On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

The GoodRx settlement marks the first time that the FTC has enforced the HBNR, which it implemented in 2009. In general, the HBNR requires that non­-HIPAA-covered vendors of personal health records (“PHR”) give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of PHR. As we have previously written, in 2021 the FTC published guidance stating that it intended to enforce the HBNR where health apps violated the rule. We have also previously written about the U.S. Health and Human Service’s recent bulletin cautioning HIPAA-covered entities in their use of cookies, pixels, and other tracking technology to ensure that protected health information (“PHI”) is not disclosed to third parties in violation of HIPAA. The GoodRx settlement shows that the FTC is also scrutinizing the use of advertising cookies and pixels on websites that collect personal health information.

Turning to the substance of the allegations, the FTC claims that GoodRx—a provider of services that allegedly allows individuals to compare prescription pricing at nearby pharmacies on its mobile application or on its website—“integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App,” which collected and sent personal data to third parties for “advertising, data analytics, or other business services.” The information GoodRx allegedly shared with third parties included contact information, persistent identifiers, location information, and “events data” (e.g., page views that may have reflected the consumers’ health concerns). Notably, the FTC also alleged that GoodRx tracked and shared “custom events” through the Facebook Pixel that conveyed health information about its website users, including medication names and health conditions. And while GoodRx’s privacy policy described the use of third-party tracking tools, it also stated: “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” The FTC also alleged that GoodRx monetized its violations by sharing the sensitive information with third parties so that it could target users with health-related advertisements.

According to the FTC’s Complaint, GoodRx violated the FTC Act by, among other things, disclosing personal and health information to third parties while representing in its privacy policies that it would “never” share such information with advertisers or other third parties. The FTC alleged that GoodRx also violated the FTC Act by deceptively stating in its privacy policies that disclosure to third party providers was limited to what was necessary to provide telehealth services unless the consumer consented to other uses. The Complaint alleges that GoodRx failed to comply with the HBNR by failing to report these unauthorized disclosures.  

The FTC’s enforcement action against GoodRx and proposed settlement shows that non-HIPAA covered entities collecting health-related information should understand the technologies used on their websites and in their mobile applications and ensure that their privacy policies accurately reflect their collection, use and disclosure of such information using those technologies.  The failure to properly disclose information sharing practices could be a violation of the FTC Act—which generally prohibits unfair or deceptive business practices—and, in any event, lead to an investigation and/or enforcement action.  The FTC’s action also highlights the FTC’s interpretation of “breach of security” under the HBNR, to potentially include the disclosure of health-related information using third-party advertising technology on a website or through a mobile application without appropriate consumer authorization.  The FTC’s action is part of a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.