GoodRx will cough up $1.5 million to settle claims it shared people's health information with Facebook, Google, and other third parties.

According to America's Federal Trade Commission (FTC), the discount prescription drug app broke the watchdog's Health Breach Notification Rule by breaking a promise to not share personal health info with the likes of Facebook and Google; used that info to target ads; failed to limit web giants' use of this data; and more.

We're told that this is the first time the FTC has gone after an org regarding this breach rule, introduced more than a decade ago.

In settling these claims, GoodRx also agreed to ensure there will be no sharing of user health data with third parties for advertising purposes, to get consent before sharing this private info with third parties, among other undertakings.

To put the $1.5 million bill in context: GoodRx's 2021 revenue was $745.4 million, resulting in a $25 million loss [PDF]. It's scheduled to report its full-year 2022 revenue later this month.

GoodRx, in a statement, maintained that it was in compliance with the law and that its use of Facebook et al's technology on its pages "remains common practice among many health, consumer and government websites." 

We do not agree with the FTC's allegations and we admit no wrongdoing

"We do not agree with the FTC's allegations and we admit no wrongdoing," the company added. "Entering into the settlement allows us to avoid the time and expense of protracted litigation." 

GoodRx is "glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare."

Your prescriptions are valuable in more ways than one

The California-based health company offers prescription drug discounts, telehealth visits, and other services across its GoodRx and HeyDoctor websites. This all collects a ton of personal and health data from users who provide their information, and also from pharmacy managers who confirm when someone buys medication using a GoodRx coupon.

According to the FTC, more than 55 million folks have visited or used GoodRx's website or mobile apps since 2017.  

Here's what the digital health company did wrong with all of that sensitive data, at least according to the watchdog's complaint [PDF].

User privacy? Or advertising dollars?

Beginning in 2017 or earlier, and after "promising" its users that it would only share personal details with limited parties for limited purposes - and never share health information with advertisers or other third parties - GoodRx went ahead and did all of these things it explicitly promised not to do, the FTC said.

GoodRx shared sensitive user info with Facebook, Google, Criteo, Branch, and Twilio, among others, according to the FTC complaint. This included users' prescription medications, health conditions, personal contact information, and unique advertising and persistent identifiers.

Specifically, the FTC accused GoodRx of embedding tracking pixels and software development kits (SDKs) from Facebook et al in its websites and apps. These trackers collected user data, and then sent this private info back to third parties, which was used for advertising, data analytics and other business purposes, it is said. 

Facebook and the like apparently profited from the data - and advertising dollars - while consumers remained unaware that GoodRx was sharing this health info without their consent.

Meanwhile, it'sclaimed, GoodRx also profited from the information it shared with Facebook, and used this information to target specific consumers with health-related ads, according to the complaint:

In addition to paying $1.5 million and agreeing to never share health data for ads, a proposed court order [PDF] also requires GoodRx to direct third parties to delete all the health data it is said to have shared with them, tell customers about the breaches and FTC enforcement action, limit how long it can retain personal and health data and post this retention schedule, and put in place a better privacy program that protects consumer data.

Who will be next?

"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said this week.

"The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." 

In other words: GoodRx isn't the only company in the agency's crosshairs. If the FTC doesn't go after companies sharing sensitive data via mobile apps, there's a good chance that California prosecutors will.

California's attorney general has put mobile app developers on notice: comply with the state's privacy laws and consumer opt-out requests, or get ready to pay.

In the state's latest "investigative sweep," California Attorney General Rob Bonta sent letters to businesses with mobile apps that allegedly ignore consumer opt-out requests or sell users' data, despite the California Consumer Privacy Act (CCPA) protections. ®

https://www.theregister.com//2023/02/02/ftc_goodrx_enforcement/