The company’s name may be GoodRx, but consumers are unlikely to use the adjective “good” to describe the company’s unauthorized disclosure of personal health information to companies like Facebook and Google, in violation of its own privacy commitments. How did GoodRx do this? Through automated “plug-and-play” tracking pixels and software development kits (SDKs) from Facebook, Google and others. These tools are designed to harvest vast amounts of consumer data and use it for advertising purposes; in GoodRx’s case, that data included consumers’ personal and health information.
To settle the first FTC action alleging violations of the FTC’s Health Breach Notification Rule, GoodRx will pay a $1.5 million civil penalty. But the proposed settlement also contains an unprecedented provision that is sure to generate buzz among app developers, privacy professionals and others in the booming health tech industry. Read on to learn more.
GoodRx operates a digital health platform where consumers can compare prescription drug prices and receive prescription drug coupons. It also offers a paid monthly subscription service, GoodRx Gold, which claims to offer deeper discounts and virtual telemedicine visits through a product called GoodRx Care. GoodRx collects large amounts of personal data, including highly sensitive health information, from consumers and pharmacy benefit managers (companies that manage prescription drug benefits) to identify when someone uses a GoodRx coupon to get a prescription.
Although the specific language has changed over the years, GoodRx has made many privacy promises to consumers. For example, in describing its use of third-party tracking tools, GoodRx assures people, “[W]e never provide any information that discloses an individual’s health status or personal health information to advertisers or any other third parties.” GoodRx also promises users that it “rarely shares” personal health information with third parties, and that when it does, it “ensures that those third parties must comply with federal standards on how to handle your personal health information for medical purposes.” GoodRx has likewise made representations about how it handles what it calls “Personal Data”: name, contact information and other personally identifiable information. For example, GoodRx stated that it would share users’ personal information only for certain limited administrative functions, such as “to provide services directly to users,” “to comply with the law or legal process,” “to take action to protect someone’s safety in an emergency,” or “to process a customer request.”
In a phrase we’ve repeated frequently in recent blog posts, that’s what the company promised, but the FTC says what GoodRx was doing behind the scenes contradicted those comforting assurances. According to the complaint, GoodRx violated its privacy commitments starting at least in 2017 by sharing information about users’ prescription medications, health conditions and personal information (such as contact information and other personal identifiers) with some of the biggest names in digital advertising.
You’ll have to read the complaint to learn the details of how the FTC says GoodRx broke its privacy pledge, but here’s the short version. In building its website and mobile app, GoodRx integrated third-party trackers from companies such as Facebook, Google and Criteo, often in the form of SDKs or automated web beacons called tracking pixels. Despite what GoodRx told consumers, those trackers sent user data back to these businesses for advertising and other purposes.
For example, GoodRx configured a Google tracking pixel on its website and a Google SDK in its app to share information with Google, including the name of the drug for which the user received a coupon, the medical condition the drug treats, and the user’s mobile phone number, email address, postal code and IP address. In addition, the Google Android and iOS SDKs shared a user’s latitude and longitude coordinates and a unique advertising ID, which can be used to target ads to individuals.
The FTC says GoodRx configured the Facebook Pixel on some of its web pages to send the same type of information to Facebook, if not more. According to the complaint, GoodRx was able to identify customers with Facebook and Instagram accounts and then use their personal and health information to serve ads to them on those platforms. For example, people who got GoodRx coupons for products like Viagra saw ads for erectile dysfunction drugs on Facebook or Instagram. Likewise, people who used GoodRx telemedicine to get treatment for sexually transmitted diseases received ads for STD testing services. In some cases, GoodRx disclosed drug purchase data it received from pharmacy benefit managers to Facebook and used that data to serve targeted ads.
What did GoodRx’s practices mean in the real world? Using Facebook’s ad targeting platform, GoodRx designed campaigns that served ads to customers based on their health information. For example, if a customer disclosed a possible erectile dysfunction problem to GoodRx, they might see ads on Facebook similar to those shown in Exhibit A of the FTC complaint.
The complaint alleges that GoodRx violated Section 5 of the Federal Trade Commission Act and the Health Breach Notification Rule. According to the complaint, the Section 5 violations included telling consumers that it would not disclose personal health information to advertisers or other third parties while the company continued to do exactly that. The FTC says GoodRx’s promise to disclose users’ personal information only for limited purposes was also false or deceptive, because GoodRx disclosed users’ names, addresses, email addresses, phone numbers and other personal identifiers to advertisers for marketing purposes. The complaint further alleges that GoodRx deceptively promised to restrict how third parties that received personal health information could use it, but failed to do so. As a result, companies such as Facebook, Google and Criteo were free to use this information for their own commercial purposes, including advertising.
Additionally, the FTC alleged that GoodRx unfairly failed to prevent unauthorized disclosures of health information and unfairly failed to obtain consumer consent before using and disclosing health information for advertising purposes.
The complaint also alleges that GoodRx is a “vendor of personal health records” subject to the Health Breach Notification Rule. Consumers can use the company’s service to track their health information, including details about their prescription drug history. The FTC says GoodRx violated the Rule by failing to notify customers, the FTC and the media about the company’s unauthorized disclosures of personally identifiable health information to Facebook, Google, Criteo and other companies.
In addition to the $1.5 million civil penalty for violating the Rule, the proposed order includes a remedy that is a first for an FTC case. In short, the order comprehensively prohibits GoodRx from sharing user health data with applicable third parties for advertising purposes. This is a novel remedy, and one the FTC says is intended to protect consumers from similar illegal conduct in the future. What’s more, GoodRx must obtain user consent before sharing health data with applicable third parties for any other purpose, and must notify consumers of its unauthorized sharing with Facebook and others.
What can your company expect from the enforcement action against GoodRx?
Be honest about how you plan to use your customers’ health data. Be transparent about your practices, provide appropriate and timely explanations, and obtain explicit consent from consumers before collecting, using or sharing health information. But promises are not enough. Companies should develop a plan to ensure that their practices actually deliver on those promises.
If sensitive health data is part of your business, know that you’ve upped the ante on keeping it safe and private. Like trucks transporting flammable materials on the highway, companies collecting sensitive consumer data should be especially cautious. This includes maintaining and implementing appropriate policies to protect that information from unauthorized disclosure, collecting only data for which you have a legitimate business need, training your employees to handle the data with care while you have it, and securely disposing of it once you no longer have a good reason to keep it.
Set contractual boundaries on how third parties may use information obtained from your company. Consider including clauses in contracts with third parties that address how data will be shared. It can be easy to gloss over what appears to be a “click-through” agreement, but it’s smarter to reconcile any agreements you have with other companies regarding consumer data with the privacy promises you make to consumers and with your actual practices. Additionally, service provider agreements should be drafted to contractually limit how those providers may use consumer data.
Monitor the data flow to every third party that your website or application connects to through SDKs or other interfaces. Ad tech tools are easy to integrate into an app or website (sometimes as simple as flipping a toggle), but they can also facilitate the disclosure of highly sensitive information. In fact, the companies behind these tools often make money by collecting as much user data as possible to target ads. It’s your responsibility to make sure people understand up front how you plan to use their personal information, and even then, don’t use ad tech tools unless you understand exactly how they work and are prepared to configure them appropriately. Give application events generic names that don’t convey sensitive information. And never violate your own privacy commitments.
Are you covered by the Health Breach Notification Rule? Consider this a clarion call for compliance. The FTC’s health privacy web page is a good starting point. Consult Complying with FTC’s Health Breach Notification Rule for the fundamentals. Next on your reading list: the Commission’s 2021 Statement on Breaches by Health Apps and Other Connected Devices. Don’t miss this crucial sentence:
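As an added example (not code from the FTC post, from GoodRx, or from any vendor SDK), here is one way to apply the “monitor the data flow” and “generic event names” advice in a web front end: a tracker-agnostic gate that allow-lists event names and parameters before anything reaches a pixel or SDK, and reports what it dropped so it can be reviewed. The `tracker` callback, the allow-list contents and the sample event are all assumptions.

```javascript
// Added example (not code from the FTC post or from GoodRx): a gate between
// application code and any third-party pixel/SDK call, so only allow-listed
// event names and parameters reach the vendor. All identifiers are assumed.

// Event names describe the interaction with the app, never the user's health.
const ALLOWED_EVENT_NAMES = new Set(["page_view", "coupon_viewed", "coupon_saved"]);
// Exact parameter keys a tracker may receive; anything else is dropped, so a
// "drug_name" or "condition" field added upstream cannot leak by default.
const ALLOWED_PARAMS = new Set(["page_type", "platform", "coupon_id_hash"]);
// Value-shape checks catch contact data smuggled under an allowed key.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?[\d\s().-]{7,}$/;

// Returns the event as it may be sent, plus a list of everything dropped.
function sanitizeEvent(eventName, params) {
  const dropped = [];
  let safeName = eventName;
  if (!ALLOWED_EVENT_NAMES.has(eventName)) {
    dropped.push(`event:${eventName}`);
    safeName = "generic_interaction"; // anonymous fallback name
  }
  const safeParams = {};
  for (const [key, value] of Object.entries(params || {})) {
    const text = String(value);
    if (!ALLOWED_PARAMS.has(key) || EMAIL_RE.test(text) || PHONE_RE.test(text)) {
      dropped.push(key);
      continue;
    }
    safeParams[key] = value;
  }
  return { eventName: safeName, params: safeParams, dropped };
}

// `tracker` stands in for the vendor SDK call (e.g. a pixel's track function);
// application code calls this wrapper instead of the SDK directly.
function sendTrackingEvent(tracker, eventName, params) {
  const result = sanitizeEvent(eventName, params);
  if (result.dropped.length > 0) console.warn("tracking gate dropped:", result.dropped.join(", "));
  tracker(result.eventName, result.params);
  return result;
}

// Constructed sample of the kind of call the complaint describes: drug name,
// condition and contact details attached to a coupon event.
const SAMPLE_LEAKY_EVENT = {
  name: "viagra_coupon_viewed",
  params: { drug_name: "Viagra", condition: "erectile dysfunction", phone: "555-0100", user_email: "a@example.com", page_type: "coupon" },
};
```

Routing the dropped-field warnings to your own logging gives a running audit of what each SDK would have received, which is the kind of data-flow visibility the post asks for.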
[T]he Commission reminds entities that provide services covered by the Rule that “breaches” are not limited to cybersecurity intrusions or malicious conduct. Incidents of unauthorized access, including sharing of covered information without the individual’s authorization, trigger notification obligations under the Rule.