPAA regulations which means we are not allowed to share any of your medical information on Monument without your written consent to do so."
    • In July 2022, a Monument customer service representative told a consumer: "We are fully HIPAA-compliant and do not provide information to third parties unless a member requests that we do so and sends us permission in writing to contact outside persons."
  • As described below, each of these representations was false or misleading.
  • Notably, Monument’s Privacy Policy contradicted the above representations, stating: “We may disclose Personal Data that we collect or you provide as described in this privacy policy: to affiliates, contractors, service providers, and other third parties we use to support our business. The services provided by these organizations include providing IT and infrastructure support services, and marketing[.]” However, as shown in the image below, this statement was buried in the middle of Monument’s voluminous, densely worded privacy policy, and, in any event, it does not cure the express misrepresentations that it keeps users’ personal information private.

MONUMENT DISCLOSED CONSUMERS’ HEALTH INFORMATION TO THIRD PARTIES

  • On December 1, 2022, HHS’s Office for Civil Rights published business guidance titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” which “provid[ed] a general overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies.” Monument had, since January 2020, been using such tracking technologies on its website to transmit users’ personal information to third-party platforms, such as Meta and Google, for advertising and the platforms’ own purposes. Shortly after reviewing HHS’s guidance, Monument removed all such tracking technologies from its website and stopped transmitting users’ personal information to these third-party advertising platforms.

  • In March 2023, Monument sent a notice to its users stating that, following OCR’s publication of this business guidance, Monument reviewed its own policies, practices, and procedures concerning the disclosure of users’ personal information via tracking technologies to advertising platforms. According to the notice:

    Monument’s internal review concluded that some information may have been shared with those third parties without the appropriate authorization, consent, or agreements required by law. The internal review concluded that this activity commenced in January of 2020. The information shared may have included name, date of birth, email address, telephone number, address, Monument ID, insurance member ID, IP address, unique digital ID, URL, photograph, selected services or plan, assessment or survey responses, appointment-related information, and associated health information.

  • Around the same time, Monument similarly notified its therapists about the internal review, stating:

    During our internal review, we discovered that some member information may have been shared with third-party tracking services without the required authorization, consent, or agreements. This activity began in January 2020 for Monument. The information shared may have included name, date of birth, email address, telephone number, address, Monument ID, insurance member ID, IP address, unique digital ID, URL, photograph, selected services or plans, assessment or survey responses, appointment-related information, and associated health information.

Disclosures of health information through Custom Events
  • Since January 2020, Monument has, contrary to its privacy promises, disclosed users’ personal information, including their health information, to numerous third-party advertising platforms via tracking technologies, known as pixels and application programming interfaces (“APIs”), which Monument integrated into its website. Monument disclosed this information to advertise on the third parties’ platforms—specifically to re-target users with advertisements for Monument’s services (primarily to encourage Community Membership users to sign up for therapist and physician services), as well as to find and target potential new users with advertisements.

  • Monument used these pixels and APIs to track “Standard Events,” records of routine website functions, such as when a consumer visited a webpage, as well as “Custom Events,” records of user-website interactions unique to Monument’s website, such as when a consumer signed up for the Service.

  • Monument gave the Custom Events descriptive titles that included health information about users’ enrollment in the Service and therapy, such as “Paid: Weekly Therapy” when a user signed up for the Service and included weekly therapy. By including users’ health information in the titles of these Custom Events and then sharing the events with third-party advertising platforms, Monument conveyed this health information to the recipient advertising platforms. Monument disclosed users’ email addresses, IP addresses, and other identifiers along with these Custom Events, so that the third parties could identify the users and associate the Custom Events with specific individuals.

  • Monument estimates that it disclosed Custom Events containing health information to third-party advertising platforms for as many as 84,468 users.

  • Monument’s disclosures of these Custom Events directly contradicted its statements that it would not share users’ personal information with third parties without users’ knowledge or written consent.

Disclosures of health information to Meta
  • Beginning in January 2020, Monument disclosed users’ personal information, including their health information, to Meta in the form of Custom Events through both the Meta pixel and a Meta API, known as “Conversions API”—both of which Monument had placed on its website. Monument gave these Custom Events titles that conveyed that the users with which they were associated had signed up for the Service and were therefore seeking and/or receiving treatment for alcohol addiction, including therapy: “Sign Up,” “Paid: Med Management,” “Paid: Bi Weekly Therapy,” “Paid: Weekly Therapy,” “Text a therapist sign up,” “Call a therapist signup,” “Paid – Total Care with Bi-Weekly Therapy,” and “Paid – Total Care with Weekly Therapy.” Monument sent the events to Meta along with users’ IP addresses, email addresses, first names, and identifying Facebook cookies so that Meta could match the Custom Events with users’ Facebook accounts for advertising.

  • Notably, Monument “hashed” users’ email addresses (i.e., converted the email addresses into a sequence of letters and numbers through a cryptographic tool) before disclosing them to Meta (and other third parties). Monument knew, however, that third parties such as Meta would effectively undo the hashing and reveal the email addresses of those users with accounts on the respective third parties’ platforms, which is how Meta matched these email addresses with Facebook user IDs. Indeed, Meta’s standard terms of service, to which Monument agreed, explained that Meta would use hashed email addresses it received from Monument to match users with their Facebook user IDs for advertising purposes, among other things. Thus, Monument knew that by sending these hashed email addresses to third parties, it was telling these third parties which of their users were obtaining alcohol addiction treatment.

  • In June 2020, Meta notified Monument that its Custom Events conveyed health information, instructing Monument not to include therapy or specific plan names in the event titles. In response, Monument limited the Custom Events it sent to Meta to “Sign Up,” “Paid,” “Paid – A” (which replaced “Paid – Total Care with Bi-Weekly Therapy”), and “Paid – B” (which replaced “Paid – Total Care with Weekly Therapy”). However, even with these limitations, the titles of these Custom Events still effectively disclosed to Meta every time a consumer signed up for the Service. Furthermore, in January 2022, a Monument engineer explained to Meta that the “Paid – A” event represented “Bi-Weekly Therapy (new)” and the “Paid – B” event represented “Weekly Therapy (new),” thereby disclosing to Meta that all users associated with these events had signed up for the Service and therapy with Monument.

  • In January 2022, one of Monument’s engineers raised an alarm that the company was sending users’ health information to Meta, suggesting that Monument stop sending users’ hashed email addresses to Meta. However, Monument did not take the recommendation and continued sending Custom Events, along with users’ email addresses, IP addresses, and other identifiers to Meta through at least December 2022.

  • Monument did not take sufficient steps to adequately track, map, or inventory the personal information it collects, uses, and discloses to third-party advertising platforms. Monument, therefore, did not know how many users’ health information it has disclosed to Meta—only that it is as many as 84,468 users. For example, from June 2021 to November 2022, Monument sent the following Custom Events to Meta:

    • At least 25,110 Custom Events titled “All signups including paid,” along with users’ IP addresses and Meta cookies, and often their email addresses and first names.

    • At least 1,765 Custom Events titled “Paid,” along with users’ IP addresses and Meta cookies, and often their email addresses and first names.

    • At least 627 Custom Events titled “Paid A,” along with users’ IP addresses and Meta cookies, and often their email addresses and first names.

    • At least 843 Custom Events titled “Paid B,” along with users’ IP addresses and Meta cookies, and often their email addresses and first names.

  • Between January 2020 and December 2022, Monument used Meta’s advertising platform to group the users it had identified to Meta via Custom Events into groups known as “audiences.” Oftentimes, Monument gave these audiences names in the advertising platform that further identified to Meta that they had signed up for the Service (and thus alcohol addiction treatment), such as “Paid sign up past 180 days,” “sign up 180 days,” “Paid B conversion 180 days,” “Paid – A conversion 180 days.” Monument sent advertisements to users via these audiences, as well as used the audiences to find similar Facebook users and target them with advertisements for the Service.
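The mechanism described in the paragraphs above (Custom Event titles that state treatment status, sent together with identifiers such as a hashed email address and the client IP) lends itself to a first-party audit. The Python below is an added example, not part of the complaint and not code from Monument or any advertising platform. It scans a constructed log of outbound tracking requests for two problems: event names that reveal treatment status or enrollment (including renamed events such as “Paid – B”, which still marks every sign-up on a single-purpose treatment service), and parameters that let the recipient tie the event to a person. The second half shows why hashing the email address is not anonymisation: a recipient that already holds the plaintext addresses of its own account holders hashes them the same way and intersects. The hostname, the parameter names (`ev`, `ud[em]`, `ud[fn]`, `external_id`) and every sample value are assumptions that mirror common pixel conventions.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Event-name fragments that, by themselves, state the kind of treatment received.
SENSITIVE_TERMS = ("therapy", "med management", "physician", "treatment", "total care")
# Conversion-style names that reveal enrollment when the whole service is treatment.
ENROLLMENT_TERMS = ("sign up", "signup", "paid", "purchase",
                    "completeregistration", "activated", "checkout")
# Query parameters carrying a person-level identifier (assumed pixel convention).
IDENTIFIER_PARAMS = {"ud[em]": "hashed email", "ud[fn]": "hashed first name",
                     "ud[ph]": "hashed phone", "external_id": "external id"}


def hash_email(email: str) -> str:
    """Normalise and SHA-256 an address the way advertising pixels commonly do."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


# Constructed sample of outbound requests, as a first-party proxy might log them.
# Host, parameter names and values are made up for this example.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.7",
     "url": "https://tracker.example/tr?id=123&ev=PageView"},
    {"client_ip": "203.0.113.7",
     "url": f"https://tracker.example/tr?id=123&ev=Sign%20Up&ud[em]={hash_email('Alice@Example.com')}"},
    {"client_ip": "203.0.113.9",
     "url": f"https://tracker.example/tr?id=123&ev=Paid%3A%20Weekly%20Therapy"
            f"&ud[em]={hash_email('bob@example.org')}&ud[fn]={hashlib.sha256(b'bob').hexdigest()}"},
    {"client_ip": "198.51.100.4",
     "url": "https://tracker.example/tr?id=123&ev=Paid%20-%20B&external_id=member-8812"},
]


@dataclass
class Finding:
    host: str
    event: str
    reasons: list
    identifiers: list


def classify_event(event: str, single_purpose_health_service: bool = True) -> list:
    """Return the reasons an event name is sensitive; empty list if it is not."""
    name = event.lower()
    reasons = []
    if any(term in name for term in SENSITIVE_TERMS):
        reasons.append("event name states treatment type")
    if single_purpose_health_service and any(term in name for term in ENROLLMENT_TERMS):
        reasons.append("enrollment event on a single-purpose health service")
    return reasons


def _params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def audit_request(entry: dict, single_purpose_health_service: bool = True):
    """Flag one logged request if its event is sensitive; list what identifies the user."""
    params = _params(entry["url"])
    event = params.get("ev", "")
    reasons = classify_event(event, single_purpose_health_service)
    if not reasons:
        return None
    identifiers = [label for key, label in IDENTIFIER_PARAMS.items() if key in params]
    identifiers.append("client IP")  # always visible to the recipient at transport level
    return Finding(urlparse(entry["url"]).netloc, event, reasons, identifiers)


def audit_log(entries, single_purpose_health_service: bool = True) -> list:
    results = (audit_request(e, single_purpose_health_service) for e in entries)
    return [f for f in results if f is not None]


def hashed_emails_in(entries) -> list:
    """Collect the hashed-email values a recipient would receive from this log."""
    return [p["ud[em]"] for p in (_params(e["url"]) for e in entries) if "ud[em]" in p]


def match_hashed_emails(hashes, account_emails) -> dict:
    """What a recipient holding plaintext account emails can do with the hashes:
    hash its own list identically and intersect. The hash adds no protection."""
    table = {hash_email(e): e.strip().lower() for e in account_emails}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    for f in audit_log(SAMPLE_REQUESTS):
        print(f"{f.host}: '{f.event}' -> {'; '.join(f.reasons)} | identifiers: {', '.join(f.identifiers)}")
    linked = match_hashed_emails(hashed_emails_in(SAMPLE_REQUESTS), ["alice@example.com"])
    print("re-identified:", list(linked.values()))
```

Running this over a real request log is the check a privacy review would want before any tag goes live: any hit is a disclosure that needs either a contract restricting the recipient's use, affirmative consent, or removal of the tag. The `single_purpose_health_service` flag encodes the complaint's point that on a service whose only product is addiction treatment, even a bare “Sign Up” event is health information.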

Disclosures of health information to other third parties
  • Monument similarly sent Standard Events and Custom Events containing as many as 84,468 users’ health information to several other third-party platforms for advertising during the same time frame. In all such instances, it accompanied the events with users’ IP addresses and/or email addresses so that the third parties could associate the events with individuals.

    • AdRoll – From August 2020 to February 2023, Monument sent events titled “Sign Up” and “Purchase” to AdRoll.
    • Amazon – From May 2020 to December 2022, Monument sent an event titled “Sign Up” to Amazon.
    • Google – From January 2020 to December 2022, Monument sent events titled “Sign Up” and “Activated” to Google.
    • Impact – From September 2021 to February 2023, Monument sent an event titled “Sign Up” to Impact.
    • LiveIntent – From October 2021 to December 2022, Monument sent the following events to LiveIntent for advertising: “Monument – Physician Sign Up Confirmation” for 3,537 users, “Monument – Total Care Sign Up Confirmation Biweekly” for 1,416 users, and “Monument – Total Care Sign Up Confirmation Weekly” for 1,842 users.
    • Microsoft – From August 2020 to December 2022, Monument sent an event titled “Sign Up” to Microsoft.
    • Pinterest – From August 2021 to December 2022, Monument sent events titled “Sign Up” and “checkout” to Pinterest.
    • PowerInbox – From July 2020 to December 2022, Monument sent an event titled “Sign Up” to PowerInbox.
    • Quora – From May 2020 to February 2022, Monument sent events titled “CompleteRegistration” and “Purchase” to Quora.
    • Reddit – From October 2020 to December 2022, Monument sent events titled “Sign Up” and “Purchase” to Reddit.
  • In addition, Monument determined that it may have disclosed the insurance information, name, email address, address, and/or phone number of up to 2,436 users to Google via an integration of Google Analytics with Monument’s Jotform insurance information collection page.

Failure to limit third parties’ use of consumers’ health information
  • In disclosing users’ health information to Meta, Google, and other third parties, Monument did not contractually limit how these third parties could use or disclose that sensitive information.

  • Monument merely agreed to the third parties’ general terms of service, which either placed no restrictions on the third parties’ use and disclosure of the information or specifically permitted them to use the information for their own purposes.

    • For example, Meta’s Business Tools Terms, to which Monument agreed, stated that it “may also use Event Data . . . for research and development purposes, and to . . . improve the Facebook Company Products.” And Meta has in fact used the users’ personal information it received from Monument for its own purposes, including improving its advertising products, tracking suspicious activity on its platforms, and research and development.
    • Similarly, Pinterest’s Ad Data Terms provided: “We use Ad Data you give us for measuring ad effectiveness, ad delivery and reporting, improving safety and security on Pinterest, research and product development, and for other uses that you give us permission for.”
    • Google Analytics’s documentation regarding “Data sharing settings” explained: “When you turn this setting ON, Google can access and analyze data to better understand online behavior and trends, and use this data to improve Google products and services. For example, this data can be used to improve the Google Ads system tools that you use to create, manage, and analyze your ad campaigns.” This “data sharing setting” was enabled for 16 Monument properties, at least two of which were linked to Google Ad accounts.

Deceptive HIPAA Representations
  • In December 2021, Monument hired an outside company to assess Monument’s compliance with HIPAA in a process known as a “HIPAA Gap Assessment.” The assessment took place from December 2021 to January 2022 and consisted of interviews with Monument staff, as well as a review of Monument’s policies, practices, and procedures. The assessor concluded that Monument was only 60% in compliance with HIPAA because the company had “not addressed” the following 10 categories:

    • Risk analysis
    • Risk management
    • Contingency plan
    • Disaster recovery plan
    • Testing and revision procedures
    • Application and criticality analysis
    • Contingency operations
    • Maintenance records
    • Emergency access procedures
    • Person or entity authentication
  • Additionally, the assessor found that Monument had only “partially addressed” 23 more categories, which included:

    • Information access management
    • Access authorization
    • Security awareness and training
    • Protections from malicious software
    • Access controls and validation procedures
    • User identification
    • Encryption
  • The assessor recommended 34 changes to Monument’s policies, practices, and procedures to bring Monument into compliance with HIPAA.

  • In February 2022, Monument hired the same assessor to evaluate Monument’s data security practices, policies, and procedures concerning HIPAA compliance. In a November 2022 report, the assessor concluded that Monument’s data security policies, practices, and procedures were only 71% in compliance with HIPAA due to the company having “not addressed” two controls related to:

    • Risk management
    • Logical access
  • Additionally, Monument had only “partially addressed” 11 more controls related to:

    • Security policy
    • Risk management
    • Physical security
    • Network security
    • Logical access
    • Operations management
  • Despite the assessor’s findings that Monument had significant deficiencies in its HIPAA compliance program, Monument continued to represent to consumers that it was HIPAA compliant. By the summer of 2023, Monument received an assessment score of 94%.

MONUMENT FAILED TO IMPLEMENT REASONABLE PRIVACY MEASURES TO PREVENT DISCLOSURE OF HEALTH INFORMATION VIA ADVERTISING TECHNOLOGIES

Unfair privacy practices
  • From no later than January 2020 to at least December 2022, Monument engaged in practices that failed to prevent the disclosure of users’ health information via tracking technologies to third-party advertising platforms. Monument:

    • Failed to assess adequately the privacy risks of third-party tracking technologies, including pixels and APIs, before incorporating those technologies into its website.
    • Failed to engage in audits, assessments, compliance reviews, or tests regarding the data collection and privacy practices of the third-party companies whose tracking technologies were incorporated into its website.
    • Failed to obtain users’ affirmative express consent to disclose their health information to third parties for advertising, as well as for the third parties’ own purposes, such as research and product improvement.
    • Failed to enforce or ensure compliance with its own privacy promises to consumers by failing to establish or enforce any internal privacy compliance programs, protocols, or policies regarding third-party tracking technologies.
    • Failed to contractually limit third parties from using users’ health information for their own purposes, including research and product improvement, without providing users notice or obtaining their consent.
    • Failed to develop policies, practices, and procedures to ensure the secure implementation of third-party tracking technologies and that these technologies complied with Monument’s privacy promises.
    • Failed to inventory or track the personal information collected from consumers via tracking technologies, including which users’ health information was disclosed to third parties for advertising purposes.
  • As a result, Monument misrepresented its practices concerning the disclosure of users’ health information for advertising and the recipient third parties' own purposes, and Monument failed to obtain users’ affirmative express consent before making such disclosures.

Consumer Injury
  • Monument’s disclosure of thousands of users’ health information without reasonable privacy practices, safeguards, or users’ affirmative express consent caused or is likely to cause substantial injury to users. This health information—including the fact that users were receiving alcohol addiction treatment (including therapy and medication) along with identifying information, such as their email addresses and IP addresses—is highly sensitive.
  • The disclosure of this information is likely to cause stigma, embarrassment, and/or emotional distress to the users. It may also negatively impact their ability to obtain or retain employment, housing, health insurance, or disability insurance.
  • Monument’s users could not reasonably avoid these harms. Monument’s specific privacy representations, as described in Paragraphs 12-14, made it highly likely that users would rely on those claims and unlikely they would scrutinize the dense privacy policy for contradictory information.
  • These harms were not outweighed by countervailing benefits to consumers or competition.

Monument is violating or about to violate laws enforced by the Commission
  • Based on the facts and violations of law alleged in this Complaint, the FTC has reason to believe that Monument is violating or is about to violate laws enforced by the Commission because:
    • Monument engaged in its unlawful acts and practices repeatedly over a period of two years.
    • Monument continued its unlawful acts and practices despite internal concerns and warnings from Meta.
    • Monument continued to make misleading HIPAA representations even after learning of its HIPAA audit results.
    • Monument remains in the business of providing an alcohol recovery platform that requires the collection of substantial amounts of users’ personal information, including health information, and continues to advertise its products.
    • Monument maintains the means and ability to resume its unlawful conduct.

VIOLATIONS OF THE FTC ACT

  • Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”
  • Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.
  • Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).

Count I. Unfair Privacy Practices

  • In numerous instances, as alleged in Paragraphs 38-39, Monument failed to employ reasonable measures to prevent the disclosure of consumers’ health information via tracking technologies to third parties for advertising and the third parties’ own purposes.
  • As described in Paragraphs 40-42, Monument’s actions caused or are likely to cause substantial injury to consumers that those consumers could not themselves reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition.
  • Therefore, Monument’s acts or practices as set forth in Paragraph 47 constitute unfair acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), (n).

Count II. Unfair Disclosure of Consumers’ Health Information for Advertising and Recipient Third Parties’ Own Purposes Without Affirmative Express Consent

  • In numerous instances as alleged in Paragraphs 12-14, 17-34, 38-39, Monument failed to obtain consumers’ affirmative express consent before disclosing their health information to third parties for advertising and the third parties’ own purposes.
  • As described in Paragraphs 40-42, Monument’s actions caused or are likely to cause substantial injury to consumers that consumers could not themselves reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition.
  • Therefore, Monument’s acts or practices as set forth in Paragraph 50 constitute an unfair act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), (n).

Count III. Privacy Misrepresentation – Disclosures of Health Information to Third Parties

  • In numerous instances, as alleged in Paragraphs 12-14, Monument represented, directly or indirectly, expressly or by implication, that it would not disclose consumers’ health information to third parties without those consumers’ knowledge or consent.
  • In fact, in numerous instances in which Monument made the representations set forth in Paragraph 53, Monument did disclose consumers’ health information to third parties, as set forth in Paragraphs 17-34, without those consumers’ knowledge or consent.
  • Therefore, Monument’s representations as set forth in Paragraph 53 are false or misleading and constitute a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Count IV. Misrepresentation – Compliance with HIPAA

  • In numerous instances, as alleged in Paragraphs 12 and 14, Monument represented, directly or indirectly, expressly or by implication, that it was compliant with HIPAA.
  • In truth and fact, in numerous instances in which Monument made the representations set forth in Paragraph 56, Monument was not compliant with HIPAA, as Monument acknowledged in its breach notification described in Paragraphs 17-19, and as its own assessor determined, as set forth in Paragraphs 35-36.
  • Therefore, Monument’s representations as set forth in Paragraph 56 are false or misleading and constitute a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

VIOLATION OF THE OPIOID ADDICTION RECOVERY FRAUD PREVENTION ACT OF 2018

  • The Opioid Addiction Recovery Fraud Prevention Act of 2018 (“OARFPA”), P.L. 115-271, 15 U.S.C. § 45d, was enacted on October 24, 2018. OARFPA prohibits unfair or deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product. 15 U.S.C. § 45d(a). OARFPA defines “substance use disorder treatment product” to mean “a product for use or marketed for use in treatment, cure, or prevention of a substance use disorder, including an opioid use disorder.” P.L. 115-271 § 802, 15 U.S.C. § 45d.
  • As described in Paragraphs 8-14 above, Monument has advertised, marketed, promoted, offered for sale, and sold alcohol addiction treatment services. Furthermore, Monument has never advertised, marketed, promoted, offered for sale, or sold any service other than its alcohol addiction treatment services.
  • Pursuant to 15 U.S.C. § 45d(b)(1), a violation of 15 U.S.C. § 45d(a) is treated as a violation of a rule under Section 18(a) of the FTC Act, 15 U.S.C. § 57a(a), regarding unfair or deceptive acts or practices.
  • Section 19(b) of the FTC Act, 15 U.S.C. § 57b(b), and Section 8023(b) of the OARFPA, 15 U.S.C. § 45d(b), authorize this Court to grant such relief as the Court finds necessary to redress injury to consumers resulting from Defendant’s violations of OARFPA.
  • Monument misrepresented its practices as to its disclosure of users’ personal information, including their health information, in connection with its advertisement, marketing, promotion, offering for sale, and sale of alcohol addiction treatment services.

Count V. Deceptive Privacy Claim

  • In numerous instances in connection with the advertising, marketing, promotion, offering for sale, or sale of its alcohol addiction treatment services, including through the means described in Paragraphs 8-14, Monument represented, directly or indirectly, expressly or by implication, that it would not disclose users’ personal information, including their health information, to third parties without those consumers’ knowledge or consent.
  • In truth and in fact, as set forth in Paragraphs 17-34, Monument disclosed users’ personal information, including their health information, to third parties without consumers’ knowledge or consent.
  • Therefore, the making of the misrepresentations set forth in Paragraph 64 constitutes a deceptive act or practice with respect to a substance use disorder treatment product, in violation of Section 8023(a) of OARFPA, 15 U.S.C. § 45d(a).

CONSUMER INJURY

  • Consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Monument’s violations of the FTC Act. Absent injunctive relief by this Court, Monument is likely to continue to injure consumers and harm the public interest.

CIVIL PENALTIES

  • Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), authorizes this Court to award civil penalties for each violation of OARFPA.
  • Defendant violated OARFPA with the knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A).

PRAYER FOR RELIEF

Wherefore, Plaintiff requests that the Court:

  • Enter a permanent injunction to prevent future violations of the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act by Monument;
  • Impose civil penalties on Defendant for each violation of OARFPA alleged in this Complaint; and
  • Award any additional relief as the Court determines to be just and proper.

Respectfully submitted,

Dated: 4/11/24

Of Counsel:
ELISA JILLSON
D.C. Bar No. 989763

ROBIN ROSEN SPECTOR
D.C. Bar No. 449324
Federal Trade Commission
600 Pennsylvania Ave., NW
Mailstop CC-6316
Washington, DC 20580
(202) 326-3001 (voice)
(202) 326-3062 (fax)
Email: ejillson@ftc.gov
Email: rspector@ftc.gov

FOR THE UNITED STATES OF AMERICA:

BRIAN BOYNTON
Assistant Attorney General
Civil Division

AMANDA N. LISKAMM
Director, Consumer Protection Branch

LISA K. HSIAO
Senior Deputy Director

ZACHARY A. DIETERT
Assistant Director

RICHARD S. GREENE IV
TN Bar No. 024450
Senior Trial Attorney
Consumer Protection Branch
U.S. Department of Justice
450 5th St. NW, Suite 6400
Washington, DC 20001
Phone: 202-305-3827
Email: Richard.S.Greene.IV@usdoj.gov


STIPULATED ORDER FOR PERMANENT INJUNCTION, CIVIL PENALTY JUDGMENT, AND OTHER RELIEF

Plaintiff, the United States of America, acting upon notification and referral to the Attorney General by the Federal Trade Commission (“Commission”), filed its Complaint for Civil Penalties, Permanent Injunction, and Other Relief (“Complaint”) in this matter, pursuant to Sections 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 53(b), 56(a)(1), and 57b, and Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018, 15 U.S.C. § 45d (“OARFPA”). Defendant has waived service of the summons and the Complaint. Plaintiff and Defendant stipulate to the entry of this Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Relief (“Order”) to resolve all matters in dispute in this action between them.

THEREFORE, IT IS ORDERED as follows:

FINDINGS

  • This Court has jurisdiction over this matter.

  • The Complaint charges that Defendant participated in deceptive and unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, in connection with Defendant’s failure to employ reasonable measures to prevent the disclosure of consumers’ health information via tracking technologies to third parties for advertising and the third parties’ own purposes; failure to obtain consumers’ affirmative express consent before disclosing their health information to third parties; misrepresentations that Defendant would not disclose consumers’ health information to third parties without those consumers’ knowledge or consent; and misrepresentations that Defendant was compliant with the Health Insurance Portability and Accountability Act (“HIPAA”). The Complaint also charges that Defendant’s deceptive acts or practices in connection with Defendant’s alcohol addiction treatment service violated Section 8023 of OARFPA.

  • Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.

  • Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear its own costs and attorney fees.

  • Defendant and Plaintiff waive all rights to appeal or to otherwise challenge or contest the validity of this Order.

DEFINITIONS

For purposes of this Order, the following definitions apply:

  • "Affirmative Express Consent" means any freely given, specific, informed, and unambiguous indication of an individual consumer’s wishes demonstrating agreement by the consumer, such as by a clear affirmative action, following a Clear and Conspicuous disclosure to the consumer of:
    • The categories of information that will be collected;
    • The specific purpose(s) for which the information is being collected, used, or disclosed;
    • The names or categories of Third Parties (e.g., “analytics partners” or “advertising partners”) collecting the information, or to whom the information is disclosed, provided that if Defendant discloses the categories of Third Parties, the disclosure shall include a hyperlink to a separate page listing the names of the Third Parties;
    • A simple, easily located means by which the consumer can withdraw consent; and
    • Any limitations on the consumer’s ability to withdraw consent.

    The Clear and Conspicuous disclosure must be separate from any “privacy policy,” “terms of service,” “terms of use,” or other similar document. The following do not constitute Affirmative Express Consent:
    • Inferring consent from hovering over, muting, pausing, or closing a given piece of content by the consumer; or
    • Obtaining consent through a user interface that has the effect of subverting or impairing user autonomy, decision-making, or choice.

  • "Clear(ly) and conspicuous(ly)" means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

    • In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure is made in only one means.
    • A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
    • An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
    • In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
    • The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the representation that requires the disclosure appears.
    • The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
    • The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
    • When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group.
  • "Covered Business" means Defendant or any business that Defendant controls, directly or indirectly.

  • "Covered Incident" means any instance of a violation of Section I, II, or III of this Order.

  • "Covered Information" means information from or about an individual consumer, including:

    • A first and last name;
    • A physical address, including street name and name of a city or town;
    • Geolocation information sufficient to identify street name and name of a city or town;
    • An email address or other online contact information, such as a user identifier or a screen name;
    • A telephone number;
    • A government-issued identification number, such as a driver’s license, military identification, passport, Social Security number, or other personal identification number;
    • Financial institution account number;
    • Credit or debit card information;
    • Data that depicts or describes the physical or biological traits of an identified or identifiable person, including depictions, descriptions, recordings, or copies of an individual’s facial or other physical features, finger or handprints, voice, genetics, or characteristic movements or gestures;
    • A persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a mobile device ID, advertising ID, processor serial number, or any other persistent identifier that can be used to recognize a user over time and/or across different devices, websites, or online services;
    • Health Information; or
    • Any individually identifiable information combined with any of the above.
  • "Covered User" means any individual consumer who:

    • Created an account with Defendant before December 29, 2022; and
    • To whom Defendant did not send a breach notification on or about March 23, 2023.
  • "Defendant" means Monument, Inc., doing business as Monument Health Services, its successors and assigns, and Tempest, Inc., and its successors and assigns.

  • "Delete," "Deleted," or "Deletion" means to remove Covered Information such that it is not maintained in retrievable form and cannot be retrieved through physical or technical means.

  • "Health Information" means individually identifiable information relating to the past, present, or future physical or mental health or condition(s) of a consumer, including:

    • Information concerning drug or alcohol addiction (including recovery from drug or alcohol addiction or treatment for drug or alcohol addiction) or alcohol or drug use;
    • Information concerning the consumer’s diagnosis;
    • Information concerning the consumer’s use of, creation of an account associated with, or response to a question or questionnaire related to, a service or product offered by Defendant or through one of any of Defendant’s online properties, services, or mobile applications;
    • Information concerning medical- or health-related purchases;
    • Information concerning the past, present, or future payment for the provision of health care to the consumer; or
    • Information derived or extrapolated from any of the above.
  • "Personal Information" means information from or about an individual consumer, including:

    • A first and last name;
    • A physical address, including street name and name of city or town;
    • Geolocation information sufficient to identify street name and name of a city or town;
    • An email address or other online contact information, such as a user identifier or a screen name;
    • A telephone number;
    • A government-issued identification number, such as a driver’s license, military identification, passport, Social Security number, or other personal identification number;
    • Financial institution account number;
    • Credit or debit card information;
    • Data that depicts or describes the physical or biological traits of an identified or identifiable person, including depictions, descriptions, recordings, or copies of an individual’s facial or other physical features, finger or handprints, voice, genetics, or characteristic movements or gestures;
    • A persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (IP) address, a mobile device ID, processor serial number, or any other persistent identifier that can be used to recognize a user over time and/or across different devices, websites, or online services;
    • Health Information; or
    • Any individually identifiable information combined with any of the above.
  • "Protected Health Information" means individually identifiable health information:

    • Except as provided in subsection (2) of this definition, that is:
      • Transmitted by electronic media;
      • Maintained in electronic media; or
      • Transmitted or maintained in any other form or medium.
    • Protected health information excludes individually identifiable health information:
      • In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g;
      • In records described at 20 U.S.C. § 1232g(a)(4)(B)(iv);
      • In employment records held by a covered entity in its role as employer; and
      • Regarding a person who has been deceased for more than 50 years.
  • "Third Party" means any individual or entity other than:

    • Defendant;
    • A service provider of Defendant that:
      • Processes, uses, or receives Covered Information collected by or on behalf of Defendant for and at the direction of the Defendant and no other individual or entity;
      • Does not disclose Covered Information, or any individually identifiable information derived from such Covered Information, to any individual or entity other than Defendant or a subcontractor to such service provider bound to data processing terms no less restrictive than terms to which the service provider is bound; and
      • Does not use Covered Information for any purpose other than performing the services specified in the service provider’s contract with Defendant.
    • A therapist, counselor, physician, or other health-care provider employed by or contracted with Defendant;
    • An insurer, clearinghouse, or any other party to whom disclosure of Covered Information is necessary to submit or process an insurance claim; or
    • Any entity (including a service provider) that uses Covered Information only as reasonably necessary to:
      • Comply with applicable law, regulation, or legal process;
      • Detect, prevent, or mitigate fraud or security vulnerabilities;
      • Debug to identify and repair errors that impair existing intended functionality, provided that any such use is reasonably necessary and proportionate to achieve the purpose for which the Covered Information was collected or processed; or
      • Undertake internal research for the technological development and demonstration of Defendant’s products or services, provided that any such use is reasonably necessary and proportionate to achieve the purpose for which the Covered Information was collected or processed.

ORDER

I. Ban on Disclosure of Health Information for Advertising Purposes

IT IS ORDERED that:

  • Defendant, Defendant’s officers, agents, employees, and attorneys who receive actual notice of this Order, whether directly or indirectly, are permanently restrained and enjoined from disclosing Health Information to Third Parties for Advertising Purposes.
  • For purposes of this Section, “Advertising Purposes” means advertising, marketing, promoting, offering, offering for sale, or selling any products or services on, or through Third Party websites, mobile applications, or services.
  • Advertising Purposes shall not include:
    • Reporting and analytics related to understanding advertising and advertising effectiveness, such as statistical reporting, traffic analysis, understanding the number of and type of ads served, or conversion measurement;
    • Communications, services, or products requested by a consumer that are sent or provided to the consumer; or
    • Contextual advertising, meaning non-personalized advertising shown as part of a consumer’s current interaction with Defendant’s website or mobile applications, provided that the consumer’s Covered Information is not disclosed to another Third Party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interactions with Defendant’s websites or mobile application.

II. Requirement to Obtain Affirmative Express Consent for Any Other Disclosure of Health Information

IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, prior to disclosing any consumer’s Health Information to any Third Party, must obtain the relevant consumer’s Affirmative Express Consent.

III. Prohibition Against Misrepresentations

IT IS FURTHER ORDERED that:

  • Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with promoting or offering for sale any good or service, are permanently restrained and enjoined from misrepresenting, expressly or by implication:
    • The extent to which Defendant collects, maintains, uses, discloses, Deletes, or permits or denies access to any Personal Information, or the extent to which Defendant protects the privacy, security, availability, confidentiality, or integrity of any Personal Information;
    • The purpose(s) for which Defendant, or any entity to whom Defendant discloses or permits access to Personal Information, collects, maintains, uses, discloses, or permits access to any Personal Information;
    • The extent to which a consumer can maintain privacy, confidentiality, or anonymity when visiting or using any online properties, services, or mobile applications associated with Defendant; or
    • The extent to which Defendant is a HIPAA-covered entity, and the extent to which Defendant’s privacy and information practices, policies, and procedures comply with HIPAA.

IV. Data Deletion

IT IS FURTHER ORDERED that:

  • Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with promoting or offering for sale any good or service, must, within 60 days after the effective date of this Order:
    • Identify all Third Parties that accessed, received, or acquired Covered Information from Defendant in any form, including hashed or encrypted Covered Information, without a consumer’s Affirmative Express Consent.
    • Identify what Covered Information was disclosed to each Third Party identified in sub-Section IV.A.1.
    • Submit a list of the information identified in sub-Sections IV.A.1-2 and the methodologies used to identify the information in sub-Sections IV.A.1-2 to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E.
  • Within 90 days after the effective date of this Order, provide a copy of the Complaint and Order to all Third Parties identified in sub-Section IV.A.1, and instruct those Third Parties to Delete all Covered Information accessed, received, or acquired from Defendant.
    • Defendant’s instruction to each such Third Party shall include a list of the Covered Information identified in sub-Section IV.A.2 and shall demand written confirmation from each such Third Party that it has Deleted such Covered Information.
    • Defendant must provide all instructions sent to the Third Parties to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E.
  • As of the issuance of this Order, Defendant shall not disclose any Covered Information in any form, including hashed or encrypted Covered Information, to any Third Party identified in sub-Section IV.A.1 until Defendant confirms each Third Party’s receipt of the instructions required by sub-Section IV.B.
    • This sub-Section is subject to the prohibitions set forth in Section I.
    • Defendant must provide all receipts of confirmation and any responses from Third Parties within five (5) days of receipt to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E.

V. Notice

IT IS FURTHER ORDERED that:

  • On or before 14 days after the effective date of this Order, Defendant must email all Covered Users, using the last known verified email address in Defendant’s possession, custody, or control, an exact copy of the notice attached hereto as Exhibit A (“Notice”).
    • Provided, however, that if Defendant does not have email information for any Covered User, Defendant must send the Notice to that Covered User through Defendant’s primary means of communicating with that user.
    • Defendant shall not include with the Notice any other information, documents, or attachments.

VI. Mandated Privacy Program

IT IS FURTHER ORDERED that any Covered Business, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within 60 days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program (“Privacy Program”) that protects the privacy, security, availability, confidentiality, and integrity of such Covered Information. To satisfy this requirement, Defendant must, for each Covered Business, at a minimum:

  • Document in writing the content, implementation, and maintenance of the Privacy Program.

  • Provide the written program and any evaluations thereof or updates thereto to the Covered Business’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the Covered Business’s Privacy Program at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident.

  • Designate a qualified employee or employees, who report(s) directly to an executive, such as the Chief Executive Officer, Chief Compliance Officer, or Chief Legal Officer, to coordinate and be responsible for the Privacy Program. Keep the executive and the Board of Directors informed of the Privacy Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order.

  • Assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks in each area of the Covered Business’s operations to the privacy, security, availability, confidentiality, and integrity of Covered Information that could result in the unauthorized access, collection, use, destruction, or disclosure of, or provision of access to, Covered Information.

  • Design, implement, maintain, and document safeguards that control for the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information identified by the Covered Business in response to sub-Section VI.D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, Deletion, disclosure of, or provision of access to, the Covered Information. Such safeguards must also include:

    • Policies, procedures, and technical measures to systematically inventory Covered Information in the Covered Business’s control and Delete Covered Information that is no longer reasonably necessary and in accordance with applicable retention laws and regulations.
    • Policies, procedures, and technical measures to prevent the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information inconsistent with the Covered Business’s representations to consumers.
    • Audits, assessments, and reviews of the contracts, privacy policies, and terms of service associated with any Third Party to which the Covered Business discloses, or provides access to, Covered Information.
    • Policies and technical measures that limit employee and contractor access to Covered Information to only those employees and contractors with a legitimate business need to access such Covered Information.
    • Mandatory privacy training programs for all employees with access to Covered Information in connection with the Covered Business on at least an annual basis, with such training covering any internal or external risks identified by Defendant in sub-Section VI.D, the safeguards implemented pursuant to sub-Section VI.E, and the requirements of this Order.
    • A data retention policy that, at a minimum, includes:
      • A retention schedule that limits the retention of Covered Information to the shortest time necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be Deleted, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order.
      • A requirement that Defendant documents, adheres to, and makes publicly available on its terms of service/use a retention schedule for Covered Information, setting forth:
        • The purposes for which the Covered Information is collected.
        • The specific business need for retaining each type of Covered Information.
        • A set timeframe in accordance with applicable laws and regulations for Deletion of each type of Covered Information (absent any intervening Deletion requests from consumers) that precludes indefinite retention of any Covered Information.
    • Audits, assessments, reviews, or testing of each mechanism by which the Covered Business discloses Covered Information to a Third Party or provides a Third Party with access to Covered Information (including but not limited to web beacons, pixels, and Software Development Kits).
    • For each product or service offered by any Covered Business, Clearly and Conspicuously disclose the categories of Covered Information collected from consumers, the purposes for the collection of each category of Covered Information, and any transfer of Covered Information to a Third Party. For each such transfer of Covered Information, the disclosure must, at a minimum, include:
      • The specific categories of Covered Information transferred.
      • The identity of each Third Party receiving the transfer.
      • The purposes for which the Covered Business transferred the Covered Information to each Third Party.
      • The purposes for which each Third Party receiving the Covered Information may use the Covered Information, including but not limited to the purposes for which the Third Party reserves the right to use such Covered Information.
      • Whether each Third Party receiving the Covered Information reserves the right to transfer the Covered Information to other entities or individuals.
  • Assess, at least once every 12 months, and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information, and modify the Privacy Program based on the results.

  • Test and monitor the effectiveness of the safeguards at least once every 12 months, and promptly (not to exceed 30 days) following a Covered Incident, and modify the Privacy Program based on the results.

  • Select and retain service providers capable of safeguarding Covered Information they receive from the Covered Business, and contractually require service providers to implement and maintain safeguards for Covered Information.

  • Evaluate and adjust the Privacy Program in light of any material changes to the Covered Business’s operations or business arrangements, the results of the testing and monitoring required by sub-Section VI.G, a Covered Incident, and any other circumstances that the Covered Business knows or has reason to believe may have a material impact on the effectiveness of the Privacy Program or any of its individual safeguards (including but not limited to new or more efficient technological or operational methods to control for the risks identified in sub-Section VI.D). The Covered Business may make this evaluation and adjustment to the Privacy Program at any time, but must, at a minimum, evaluate the Privacy Program at least once every 12 months and modify the Privacy Program as necessary based on the results.

VII. Privacy Assessments by a Third-Party Assessor

IT IS FURTHER ORDERED that, in connection with its compliance with Section VI, for any Covered Business that collects, maintains, uses, discloses, or provides access to Covered Information, Defendant must obtain initial and biennial assessments (“Assessments”):

  • The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who:

    • Uses procedures and standards generally accepted in the profession.
    • Conducts an independent review of the Privacy Program.
    • Retains all documents relevant to each Assessment for 5 years after completion of such Assessment.
    • Will provide such documents to the Commission within 10 days of receipt of a written request from a representative of the Commission.
    • No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.
    • The Assessor must have a minimum of 3 years of experience in the field of privacy and data protection.
  • For each Assessment, Defendant must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in his or her sole discretion.

  • The reporting period for the Assessments must cover:

    • The first year after the issuance date of the Order for the initial Assessment.
    • Each 2-year period thereafter for 20 years after the issuance date of the Order for the biennial Assessments.
  • Each Assessment must, for the entire assessment period:

    • Determine whether Defendant has implemented and maintained the Privacy Program required by Section VI.
    • Assess the effectiveness of Defendant’s implementation and maintenance of sub-Sections VI.A-I.
    • Identify any gaps or weaknesses in the Privacy Program, or instances of material noncompliance with sub-Sections VI.A-I.
    • Address the status of gaps or weaknesses in the Privacy Program, as well as any instances of material non-compliance with sub-Sections VI.A-I, that were identified in any prior Assessment required by this Order.
    • Identify specific evidence (including but not limited to documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is:
      • Appropriate for assessing an enterprise of Defendant’s size, complexity, and risk profile.
      • Sufficient to justify the Assessor’s findings.
    • No finding of any Assessment shall rely solely on assertions or attestations by Defendant, Defendant’s management, or a Covered Business’s management.
    • The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Privacy Program and did not rely solely on assertions or attestations by Defendant, Defendant’s management, or a Covered Business’s management, and state the number of hours that each member of the Assessor’s assessment team worked on the Assessment.
    • To the extent a Covered Business revises, updates, or adds one or more safeguards required under sub-Section VI.E in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.
  • Each Assessment must be completed within 60 days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit the initial Assessment to the Commission within 10 days after the Assessment has been completed via email to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E. All subsequent biennial Assessments must be retained by Defendant until the Order is terminated and provided to the Associate Director for Enforcement within 10 days of request.

VIII. Cooperation with Assessor

IT IS FURTHER ORDERED that Defendant, whether acting directly or indirectly, in connection with the Assessments required by Section VII, must:

  • Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.
  • Provide or otherwise make available to the Assessor information about all Covered Information in Defendant’s custody or control so that the Assessor can determine the scope of the Assessment.
  • Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s:
    • Determination of whether Defendant has implemented and maintained the Privacy Program required by Section VI.
    • Assessment of the effectiveness of the implementation and maintenance of sub-Sections VI.A-I.
    • Identification of any gaps or weaknesses in, or instances of material noncompliance with, the Privacy Program required by Section VI.

IX. Annual Certification

IT IS FURTHER ORDERED that Defendant must:

  • One year after the issuance date of this Order, and each year thereafter for 10 years, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of each Covered Business that:
    • The Covered Business has established, implemented, and maintained the requirements of this Order.
    • The Covered Business is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission.
    • Includes a brief description of any Covered Incident.
  • The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.
  • Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E.

X. Covered Incident Reports

IT IS FURTHER ORDERED that Defendant, within 30 days after Defendant’s discovery of a Covered Incident, must submit a report to the Commission. The report must include, to the extent possible:

  • The date, estimated date, or estimated date range when the Covered Incident occurred.
  • A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known.
  • The number of consumers whose information was affected.
  • The acts that Defendant has taken to date to:
    • Remediate the Covered Incident.
    • Protect Covered Information from further disclosure, exposure, or access.
    • Protect affected individuals from identity theft or other harm that may result from the Covered Incident.
  • A representative copy of any materially different notice sent by Defendant to:
    • Consumers or
    • Any U.S. federal, state, or local government entity.

Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to the FTC’s Division of Enforcement, Bureau of Consumer Protection, in accordance with Provision XIV.E.

XI. Monetary Judgment for Civil Penalty and Suspension

IT IS FURTHER ORDERED that:

  • Judgment in the amount of Two Million and Five Hundred Thousand Dollars ($2,500,000) is entered in favor of Plaintiff against Defendant, as a civil penalty.

  • The judgment is suspended, subject to the sub-sections below.

    Plaintiff’s agreement to the suspension of the judgment is expressly premised upon the truthfulness, accuracy, and completeness of Defendant’s sworn financial statements and related documents (collectively, “Financial Representations”) submitted to the Commission, namely:

    • The Financial Statement of Defendant signed by Michael Russell, Chief Executive Officer, on October 12, 2023, including the attachments.
    • The additional documentation submitted by Defendant via counsel to Commission counsel on October 12, 2023, attaching the above-referenced Financial Statement of Defendant, 2020 Tax Return of Defendant, 2021 Tax Return of Defendant, and Consolidated Financial Statements of Defendant as of October 12, 2023 (including a Profit and Loss Statement, Balance Sheet, and Statement of Cash Flows since January 2020).
    • The additional documentation submitted by email from Defendant via counsel to Commission counsel dated October 30, 2023, attaching the 2022 Tax Return of Defendant.
    • The additional documentation submitted by Defendant via counsel to Commission counsel dated November 20, 2023.

    The suspension of the judgment will be lifted as to Defendant if, upon motion by the Plaintiff, the Court finds that Defendant failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the financial representations identified above.

    • If the suspension of the judgment is lifted, the judgment becomes immediately due as to Defendant in the amount specified in sub-section A above (which the parties stipulate only for purposes of this section represents the amount of the civil penalty for the violations alleged in the Complaint), less any payment previously made pursuant to this section, plus interest computed from the date of entry of this Order.

XII. Additional Monetary Provisions

IT IS FURTHER ORDERED that:

  • Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
  • The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Plaintiff or the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeable complaint in any bankruptcy case.
  • The facts alleged in the Complaint establish all elements necessary to sustain an action by the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.
  • Defendant agrees that the judgment represents a civil penalty owed to the government of the United States, is not compensation for actual pecuniary loss, and, therefore, it is not subject to discharge under the Bankruptcy Code pursuant to 11 U.S.C. § 523(a)(7).
  • Defendant acknowledges that its Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendant previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.

XIII. Order Acknowledgments

IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this Order:

  • Defendant, within 7 days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

  • For 3 years after entry of this Order, Defendant must deliver a copy of this Order to:

    • All principals, officers, directors, and LLC managers and members;
    • All employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; and
    • Any business entity resulting from any change in structure as set forth in Section XIV.

    Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.

  • From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.

XIV. Compliance Reporting

IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:

  • One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury, which does the following:

    • Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant;
    • Identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses;
    • Describe the activities of each business;
    • Describe in detail whether and how Defendant is in compliance with each Provision of this Order; and
    • Provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
  • For 10 years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following:

    • Any designated point of contact; or
    • The structure of Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
  • Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Defendant within 14 days of its filing.

  • Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on:” and supplying the date, signatory’s full name, title (if applicable), and signature.

  • Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:

    • Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: United States v. Monument, Inc. [X number].

XV. Recordkeeping

IT IS FURTHER ORDERED that Defendant must create certain records for 10 years after entry of the Order, and retain each such record for 5 years. Specifically, Defendant must create and retain the following records:

  • Accounting records showing the revenues from all goods or services sold;
  • Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s name, addresses, telephone numbers, job title or position, dates of service, and (if applicable) the reason for termination; and
  • All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.

XVI. Compliance Monitoring

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance with this Order, including the financial representations upon which the judgment was suspended:

  • Within 14 days of receipt of a written request from a representative of the Commission, Defendant must:
    • Submit additional compliance reports or other requested information, which must be sworn under penalty of perjury;
    • Appear for depositions; and
    • Produce documents for inspection and copying.

The Commission and Plaintiff are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.

  • For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission and Plaintiff to interview any employee or other person affiliated with any Defendant who has agreed to such an interview. The person interviewed may have counsel present.

  • The Commission and Plaintiff may use all other lawful means, including posing, through their representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice.

Nothing in this Order limits the Commission’s or Plaintiff’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

XVII. Retention of Jurisdiction

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.

SO ORDERED.

Date: June 7, 2024

BERYL A. HOWELL
United States District Judge
