US FTC takes action against GoodRx for sharing sensitive health info

The US Federal Trade Commission (FTC) moved ahead with the action, after it accused GoodRx of failing to notify consumers and others of its unauthorized disclosures of personal health information to Facebook, Google, and other companies.

For its part, GoodRx denied any wrongdoing and stated that it had entered into the settle to “avoid the time and expense of protracted litigation.”

In further comment, the company stated that the issues raised by the FTC had been addressed “almost three years ago”, before the current inquiry began. Explaining, “While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices.”

However, as a result of the action by the FTC, GoodRx will pay a $1.5m (€1.37m) civil penalty for violating rules on sharing user health data. The company will also be prohibited from sharing user health data with applicable third parties for advertising purposes in the future.

Misuse and illegal exploitation protection

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

GoodRx is a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company is able to collect personal and health information about its users when a consumer purchases a medication using a GoodRx coupon. According to the FTC, more than 55 million consumers have visited or used GoodRx’s website or mobile apps.

On its website, the FTC listed​ the ways in which it claims GoodRx violated the FTC act. Primarily, the company share health information with Facebook, Google, Criteo, and others, since at least 2017. Further, the commission outlined that GoodRx had “deceptively promised its users that it would never share personal health information with advertisers or other third parties.”

The FTC added that the company used personal health information to targets its user with ads, effectively monetizing its users’ personal health information. Other issues included GoodRx failing to limit third-party use of personal health information, misrepresenting its HIPAA compliance, and failing to implement policies to protect personal health information.