The Federal Trade Commission Accuses GoodRx Of Multiple Data Sharing Fails, Demands It Pay $1.5 Million Fine and Make Reforms

The Federal Trade Commission has cited telehealth and prescription drug discount provider GoodRx for sharing sensitive consumer health data with several advertising platforms, in violation of its own privacy promises to consumers.

The agency has filed a proposed order demanding that GoodRx pay $1.5 million in civil penalties for failing to let consumers know about unauthorized disclosures of their data to a list of advertiser platforms, including Facebook and Google.

The company, which is based in California, operates a digital health platform offering prescription drug discounts, telehealth visits and other health services. It captures a wide range of data from consumers who use its services as well as data from pharmacy benefit managers who get involved when consumers use GoodRx coupons. More than 55 million consumers have visited or used GoodRx’s website or mobile apps since 2017.

According to the FTC, GoodRx has been funneling personal health information from these consumers to advertising companies and platforms such as Facebook, Google and Criteo, along with other third parties such as Branch and Twilio. In addition to making the data available for advertising purposes, it also allowed third parties to use this information internally to conduct research and development or improve advertising.

This news comes at an especially bad time for Meta, the company behind Facebook, which is coping with a fusillade of accusations that it has been engaged in improper collection and sale of sensitive patient health information.

Not only did GoodRx share the data without permission from consumers, it also failed to report these unauthorized data sharing efforts to federal authorities as required by the Health Breach Notification Rule, according to the FTC’s complaint.

Since September 2021, when the FTC issued a policy statement on the subject, companies that use health apps or other means to collect and use consumer health information need to notify consumers, the FTC and the media about any unauthorized disclosure of individually identifiable health information to their partners.

In addition, GoodRx misled consumers in several ways when it came to its privacy practices. For example, the company displayed a seal at the bottom of its telehealth services homepage which falsely suggested that it complied with HIPAA.

What’s more, the company never put adequate policies to protect personal health information into place, according to the proposed settlement. Until February 2020, when a consumer watchdog group shined a spotlight on its practices, GoodRx apparently had no sufficiently formal written privacy policies in place, nor any compliance programs.

To address the FTC’s objections, GoodRx will have to accept being permanently banned from sharing user health information with applicable third parties for advertising purposes. GoodRx will also need to ask third parties to delete the consumer health data it shared with them, as well as inform consumers about the breaches and the FTC’s response.

In addition, GoodRx will be required to create a data retention schedule spelling out the limits on how long it can retain personal health information. The company will be required to post that retention schedule publicly and explain what information it collects and why this data collection is necessary.

Finally, the company will be required to put a comprehensive data privacy program in place which provides strong safeguards to protect consumer data.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.
