Illustrated by Gabriella Turrisi/Axios
The FTC on Wednesday filed a court order against GoodRx for failing to notify users that it shared personally identifiable health data with Facebook and Google. It said it would permanently ban the company from sharing such information for advertising.
Why it matters: This is the FTC's first enforcement action under the Health Breach Notification Rule, which requires companies to notify users if their health data is compromised and includes several safeguards aimed at protecting consumer data.
- At a press conference about the order, an FTC official said, “We’re making it clear that apps that violate this rule must be clear to consumers when they inappropriately share sensitive data.”
- Federal court approval is required for the order to take effect.
Zoom in: The health data GoodRx shares with technology companies includes personally identifiable data about users’ prescriptions and health conditions. Per the complaint:
- In August 2019, GoodRx compiled a list of users who had purchased heart and high blood pressure medications and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook to identify their profiles.
- GoodRx then used that information to target users with relevant ads.
Details: A court order filed by the Department of Justice on behalf of the FTC in the Northern District of California found that GoodRx shares data with companies including Facebook, Google, Criteo, Branch and Twilio. According to the order, GoodRx:
- Monetized its users’ personal health data to target them with health- and medication-specific ads on Facebook and Instagram.
- Allowed the third parties with which it shared data to use the information for research, development or advertising purposes without users’ consent.
- Misrepresented its HIPAA compliance and displayed a seal at the bottom of its telemedicine site that falsely suggested it was compliant with the law.
- Failed to maintain adequate policies or procedures to protect users’ personal health information.
State of play: GoodRx, a provider of prescription discount coupons and telemedicine services, lets users store and track personal health data and receive alerts on prescriptions, refills, pricing and drug purchase history.
- According to the complaint, the company collects data from its users and pharmacy benefit managers (PBMs) to confirm that someone used one of its coupons to purchase a prescription drug.
- According to the complaint, more than 55 million consumers have visited or used GoodRx’s website or mobile app since January 2017.
What they say: A GoodRx spokesperson told Axios that the order “focuses on old issues that were actively addressed almost three years ago” and disagreed with the allegations.
- “We do not condone any wrongdoing,” the spokesperson said. “By entering into a settlement, we can avoid the time and expense of lengthy litigation.”
- “Today’s health data isn’t just what doctors keep in files behind their desks,” an FTC official said at a briefing. It reflects.”
- “We expect this to have a significant impact on the market,” the official added.
Flashback: In 2021, the FTC issued a warning that health apps and other apps that collect or use consumer health information must comply with the Health Breach Notification Rule.
- “We are showing the market that we intended to do business when we issued our policy statement,” an FTC official said.
What’s next: In addition to imposing a $1.5 million civil penalty on GoodRx and prohibiting it from disclosing users’ health information in its ads, the order requires the company to:
- Direct third parties to delete shared consumer health data and notify users of violations and FTC enforcement actions.
- Obtain user consent before sharing health data with third parties for purposes other than advertising, and detail the types of health information it discloses to third parties.
- Limit how long personal health information can be retained.
- Create a privacy program that includes safeguards to protect such data.
Of note: The order is binding only on GoodRx, but companies that received the data, including Facebook, “have been notified that they were receiving illegally collected data,” another FTC official said.
This story has been updated to include the company’s comments.