The Federal Trade Commission has issued a $1.5 million fine against online pharmacy and telehealth provider GoodRx for allegedly sharing its customers’ private health data with Google, Facebook and other third parties without consent. GoodRx also agreed to an unprecedented provision that will prohibit the company from further sharing consumer health data with third parties for advertising. The FTC’s complaint comes after an investigation by Consumer Reports and Gizmodo first discovered in 2020 that GoodRx was non-consensually sharing its customers’ private health information with more than 20 companies.
In a complaint filed Wednesday by the Department of Justice, the FTC accuses GoodRx of violating its privacy promises and the FTC’s health breach notification rule by not notifying those who use its services that their private health information, such as their own medical conditions and prescription medications, was disclosed to advertising companies and third-party platforms.
The complaint alleges that GoodRx has shared consumer health data with Facebook, Google, Criteo, Branch and Twilio since at least 2017, despite promising users that their information would never be disclosed to advertisers or other third parties. This information would be used to target GoodRx users with personalized ads specific to their medications and health on Facebook and Instagram. The complaint also alleges that the online pharmacy falsely represented its HIPAA compliance.
GoodRx admitted no wrongdoing in its filing in response to the FTC, saying it agreed to the settlement to “avoid the time and expense of protracted litigation.”
“We had been using vendor technologies to advertise in a manner that we believe complies with all applicable regulations and remains common practice among many health, consumer and government websites,” said GoodRx. The online pharmacy also says the settlement focuses on “an old issue that was proactively addressed nearly three years ago,” prior to the FTC’s investigation. However, Gizmodo says The Markup’s Blacklight tool shows that GoodRx.com has continued to share consumer information with advertisers and has added new advertising partners since the original survey in 2020.
The FTC’s ruling is still subject to federal court approval, but if it passes, it could have a profound effect on the legality of advertising practices within the healthcare and medical industries.
“Health apps and websites have been feeding our personal data for years without consequence,” said Justin Brookman, director of technology policy at Consumer Reports (via The Independent). “This case should be a game-changer. Companies now need to understand that sharing customer data without clear authorization will lead to investigations and fines.”
The practice of sharing consumer data with third parties without consent is quite common among health apps and services. However, this case marks the first time since it was introduced in 2009 that the FTC has sought to enforce its Health Breach Notification Rule, which requires companies to notify consumers about unauthorized access to their personal health records. The FTC has previously said the Health Breach Notification Rule could also apply to consumer technology that isn’t covered by HIPAA, such as fitness trackers and health or diet apps.
“Digital health companies and mobile apps shouldn’t cash in on consumers’ highly sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Office of Consumer Protection. “The FTC is giving notice that it will use all of its legal authority to protect the sensitive data of American consumers from misuse and illegal exploitation.”