
GoodRx has been selling personal health information to Google, Facebook, and other tech companies without notifying users about it. And so they got an order from the FTC prohibiting the company from doing so for advertising purposes. GoodRx will also have to direct third parties to delete the user data it shared with them.
Furthermore, the company will have to pony up a $1.5 million penalty; it agreed to pay the settlement but did not admit to wrongdoing. And, we would add, neither did Google nor Facebook, both of which already have a ton of data about almost all of us. But that, apparently, is not enough — they want more and more.
The settlement still has to be approved by the federal court before it goes into effect, though.
In the complaint, the FTC claimed that GoodRx violated the FTC Act and failed to honor its privacy policies.
It is estimated that over 55 million people have visited GoodRx’s website and mobile apps since January 2017, and the company regularly collects personal and health information about these users. This information is gathered from the users themselves as well as from pharmacy benefit managers, which inform the company when a patient purchases a medication using a GoodRx coupon.
The FTC claims that GoodRx told its users that it would only share their personal information with third parties for limited purposes. The company also said it would restrict third parties’ use of such information, and it promised never to share users’ health information with advertisers or other third parties.
The complaint asserted that GoodRx “repeatedly violated these promises” by sharing users’ details with companies such as Google, Facebook, and Criteo, as well as other third-party tech platforms like Branch and Twilio. Specifically, GoodRx shared its users’ prescriptions, health conditions, contact information, and mobile advertising IDs without notifying its users or obtaining their consent.
Additionally, GoodRx used the data that it shared with Facebook to target GoodRx users with personalized ads on Facebook and Instagram, the FTC alleged. These ads were tailored to users’ individual health conditions.
The FTC cited an example from 2019 in which GoodRx compiled lists of its users who had bought particular medications, like those used for treating heart disease and blood pressure. GoodRx then uploaded these users’ email addresses, phone numbers, and mobile advertising IDs to Facebook so they could be identified and targeted with healthcare advertisements, the FTC claimed.
As if that weren’t enough, GoodRx shared user data with third parties so they could improve their own operations. For instance, GoodRx would allow third parties to use the user data it shared with them for research and development or to improve their advertising strategy.
The FTC’s order against GoodRx is the first enforcement action the agency has taken under its Health Breach Notification Rule, which requires vendors that host personal health records to notify users and the FTC when that data is being shared without users’ consent or knowledge.
Again, GoodRx denied wrongdoing. “We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation,” the company wrote in a statement. “We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”
Sure, it’s business as usual, or is it? Way to go, FTC; now, if you could enforce more such actions, that would be a blast. 😉