On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

The GoodRx settlement marks the first time that the FTC has enforced the HBNR, which it implemented in 2009. In general, the HBNR requires that non­HIPAA-covered vendors of personal health records (“PHR”) give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of PHR. As we have previously written, in 2021 the FTC published guidance stating that it intended to enforce the HBNR where health apps violated the rule. We have also previously written about the U.S. Health and Human Service’s recent bulletin cautioning HIPAA-covered entities in their use of cookies, pixels, and other tracking technology to ensure that protected health information (“PHI”) is not disclosed to third parties in violation of HIPAA. The GoodRx settlement shows that the FTC is also scrutinizing the use of advertising cookies and pixels on websites that collect personal health information.

Turning to the substance of the allegations, the FTC claims that GoodRx—a provider of services that allegedly allows individuals to compare prescription pricing at nearby pharmacies on its mobile application or on its website—“integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App,” which collected and sent personal data to third parties for “advertising, data analytics, or other business services.” The information GoodRx allegedly shared with third parties included contact information, persistent identifiers, location information, and “events data” (e.g., page views that may have reflected the consumers’ health concerns). Notably, the FTC also alleged that GoodRx tracked and shared “custom events” through the Facebook Pixel that conveyed health information about its website users, including medication names and health conditions. And while GoodRx’s privacy policy described the use of third-party tracking tools, it also stated: “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” The FTC also alleged that GoodRx monetized its violations by sharing the sensitive information with third parties so that it could target users with health-related advertisements.

According to the FTC’s Complaint, GoodRx violated the FTC Act by, among other things, disclosing personal and health information to third parties while representing in its privacy policies that it would “never” share such information with advertisers or other third parties. The FTC alleged that GoodRx also violated the FTC Act by deceptively stating in its privacy policies that disclosure to third party providers was limited to what was necessary to provide telehealth services unless the consumer consented to other uses. The Complaint alleges that GoodRx failed to comply with the HBNR by failing to report these unauthorized disclosures.  

The FTC’s enforcement action against GoodRx and proposed settlement shows that non-HIPAA covered entities collecting health-related information should understand the technologies used on their websites and in their mobile applications and ensure that their privacy policies accurately reflect their collection, use and disclosure of such information using those technologies.  The failure to properly disclose information sharing practices could be a violation of the FTC Act—which generally prohibits unfair or deceptive business practices—and, in any event, lead to an investigation and/or enforcement action.  The FTC’s action also highlights the FTC’s interpretation of “breach of security” under the HBNR, to potentially include the disclosure of health-related information using third-party advertising technology on a website or through a mobile application without appropriate consumer authorization.  The FTC’s action is part of a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.