FTC and GoodRX Settle Complaint Around Health Breach Notification Rule


The Federal Trade Commission (FTC) has taken the first enforcement action under its Health Breach Notification Rule.

The proposed order bars digital health platform GoodRX from sharing consumers’ health information for advertising and fines the firm $1.5 million for not reporting its unauthorized disclosure of the data to Facebook, Google and other companies, the FTC said in a Wednesday (Feb. 1) press release.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” FTC Bureau of Consumer Protection Director Samuel Levine said in the release. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

The Health Breach Notification Rule requires vendors of personal health records and other entities to notify customers, the FTC and occasionally the media when data is acquired without customer permission.

GoodRX said in a Wednesday blog post that it does not agree with the allegations, admits no wrongdoing and entered into the settlement to avoid protracted litigation.

The company said in the post that it addressed the issue in 2020, before the FTC inquiry began, by removing Facebook JavaScript tracking pixels and adding new ways for consumers to protect their privacy.

It also said in the post that Facebook tracking pixels are widely used, that no medical records were shared and that the settlement with the FTC will not require any significant changes to its current practices or products.

“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices,” GoodRX said in the post. “We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare.”

The FTC’s proposed order, which must be approved by a federal court, prohibits GoodRX from sharing health data with third parties for advertising purposes and requires it to obtain users’ consent before sharing data for any other purpose. It also requires the company to direct third parties to delete the data that was shared with them, limit its retention of data and implement a privacy policy, according to the press release.