The FTC is taking enforcement action against GoodRx, a prescription drug discount provider. The action is under its Health Breach Notification Rule and claims that GoodRx has failed to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.
In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.
California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps.
According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms — contrary to its privacy promises — and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:
Shared personal health information with Facebook, Google, Criteo and others: Since at least 2017, the FTC claims that GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information — including its users’ prescription medications and personal health conditions — with third party advertising companies and advertising platforms like Facebook, Google and Criteo.
Used personal health information to target its users with ads: According to the FTC, GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
Failed to limit third-party use of personal health information: According to the FTC, GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
Misrepresented its HIPAA compliance: According to the FTC, GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
Failed to implement policies to protect personal health information: According to the FTC, GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written or standard privacy or data sharing policies or compliance programs in place.
Health Breach Notification Rule violation
According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track and receive alerts about their prescriptions, refills, pricing and medication purchase history.
GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.
Proposed order
In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:
Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
Limit retention of data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
Implement mandated privacy program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.
The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing.