• by Wendy Davis  @wendyndavis, February 1, 2023

The drug discount company GoodRx has agreed to pay $1.5 million, and to refrain from sharing users' health data for ad purposes, to settle allegations that it wrongly disclosed health information, the Federal Trade Commission said Wednesday.

In a complaint filed in U.S. District Court for the Northern District of California, the government alleged that GoodRx “repeatedly violated” promises to “never share personal health information with advertisers or other third parties.”

GoodRx shared “sensitive user information with third-party advertising companies and platforms ... like Facebook, Google, and Criteo, and other third parties like Branch and Twilio,” the complaint alleged.

The data allegedly shared included users' “prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers.”

The complaint, brought by the Justice Department on behalf of the Federal Trade Commission, also alleged that GoodRx used Facebook's ad targeting platform to send ads to users based on their prescriptions and health conditions.

“In one campaign, which GoodRx ran in August 2019, GoodRx compiled lists of its users who had purchased particular medications, uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook to identify their profiles, and labeled them by the medication they had purchased,” the complaint states. “GoodRx then targeted these users with health-related advertisements.”

News of the enforcement action comes amid increasing concern that law enforcement authorities in states that have outlawed abortion will harness digital data to prosecute women seeking abortions.

Samuel Levine, director of the FTC’s Bureau of Consumer Protection, stated Wednesday that the FTC “is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” he stated.

Among other claims, the government alleged that GoodRx deceived consumers by misrepresenting its privacy practices. One of the ways the company allegedly misrepresented those practices was by representing that it complied with the self-regulatory group Digital Advertising Alliance's code, according to the complaint.

“GoodRx has represented, directly or indirectly, expressly or by implication, that GoodRx adheres to the Digital Advertising Alliance’s principles, including its Sensitive Data Principle,” the complaint alleges. “In truth and in fact, GoodRx violated the Digital Advertising Alliance’s Sensitive Data Principle, when it used personal health information to target users with health-related advertisements on the Facebook and Instagram platforms, without obtaining users’ affirmative express consent.”

Another notable claim is that GoodRx violated the Health Breach Notification Rule by failing to inform consumers about the disclosure of identifiable health information.

In 2021, the FTC extended that rule -- which previously covered only vendors of personal health records and their service providers -- to app developers. At the same time, the agency also said that the disclosure requirements would be triggered by any unauthorized disclosures of covered health information.

GoodRx stated that the settlement "focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began."

The company added that it doesn't agree with the allegations and doesn't admit wrongdoing.

"We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations," the company stated.

In addition to the $1.5 million fine and the ban on disclosing health data for ad purposes, the settlement requires GoodRx to obtain users' express consent before disclosing their health data for non-advertising purposes.

Other terms include a requirement that GoodRx direct third parties to delete the consumer health data that was shared, inform consumers about the data sharing, and implement a comprehensive privacy program.