On February 1, 2023, the FTC announced an enforcement action against GoodRx for unlawfully disclosing users’ health information through the use of third-party tracking technologies, sending a strong warning to the online health industry against tracking health-related personal data for advertising purposes.
Alleged Missteps
GoodRx sells health-related products and services, including prescription medications and telehealth services. According to the FTC, GoodRx integrated advertising trackers, including pixels and SDKs, into its websites and apps in ways that disclosed health information to third parties, including Facebook, Google, and Criteo. Among other things, the FTC’s complaint alleged that:
- The trackers collected data about user interactions (“Events”). GoodRx gave these Events names, like “Drug Name,” that identified users’ health conditions, prescription medications, and other health information. (The FTC settlement with Flo Health focused on the same issue, which we covered here.)
- GoodRx used the Facebook pixel to track Events that disclosed the medications for which users accessed GoodRx coupons; URLs containing medication name; health conditions; medication quantity; and IP address. GoodRx also allegedly configured some pixels to share users’ first and last name, email address, date of birth, phone number, and prescription medication name.
- GoodRx used health information to target users with health-related ads. For example, GoodRx created Facebook Custom Audiences based on medication purchases and gave some audiences names (such as “Birth Control,” “Hepatitis C,” “HIV,” and “TB”) that revealed users’ medications or health conditions. GoodRx also targeted users who visited treatment pages related to sexually transmitted diseases with ads for GoodRx STD testing services.
The FTC alleged that GoodRx did little to limit how third parties used health information and made numerous misrepresentations about its own use of health information. For example:
- GoodRx’s privacy policy claimed that GoodRx never provides advertisers with information that reveals a health condition, rarely shares personal health information with third parties, and ensures that third parties receiving health information comply with certain federal standards. The company’s CEO made related claims on social media.
- GoodRx stated that it complies with the Digital Advertising Alliance principles, which require companies to obtain consent to use pharmaceutical prescriptions or medical records for online behavioral advertising.
- The telehealth service’s privacy policy did not state that health information would be shared with third-party advertisers. The service’s homepage also displayed a “HIPAA Secure” seal, which (the FTC alleges) falsely signaled that GoodRx was covered by and compliant with HIPAA.
Charges
The FTC charged GoodRx with violating Section 5 of the FTC Act by its allegedly unfair and deceptive misrepresentations of its privacy practices. GoodRx is also charged with violating the FTC’s Health Breach Notification Rule (HBNR) by disclosing unsecured, identifiable health record information to third parties without users’ authorization. This is the first HBNR enforcement action to date.
The FTC’s stipulated Order seeks a $1.5 million penalty and an injunction. It would also permanently prohibit GoodRx from sharing individually identifiable health information for advertising purposes and require it to (1) obtain affirmative, express user consent to disclose health information for even non-advertising purposes, except for disclosures to limited service providers; (2) instruct certain third parties to delete health information provided by GoodRx; (3) adhere to various privacy practices; and (4) biennially assess and report to the FTC on compliance for 20 years. The Order also requires GoodRx to comply with the HBNR, including its onerous breach notification requirements.
Takeaways
Using third-party pixels, SDKs, and similar technologies to track health-related information is increasingly risky, especially if this information is used for advertising purposes. If your website or app includes health-related information, you should carefully monitor how trackers are used and what user information they collect and convey to third parties.
Disabling or reconfiguring trackers to not collect health-related information would significantly mitigate the risks. Short of this, you should use such information in compliance with laws governing sensitive information, which often includes health information. For example, some U.S. state laws require an opt out for certain uses of sensitive personal information, and others require affirmative consent to process or disclose sensitive personal information. Use of health information under EU law is even more restricted.
Lastly, you should ensure that you use and disclose health-related information in accordance with the representations in your privacy policy, website, social media, and elsewhere. You should vet any statements related to your privacy practices prior to publication to ensure accuracy.
