By Sheila Sokolowski, Kate Black, and Mason Fitch

On February 1st, 2023, the Federal Trade Commission (FTC) issued a proposed order against GoodRx Holdings, Inc. (GoodRx), a digital health platform, for allegedly violating Section 5 of the FTC Act by making deceptive statements about its sharing of health data. In addition, in its first enforcement action under a decade-old Health Breach Notification Rule, the FTC alleged that GoodRx failed to notify its users of the unauthorized disclosure of their health data to advertising platforms. The Department of Justice filed the order along with a complaint on behalf of the FTC in California federal court. GoodRx subsequently agreed to the FTC’s stipulated order.

GoodRx’s Sharing User Health Data with Advertising Platforms and Other Web Tools and Other Section 5 Violations

In its complaint against GoodRx, the FTC alleged that GoodRx violated Section 5 of the FTC Act by promising its users that it would never share health data with advertisers or other third parties and then, contrary to those promises, shared that data with advertising platforms such as Facebook, Google, Criteo, and other third-parties. According to the FTC, GoodRx integrated tracking tools from these third parties into its websites and mobile app. These tracking tools included pixels and other automated trackers that collected and sent data to these third parties for advertising, data analytics, and other business services. The information sent included users’ contact information, persistent identifiers, location information, and information about users' activities on the website or mobile app (Events Data).

The FTC alleged that the Events Data shared by GoodRx with the advertising platforms included both standard events – routine functions such as the launch of the mobile app – and custom events that had customized names. According to the FTC, rather than giving custom events non-descriptive names such as “event_1,” GoodRx chose descriptive names that conveyed health information such as “drug name,” with the result that each time GoodRx shared a custom event with an advertising platform it was sharing a user’s health data. GoodRx also used Facebook’s digital advertising tools and ad-targeting features to create “custom audiences” for health-related advertisements for GoodRx’s services. These custom audiences were created by combining users’ medication or health condition-specific Events Data with their email addresses, phone numbers, and mobile identifiers to identify users with Facebook and Instagram accounts.

GoodRx’s other alleged Section 5 violations include failure to maintain sufficient policies and procedures governing privacy and data sharing, falsely claiming compliance with HIPAA by displaying a seal stating “HIPAA Secure. Patient Data Protected” on its website, and falsely claiming compliance with the Digital Advertising Alliance (DAA) principles.  The misrepresentation of its DAA compliance appears to be the first time the FTC has invoked such non-compliance as the basis for a deception claim under Section 5.

GoodRx’s Violation of the Health Breach Notification Rule

The complaint also alleged that GoodRx’s failure to provide the required notifications about these unauthorized disclosures violated the Health Breach Notification Rule. According to the FTC, GoodRx allows its users to manage their health data by tracking their prescriptions, refills, pricing, and medication purchase history, which makes it a vendor of personal health records under the Health Breach Notification Rule. When GoodRx shared its users’ health data with other third-parties it was making an unauthorized disclosure of individually identifiable information and should have notified the affected users, the FTC, and the media about the disclosures, which it did not do.

Permanent Injunction and Other Penalties.

Pursuant to the proposed order, GoodRx, and its officers, agents, employees, and attorneys who receive notice of the order would be permanently enjoined from:

1. disclosing health data to third parties for advertising, and

2. disclosing health data to third parties for non-advertising purposes without first obtaining affirmative express consent.

In addition, GoodRx would be required to provide notice to its users about the unauthorized disclosure of their health data, instruct all third parties who received health information from GoodRx to delete it, implement a comprehensive privacy program, and pay a $1.5 million civil penalty. GoodRx, in response to the FTC announcement, indicated that these were changes the company had already implemented, and the order would not impact its current operations.

Next Steps for Digital Health Platforms

1. Meet with your digital marketing team. Digital health practitioners need to develop strong relationships with front-end product, engineering, and marketing teams to better understand digital data flows and educate these teams on identifying health data.

2. Examine the curation of custom and look-a-like audiences. Work with your marketing team to ensure strong controls are in place to ensure that health data is used in accordance with your privacy policy and other public statements and be sure to account for uses such as the creation or deployment of look-a-like audiences that use health data.

3. Review your privacy notice. The next step is to review the privacy notice(s) for your app and/or website and determine if the notice accurately discloses the uses and disclosures of health data made in connection with any tracking technology, analytics, or other web tool vendors. Develop a plan for corrective action if necessary.

4. Implement a process, with the website management and IT team, for reviewing and implementing new web tool vendors. You should review any new engagement with a web tool vendor prior to engagement to determine the extent to which health data will be shared with that vendor and to ensure you put appropriate controls in place to manage the vendor’s use of health data. Develop naming classification standards for all customizable web elements, such as custom events and URLs, to avoid unnecessary inclusion of sensitive information.

5. Examine and understand the functionality of your website and/or app as it relates to users’ management of their information. If your website or app allows users to draw their health data from multiple sources and manage that information on your website or app, you will be a vendor of personal health records and subject to the FTC’s Health Breach Notification Rule.

FTC’s Enforcement Action Against GoodRx is No Surprise

While the FTC’s action against GoodRx is one of notable firsts – the first enforcement action under the Health Breach Notification Rule and the first proposed order prohibiting a company from sharing users’ health data for advertising purposes – it is not a surprise. In September 2021, the FTC issued a policy statement warning health apps that they must comply with the Health Breach Notification Rule. Additionally, the FTC complaint indicates that it became aware of concerns about GoodRx’s privacy practices based on a 2020 Consumer Reports article that reported the company was sharing health data with Facebook, Google, and other third parties and that Facebook’s own investigation concluded that GoodRx has violated Facebook’s terms, which prohibit the sharing of health data with Facebook.

This decision also comes on the heels of the U.S. Department of Health & Human Services Office for Civil Rights’ (OCR) recent bulletin regarding tracking technology for HIPAA entities, which made clear that the collection and transmission of health information via tracking technology is a violation of HIPAA in certain circumstances. (Read our analysis of OCR’s bulletin here.) Not unlike the FTC’s investigation of Good Rx, OCR’s bulletin followed reporting by the media about hospital websites collecting protected health information via tracking technology.

Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.