Health Tech, Legal

GoodRx Illegally Sold Users’ Data to Google & Facebook, FTC Says

GoodRx failed to notify users that it sold their personal health information to Google, Facebook and other tech companies, the FTC claimed. The agency filed an order that prohibits GoodRx from sharing its users' data with third parties for advertising purposes and requires the company to pay a $1.5 million penalty. GoodRx agreed to pay the settlement but did not admit to wrongdoing.

smartphone, data,

Consumer-focused digital healthcare platform GoodRx failed to notify users that it sold their personal health information to Google, Facebook and other tech companies, the Department of Justice, acting on behalf of the Federal Trade Commission (FTC) alleged on Wednesday.

To settle the case, GoodRx agreed to pay a $1.5 million penalty for failing to report its leakage of user data to third parties, but did not admit to wrongdoing. The settlement—which must be approved by the federal court before it goes into effect— bans GoodRx from sharing user data with advertisers and requires the company to direct third parties to delete the user data it shared with them.

In the complaint, the FTC claimed that GoodRx violated the FTC Act and failed to honor its privacy policies.

More than 55 million people have visited GoodRx’s website and mobile apps since January 2017, and the company regularly collects personal and health information about these users. This information is gathered from the users themselves as well as from pharmacy benefit managers, which let the company know when a patient purchases a medication using a GoodRx coupon.

GoodRx promised its users that it would only share their personal information with third parties for limited purposes. The company also told its users it would restrict third parties’ use of such information, and it promised to never share users’ health information with advertisers or other third parties, the FTC said.

The complaint asserted that GoodRx “repeatedly violated these promises” by sharing users’ information with advertising companies such as Google, Facebook and Criteo, as well other third party tech platforms like Branch and Twilio. The company shared its users’ prescriptions, health conditions, contact information and mobile advertising IDs with these third parties without notifying its users or obtaining their consent, according to the complaint.

GoodRx also used the data that it shared with Facebook to target GoodRx users with personalized ads on Facebook and Instagram, the FTC alleged. These ads were tailored to users’ individual health conditions.

In its complaint, the FTC cited an example from 2019 in which GoodRx compiled lists of its users who had bought particular medications, such as those treating heart disease and blood pressure. GoodRx then uploaded these users’ email addresses, phone numbers and mobile advertising IDs to Facebook so the tech giant could identify their profiles and target them with healthcare advertisements, the FTC claimed.

The complaint also claimed that GoodRx shared user data with third parties so they could improve their own operations. For example, GoodRx would allow third parties to use the user data it shared with them for research and development or to improve their advertising strategy, the FTC alleged.

The FTC’s order against GoodRx is the first enforcement action the agency has exercised for its Health Breach Notification Rule, which requires vendors of personal health records to notify users and the FTC when data is being shared without users’ consent or knowledge.

GoodRx denied wrongdoing in a statement posted to its website on the same day the FTC issued its complaint.

“We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations,” GoodRx said.

Photo: marchmeena29, Getty Images

Shares1

This article is featured in the Healthcare Docket newsletter, a partnership between Breaking Media publications MedCity News and Above the Law.

Enter your email address to subscribe.

Shares1