• by Wendy Davis  @wendyndavis, July 10, 2023

Drug discounter GoodRx along with Google, Meta and Criteo are urging a federal judge to dismiss a class-action privacy complaint stemming from allegations that GoodRx wrongly shared consumers' health information with the tech companies for ad purposes.

GoodRx argues in papers filed Friday that it informed consumers about data sharing, and that people consented to share their information in exchange for coupons.

“GoodRx expressly disclosed in its privacy policy and terms of use that it shared personal information and browsing data with Facebook, Google, and other third parties for advertising and other purposes,” GoodRx says in a motion asking U.S. District Court Judge Araceli Martínez-Olguín in San Francisco to throw out the case.

GoodRx elaborated that its privacy policy specifically said the company could use tracking technologies including cookies, tags and pixels to collect personal information that would “assist Google, Facebook, other third parties, or GoodRx” with advertising.

“Users consented to provide certain information ... to GoodRx and its vendors; in exchange, GoodRx provided the users with valuable drug pricing information, coupons, and (for GoodRx Care users) access to discounted telehealth services,” the company writes.

Google, Meta and Criteo filed separate motions asking Martínez-Olguín to dismiss the lawsuit.

The companies' papers come in response to a class-action complaint brought by GoodRx users in February, soon after the Federal Trade Commission unveiled an enforcement action against the company. The FTC said GoodRx “repeatedly violated” promises to “never share personal health information with advertisers or other third parties.”

Among other allegations, the FTC said GoodRx shared sensitive information -- “prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers” -- with third-party ad companies.

GoodRx settled that matter by agreeing to pay $1.5 million, to refrain from sharing users' health data for ad purposes, and to obtain people's express consent before disclosing their health data for non-advertising purposes.

GoodRx said at the time that it didn't agree with the allegations. It also didn't admit wrongdoing. The company added that the settlement focused on “an old issue that was proactively addressed almost three years ago, before the FTC inquiry began."

The class-action complaint by consumers includes claims that GoodRx violated various state consumer protection laws by allegedly misrepresenting its policies regarding data. For instance, the consumers alleged that between October 2017 and March 2019, GoodRx's privacy policy contained the statement, “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.”

GoodRx counters that the consumers' don't specify when or where they saw that statement. GoodRx also says the consumers don't say how they relied on the statement, adding that the same privacy policy said the company would share people's personal information with Google, Facebook and other companies.

In addition to arguing that consumers consented to any data disclosures, GoodRx also says the users who sued can't prove any injury, and therefore lack “standing” to proceed in federal court. What's more, the company argues, some of the users who used GoodRx's coupons “very likely saved money through the free service.”

The complaint also claims the tech companies violated consumers' privacy by engaging in “intrusion upon seclusion” -- a broad concept that allows people to hold companies liable for “highly offensive” conduct that infringes privacy.

Criteo argues the complaint “makes only vague and factually unsupported allegations about Criteo’s business generally,” and also that it “fails to allege Criteo took any consumer-facing acts or established any practice, let alone a deceptive one.”

The company writes: “The complaint contains no facts to plausibly indicate that Criteo even received data from GoodRx -- no facts to indicate that the unspecified Criteo technology worked and was configured in such a way to send any data, or any particular data, to Criteo, or that any data sent to Criteo (if any was sent) was actually sensitive, or that it could be linked to plaintiffs individually.”

Meta says in its new papers that it doesn't want to receive sensitive health information from publishers, and contractually bars developers from sending that type of data. The company also says it has a system to filter out sensitive health data.

Meta also argues it shouldn't be responsible for “GoodRx’s alleged misuse” of a tracking technology, adding that the consumers consented to GoodRx's practices.

Google makes a similar argument, adding that it prohibits targeted advertising based on health conditions.

“Plaintiffs do not identify any fact that would make it plausible that Google served any ads based on data entered by plaintiffs on the GoodRx platforms,” the company writes.