Online pharmacy GoodRx has agreed to pay $1.5 million in civil penalties for years of sharing the health information of consumers with third parties like Facebook, Google and Criteo for advertising purposes, the Federal Trade Commission said Wednesday.
In a complaint filed in a California federal court, the FTC accused the healthcare and telemedicine giant of failing to notify consumers that their personal health information — collected while using its website and services — would be shared with third parties.
The FTC said GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” but “repeatedly violated this promise,” including by monetizing the data it collected to serve its own users health- and medication-specific ads. The FTC said that GoodRx has been doing this “for years.”
TechCrunch reached out to GoodRx for comment, and the company responded:
“At GoodRx, protecting our users’ privacy is one of our most important priorities. We are thoughtful and disciplined about what information we gather and how and why we use it. The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began,” said a spokesperson. “We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.” You can read more of the response here.
This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, a decade-old rule that had never been enforced until today.
GoodRx is a prime example of how the rule might be violated, but with the proliferation of online healthcare services in recent years, boosted in particular by the arrival of the COVID-19 pandemic, there are signs that we may start to see more enforcement of the rule.
The FTC warned as recently as 2021 (and laid out that warning more formally a year ago) that the rule also applies to app developers and fitness device makers, and that it would take action against companies that fail to tell consumers that their health data would be shared for advertising or user analytics.
The rule is particularly important given that ever more healthcare services are coming online. Just last week, Amazon launched RxPass, a Prime add-on that lets people fill all of their prescriptions for a set of conditions using generic prescription drugs for one flat monthly fee. TechCrunch has asked Amazon to specify its own policies for customer data and will update this post with any response.
‘Do not cash in on extremely sensitive health information’
According to the FTC’s complaint, GoodRx was sharing the names of medications and associated health conditions that users were searching on GoodRx with adtech players like Meta, Google and Criteo, which manage billions of dollars of advertising not just on platforms like Google.com, Facebook and Instagram, but on other sites and apps as well.
An FTC official told reporters on a call Tuesday that some of this information contained sensitive details about people’s health conditions.
The FTC also said GoodRx compiled lists of its users who bought certain medications, specifically for heart disease and blood pressure, and uploaded their email addresses, phone numbers and pseudonymized device advertising IDs to Facebook so that GoodRx could identify who they were and target them with health-related advertisements.
The agency also accused GoodRx of “falsely suggesting” to consumers that the company was compliant with the U.S. health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). The FTC official said consumers were misled into thinking their data was protected when much of GoodRx’s business was not covered by the law.
Under the order, GoodRx will be banned from disclosing users’ health information to third parties for advertising purposes. It will also be required to limit how long it retains personal and health information “according to a data retention schedule,” and it must detail to users what it collects and why. It also needs to implement a privacy program to protect consumers’ data in the future.
The FTC will also require GoodRx to seek the deletion of data by contacting the companies with which it shared users’ data. But the FTC official conceded that its enforcement action binds only GoodRx and does not compel the companies that received the data to comply with the deletion request. GoodRx must also establish a comprehensive privacy program and “conspicuously” detail what data it will disclose to third parties.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, the director of the FTC’s consumer protection bureau, in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
Much of GoodRx’s tracking behavior — as described by the FTC — was first revealed by Gizmodo in 2020. Some 55 million consumers have visited GoodRx’s website since 2017.
The FTC’s order is subject to approval by the federal court.
Updated with response from GoodRx.