The US Federal Trade Commission has fined online pharmacy and telemedicine provider GoodRx $1.5 million for sharing customers’ personal health data with Google, Facebook and other third parties without consent. GoodRx has further agreed to unprecedented provisions that prohibit the company from sharing consumer health data with third parties for advertising purposes. The FTC’s complaint follows a 2020 investigation by Consumer Reports and Gizmodo that first discovered GoodRx was sharing its customers’ personal health information with over 20 companies without their consent.
In a complaint filed by the Department of Justice on Wednesday, the FTC accused GoodRx of violating its privacy commitments and the FTC’s Health Breach Notification Rule by disclosing the personal health information of people who use its services, such as medical conditions and prescriptions, to pharmaceutical companies, advertising companies and third-party platforms.
This is a really big case. Over the years we have been reading stories of health apps sharing data with G/FB/data brokers.
In this case, the FTC says apps that share personal health data without explicit permission violate health breach notification rules. https://t.co/UCAQXkWN1D
— Justin Brookman (@JustinBrookman) February 1, 2023
The complaint alleges that GoodRx has shared consumer health data with Facebook, Google, Criteo, Branch and Twilio since at least 2017, despite promising users that their information would never be disclosed to advertisers or other third parties. This information was allegedly used to target GoodRx users with personalized drug- and health-specific ads on Facebook and Instagram. The complaint also alleges that the online pharmacy misrepresented its HIPAA compliance.
GoodRx admitted no wrongdoing in a statement responding to the FTC, claiming that it had agreed to a settlement “to avoid the time and cost of lengthy litigation.”
“We used our vendor technology to advertise in a way that we believe complies with all applicable regulations and remains common practice on many health, consumer and government websites,” said GoodRx. The online pharmacy claims the agreement focuses on “a long-standing problem that was preemptively resolved nearly three years ago,” prior to the FTC’s investigation. However, Gizmodo reports that The Markup’s Blacklight tool shows GoodRx.com has continued to share consumer information with advertisers and has added new advertising partners since the initial investigation in 2020.
As of last night, @ToddFeathers and @varlogsimon confirmed that GoodRx is still sending health data to a Google-owned advertising platform.
The screenshot below shows the drug’s name, dose and order quantity being sent to Google Ads. ⬇️ pic.twitter.com/EHWlYswiYm
— The Markup (@themarkup) February 1, 2023
The FTC’s order still needs to be approved by a federal court, but if approved, it could have significant implications for the legality of advertising practices within the health and medical industry.
“Health apps and websites have provided our personal data for years without consequences,” said Justin Brookman, Director of Technology Policy at Consumer Reports (via The Independent). “This incident should be a turning point. Companies now need to understand that sharing customer data without explicit permission will result in an investigation and fines.”
The @FTC order against @GoodRx completely prohibits the future sale of user health data to third parties. This is the kind of behavior-altering remedy that has been hard to come by in past cases (and why unfairness can be such a powerful tool). https://t.co/kv3i3leRP6
— Ben Rossen (@benrossen) February 1, 2023
The practice of sharing consumer data with third parties without consent is widespread among health apps and services, but this case is the first time the FTC has enforced its Health Breach Notification Rule since the rule was introduced in 2009. The rule requires that consumers be notified of unauthorized access to their personal health records. The FTC has previously said the rule may also apply to consumer technology that is not subject to HIPAA, such as fitness trackers and health or diet apps.
“Digital health companies and mobile apps should not make money off consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its statutory powers to protect U.S. consumers’ sensitive data from misuse and illegal exploitation.”