Consumer-focused digital healthcare platform GoodRx failed to notify users that it sold their personal health information to Google, Facebook and other tech companies, the Federal Trade Commission alleged on Wednesday.
On behalf of the FTC, the Department of Justice filed an order that prohibits GoodRx from sharing its users’ data with third parties for advertising purposes. In the complaint, the FTC claimed that GoodRx violated the FTC Act and failed to honor its privacy policies, and the agency imposed a $1.5 million penalty on the company. GoodRx agreed to pay the settlement but did not admit to wrongdoing.
More than 55 million people have visited GoodRx’s website and mobile apps since January 2017, and the company regularly collects personal and health information about these users. This information is gathered from the users themselves as well as from pharmacy benefit managers, which let the company know when a patient purchases a medication using a GoodRx coupon.
GoodRx promised its users that it would only share their personal information with third parties for limited purposes. The company also told its users it would restrict third parties’ use of such information, and it promised to never share users’ health information with advertisers or other third parties, the FTC said.
The complaint asserted that GoodRx “repeatedly violated these promises” by sharing users’ information with advertising companies such as Google, Facebook and Criteo, as well other third party tech platforms like Branch and Twilio. The company shared its users’ prescriptions, health conditions, contact information and mobile advertising IDs with these third parties without notifying its users or obtaining their consent, according to the complaint.
GoodRx also used the data that it shared with Facebook to target GoodRx users with personalized ads on Facebook and Instagram, the FTC alleged. These ads were tailored to users’ individual health conditions.
In its complaint, the FTC cited an example from 2019 in which GoodRx compiled lists of its users who had bought particular medications, such as those treating heart disease and blood pressure. GoodRx then uploaded these users’ email addresses, phone numbers and mobile advertising IDs to Facebook so the tech giant could identify their profiles and target them with healthcare advertisements, the FTC claimed.
The complaint also claimed that GoodRx shared user data with third parties so they could improve their own operations. For example, GoodRx would allow third parties to use the user data it shared with them for research and development or to improve their advertising strategy, the FTC alleged.
The FTC’s order against GoodRx is the first enforcement action the agency has exercised for its Health Breach Notification Rule. which requires vendors of personal health records to notify users and the FTC when data is being shared without users’ consent or knowledge.
The order — which must be approved by the federal court before it goes into effect — not only seeks to ban GoodRx from sharing user data with advertisers, but it also requires the company to direct third parties to delete the user data it shared with them.
Under the proposed order, GoodRx agreed to pay a $1.5 million penalty for failing to report its leakage of user data to third parties. But GoodRx denied wrongdoing in a statement posted to its website on the same day the FTC issued its complaint.
“We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations,” GoodRx said.
Photo: marchmeena29, Getty Images
