GoodRx, a consumer-centric digital healthcare platform, failed to notify consumers that it sold their personal health information to Google, Facebook and other tech companies, the Federal Trade Commission alleged on Wednesday.
On behalf of the FTC, the Department of Justice filed an order that prohibits GoodRx from sharing its users’ data with third parties for advertising purposes. In the complaint, the FTC alleged that GoodRx violated the FTC Act and failed to follow its privacy policies, and the agency fined the company $1.5 million.
More than 55 million people have visited GoodRx’s website and mobile apps since January 2017, and the company regularly collects personal and health information about these users. This information is collected from consumers themselves, as well as from pharmacy benefit managers who notify the company when a patient purchases a drug using a GoodRx coupon.
GoodRx has promised its users that it will only share their personal information with third parties for limited purposes. The company also told its users that it would limit the use of such information by third parties and promised never to share users’ health information with advertisers or other third parties, the FTC said.
The complaint alleges that GoodRx “repeatedly breaks these promises” by sharing consumer information with advertising companies such as Google, Facebook and Criteo, as well as other third-party technology platforms such as Branch and Twilio. The company shared its users’ prescriptions, health status, contact information and mobile advertising identifiers with these third parties without notifying its users or obtaining their consent, according to the complaint.
GoodRx also used the data it shared with Facebook to target GoodRx users with personalized ads on Facebook and Instagram, the FTC alleged. These ads were tailored to users’ individual health conditions.
In its complaint, the FTC cited an example from 2019 in which GoodRx compiled lists of its users who purchased certain drugs, such as those for heart disease and blood pressure. GoodRx then uploaded those users’ email addresses, phone numbers and mobile advertising IDs to Facebook so the tech giant could identify their profiles and target them with health ads, the FTC alleged.
The complaint also alleges that GoodRx shares user data with third parties so they can improve their own operations. For example, GoodRx would allow third parties to use the user data it shares with them for research and development or to improve their advertising strategy, the FTC alleged.
The FTC order against GoodRx is the first enforcement action the agency has taken under its Health Breach Notification Rule, which requires providers of personal health records to notify consumers and the FTC when data is shared without the consumers’ consent or knowledge.
The order — which must be approved by a federal court before taking effect — not only seeks to prohibit GoodRx from sharing user data with advertisers, but also requires the company to order third parties to delete user data it has shared with them.
Under the proposed order, GoodRx agreed to pay a $1.5 million penalty for failing to report the leak of user data to third parties. But GoodRx denied wrongdoing in a statement posted on its website the same day the FTC filed its complaint.
“We disagree with the Federal Trade Commission’s allegations and admit no wrongdoing. Entering into a settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements described in the settlement will not have a material impact on our business or on our current or future operations,” GoodRx said.