FTC orders GoodRx to stop sharing consumer health data with advertisers, fines $1.5 million

The Federal Trade Commission fines GoodRx for sharing sensitive consumer health information with advertisers, in the agency’s first action under the Health Breach Notification Rule.

The Federal Trade Commission filed an order with the Justice Department on Wednesday that would bar GoodRx from sharing consumer health data with third parties for advertising purposes, among other safeguards. GoodRx also agreed to pay a $1.5 million fine, although the company did not admit wrongdoing. The order must be approved by a federal court to take effect.

Regulators are increasingly trying to crack down on companies that profit from consumers’ health information in the gray area of data practices that aren’t protected by existing law. The lack of comprehensive privacy laws in the U.S. has led to an abundance of data sharing, including that of highly sensitive medical information, between organizations and advertisers — especially as health apps that track everything from diabetes to fertility to heart health to sleep collect more and more data from users.

As a result, regulators are relying on new levers like the Health Breach Notification Rule (HBNR) to curtail the practice. The HBNR requires health apps and other connected devices to notify users and the FTC when their data is disclosed or acquired without users’ permission.

FTC officials said at a briefing Tuesday that the implementation of the HBNR protecting people’s health privacy is a high priority for the agency, and other health apps must pay close attention to their obligations under the rule or face government action.

Officials declined to comment on other investigations that may be underway.

California-based GoodRx offers discounts on prescription drugs, telehealth visits and other health services through a digital health platform. The company collects personal and health information about its users, generated by both them and their pharmacy managers, when a user purchases a drug using a GoodRx coupon.

Since January 2017, more than 55 million people have visited or used GoodRx’s website or apps, according to the FTC.

According to the government’s complaint, GoodRx illegally shared user information with advertisers such as Google and Facebook for years, in violation of its privacy promises and without reporting unauthorized disclosures. GoodRx also shared user data with online advertiser Criteo, customer acquisition platform Branch and web engagement company Twilio.

GoodRx monetizes users’ personal health information and uses data it shares with Facebook to target those same users with personalized health-related ads on Facebook and Instagram. For example, in 2019, GoodRx compiled lists of users who bought drugs such as those for heart disease and blood pressure and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook so the site could identify their profiles and target them with ads, the FTC said.

GoodRx also falsely claims to adhere to principles requiring companies to obtain consent before using health information for advertising, while allowing third parties with whom it shares data to use it for advertising and research and development.

The company also misrepresented its compliance with the HIPAA privacy law. The home page of GoodRx’s telehealth website included a seal falsely suggesting it was HIPAA compliant, which FTC officials said was a deceptive and unfair business practice.

Along with the $1.5 million penalty, the FTC’s proposed order would permanently bar GoodRx from disclosing consumer health data to third parties for advertising purposes.
