The Federal Trade Commission fines GoodRx for sharing sensitive consumer health information with advertisers, in the agency’s first action under the Health Breach Notification Rule.
The Federal Trade Commission filed an order with the Justice Department on Wednesday that would bar GoodRx from sharing consumer health data with third parties for advertising purposes, among other safeguards. GoodRx also agreed to pay a $1.5 million fine, although the company did not admit wrongdoing. The order must be approved by a federal court to take effect.
Regulators are increasingly trying to crack down on companies that profit from consumers’ health information in the gray area of data practices that aren’t protected by existing law. The lack of comprehensive privacy laws in the U.S. has led to an abundance of data sharing, including that of highly sensitive medical information, between organizations and advertisers — especially as health apps that track everything from diabetes to fertility to heart health to sleep collect more and more data from users.
As a result, regulators are relying on newer levers such as the Health Breach Notification Rule (HBNR) to curtail the practice. The HBNR requires health apps and other connected devices to notify users and the FTC when their data is disclosed or acquired without users’ permission.
FTC officials said at a briefing Tuesday that the implementation of the HBNR protecting people’s health privacy is a high priority for the agency, and other health apps must pay close attention to their obligations under the rule or face government action.
Officials declined to comment on other investigations that may be underway.
California-based GoodRx offers discounts on prescription drugs, telehealth visits and other health services through a digital health platform. The company collects personal and health information about its users, generated both by the users themselves and by their pharmacy managers, when a user purchases a drug using a GoodRx coupon.
Since January 2017, more than 55 million people have visited or used GoodRx’s website or apps, according to the FTC.
According to the government’s complaint, GoodRx illegally shared user information with advertisers such as Google and Facebook for years, in violation of its privacy promises and without reporting unauthorized disclosures. GoodRx also shared user data with online advertiser Criteo, customer acquisition platform Branch and web engagement company Twilio.
GoodRx monetizes users’ personal health information and uses data it shares with Facebook to target those same users with personalized health-related ads on Facebook and Instagram. For example, in 2019, GoodRx compiled lists of users who bought drugs such as those for heart disease and blood pressure and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook so the site could identify their profiles and target them with ads, the FTC said.
GoodRx also falsely claimed to adhere to principles that require companies to obtain consent before using health information for advertising, while allowing the third parties with whom it shared data to use that data for advertising and for research and development.
The company also misrepresented its compliance with the HIPAA privacy law. The home page of GoodRx’s telehealth website displayed a seal falsely suggesting that the service was HIPAA compliant, which FTC officials said amounted to a deceptive and unfair business practice.
Along with the $1.5 million penalty, the FTC’s proposed order would permanently bar GoodRx from disclosing consumer health data to third parties for advertising purposes.
The order would also require GoodRx to obtain users’ affirmative consent before sharing their data for any other purpose. That consent must be clear, conspicuous and easily understood, and must be obtained separately from the privacy policy or terms of service, FTC officials said.
The order will also limit how long GoodRx can keep consumer information and require GoodRx to order third parties to delete consumer health data that has been shared with them.
GoodRx says the data-sharing issue was addressed nearly three years ago, before the FTC’s investigation began, and that it agreed to the settlement to avoid the time and expense of litigation.
“We disagree with the FTC’s allegations and admit no wrongdoing,” a spokesperson told Healthcare Dive.
The Biden administration has been more aggressive in regulating data sharing than previous administrations. Enforcement intensified after the Supreme Court overturned the constitutional right to abortion last summer, raising concerns that such data could be used to prosecute people who perform or help facilitate abortions.
In August, the FTC sued data broker Kochava for selling geolocation data on hundreds of millions of mobile devices that could be used to track users’ physical locations, including to and from sensitive areas such as reproductive health clinics.
Following the Supreme Court ruling, a number of data brokers and technology companies announced plans to stop selling access to geolocation data around reproductive health clinics or other sensitive areas, including data brokers SafeGraph and Placer.ai. Meanwhile, Google has promised to automatically delete location data showing whether users have visited an abortion clinic.
But some advocates say the tech giants aren’t doing enough to protect consumers. In November, 10 state prosecutors asked Apple to introduce stricter privacy controls for third-party apps in its app store that collect sensitive medical information.
And it may soon become more difficult to collect, analyze and profit from Americans’ information. The FTC proposed rules last summer to introduce stronger protections for Americans’ data privacy by cracking down on companies that collect and sell consumer data.
To date, the agency has received more than 11,000 comments on the proposal.
Editor’s note: This story has been updated to include comments from GoodRx.