The Federal Trade Commission has fined online retailer GoodRx $1.5 million for sharing its customers’ private information with Google, Facebook, and other parties without permission. GoodRx also agreed to an unprecedented settlement that will prevent the company from sharing consumer health information with third parties for marketing purposes. The FTC’s complaint comes after an investigation by Consumer Reports and Gizmodo first discovered in 2020 that GoodRx illegally shared its customers’ personal information with more than 20 companies.
In a complaint filed by the Department of Justice on Wednesday, the FTC accuses GoodRx of violating its privacy promises and the FTC’s Health Breach Notification Rule by failing to notify users of its services that their medical information, such as their illnesses and medications, was disclosed to advertising companies and third-party platforms.
The complaint alleges that GoodRx has shared consumer health information with Facebook, Google, Criteo, Branch, and Twilio since at least 2017, despite promising users that their information would not be shared with advertisers or third parties. This information was allegedly used to target GoodRx users with personalized drug and health-related ads on Facebook and Instagram. The complaint also alleges that the online store misrepresented its HIPAA compliance.
GoodRx did not admit any wrongdoing in its statement in response to the FTC, saying it agreed to the settlement to “avoid time and waste of time.”
“We used marketing technologies to advertise in a way that we believe complies with all applicable laws and practices on many health, consumer and government websites,” GoodRx said. The online retailer also says the settlement focuses on “an old issue that was quickly addressed three years ago,” before the FTC inquired. However, Gizmodo says The Markup’s Blacklight tool shows that GoodRx.com has continued to share consumer information with advertising companies and has added advertising partners since the initial investigation in 2020.
The FTC rule is still subject to court approval, but if passed, it could have a significant impact on the legality of advertising in the health and medical industry.
“Health apps and websites have been sharing our information for years with no results,” said Justin Brookman, director of technology policy at Consumer Reports (via The Independent). “This case needs to change dramatically – now companies need to understand that sharing customer information without express consent will lead to investigations and fines.”
The practice of sharing data with third parties without consent is very common in healthcare programs and services. However, this is the first case in which the FTC intends to enforce the Health Breach Notification Rule since the rule was enacted in 2009. The rule mandates that companies notify consumers of unauthorized access to their health records. The FTC previously said the Health Breach Notification Rule could also apply to consumer technology not covered by HIPAA, such as fitness trackers and health or nutrition apps.
“Electronic health companies and mobile apps should not include sensitive consumer information,” said Samuel Levine, director of the FTC’s Consumer Protection Bureau. “The FTC is giving notice that it will use its best efforts to protect the privacy of American consumers from misuse and abuse.”