The Federal Trade Commission is penalizing GoodRx for sharing users’ sensitive health information with advertisers, in the agency’s first enforcement action under the Health Breach Notification Rule.
The FTC filed an order with the Department of Justice on Wednesday that would prohibit GoodRx from sharing user health data with third parties for advertising purposes, among other guardrails. GoodRx has also agreed to pay a $1.5 million fine, though the company admitted no wrongdoing. The order needs to be approved by a federal court in order to go into effect.
Regulators are increasingly trying to crack down on companies profiting from users’ health information in the gray area of data practices not protected by existing law. The U.S.’ lack of comprehensive privacy legislation has resulted in a plethora of data sharing, including that of highly sensitive medical information, between organizations and advertisers — especially as health apps, which track everything from diabetes to fertility to heart health to sleep, collect more and more data from consumers.
As a result, regulators are leaning on new levers such as the Health Breach Notification Rule to tamp down on the practice. The HBNR requires health apps and other connected devices to notify consumers and the FTC when their data is disclosed or acquired without the consumers’ permission.
FTC officials said in a briefing Tuesday that enforcing the HBNR to protect people’s health privacy is a high priority for the agency, and other health apps should pay close attention to their obligations under the rule or expect government action.
Officials declined to comment on other investigations that might be underway.
California-based GoodRx offers prescription drug discounts, telehealth visits and other health services through a digital health platform. The company collects personal and health information about its users, generated both from them and from their pharmacy benefit managers when a consumer buys a medication using a GoodRx coupon.
Since January 2017, more than 55 million people have visited or used GoodRx’s website or apps, according to the FTC.
According to the government’s complaint, GoodRx illegally shared users’ information with advertisers such as Google and Facebook for years, in violation of its privacy promises and without reporting the unauthorized disclosures. GoodRx also shared user data with online advertiser Criteo, customer acquisition platform Branch and web engagement company Twilio.
GoodRx monetized users’ personal health information, and used data it shared with Facebook to target the same users with personalized health-specific advertisements on Facebook and Instagram. For example, in 2019 GoodRx compiled lists of users who had bought medication like those to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook so the site could identify their profiles and target them with ads, the FTC said.
GoodRx also falsely claimed that it complied with principles requiring companies to get consent before using health information for advertising, while allowing third parties that it shared data with to use it for advertising and research and development.
The company also misrepresented its compliance with the HIPAA privacy law. The homepage of GoodRx’s telehealth website included a seal falsely suggesting that it complied with HIPAA, which FTC officials said constitutes a deceptive and unfair business practice.
Along with the $1.5 million penalty, the FTC’s proposed order would permanently ban GoodRx from disclosing user health data to third parties for the purposes of advertising.
It would require GoodRx to get users’ affirmative consent before sharing their data for any other reason. Consent needs to be clear, conspicuous and easily understandable, and issued separately from a privacy policy or terms of service, FTC officials said.
The order would also limit how long GoodRx can retain users’ information, and require GoodRx to direct third parties to delete users’ health data that was shared with them.
GoodRx says the data-sharing issue was addressed almost three years ago, before the FTC inquiry began, and that it agreed to the settlement to avoid the time and expense of litigation.
“We do not agree with the FTC’s allegations and we admit no wrongdoing,” a spokesperson told Healthcare Dive.
The Biden administration has been more aggressive in regulating data sharing than past regimes. Enforcement has ramped up even further since the Supreme Court last summer overturned the constitutional right to an abortion, resulting in concerns that data could be used to prosecute people who receive or help facilitate abortions.
In August, the FTC sued data broker Kochava for selling geolocation data for hundreds of millions of mobile devices that could be used to track consumers’ physical locations, including to and from sensitive areas like reproductive health clinics.
Since the Supreme Court’s decision, a number of data brokers and tech companies have announced plans to stop selling access to geolocation data around reproductive health clinics or other sensitive areas, including data brokers SafeGraph and Placer.ai. Meanwhile, Google pledged to automatically delete location data showing whether consumers visited an abortion clinic.
But some advocates argue tech giants aren’t doing enough to protect consumers. In November, 10 state attorneys general asked Apple to enact stricter privacy controls for third-party apps on its app store that collect sensitive medical information.
And it could soon become more difficult to collect, analyze and profit from Americans’ information. The FTC proposed rulemaking last summer to enact stronger protections for Americans’ data privacy by cracking down on businesses that collect and sell consumer data.
The agency has received more than 11,000 comments on the proposal to date.
Editor’s Note: This story has been updated to include comments from GoodRx.