Skip to content

Corruption Ledger

The Public Ledger of Corruption

  • About
  • Corruption
    • corporate
    • government
    • leaks
    • misinformation
    • privacy and surveillance
    • protest and unrest
  • War
  • Sanctions
    • Sanctions News
    • Global Sanctions Feed
    • European Sanctions Feed
    • Canadian Sanctions Feed
    • US Sanctions Feed
  • Regions
    • Asias
    • Europe
    • Oceania
    • Middle East
    • US & Canada
    • World
  • Enforcement Actions
  • Economy
    • Crypto
  • Video
  • Freedom of Speech / Press
  • Toggle search form
  • Russia says jet scrambled as US B-52 bombers fly over Baltic Sea international conflict
  • Railroad reluctant to say who OK’d chemical burn after Ohio derailment corporate corruption
  • Scientists insist on continuing search for toxics in East Palestine corporate corruption
  • US announces sanctions on Iran drone procurement network _enforcement
  • Putin and Xi sign two documents in Moscow economy
  • JP Morgan, Deutsche Bank to face lawsuit over Epstein ties banks
  • Zuckerberg, Meta sued for failing to address sex trafficking, child exploitation corporate corruption
  • Top aide of Canadian PM Trudeau will testify in parliament on Chinese election meddling corporate corruption

FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising

Posted on February 1, 2023March 8, 2023 By CorruptionLedger No Comments on FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
 

The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps. 

According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:

  • Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio. 
  • Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. 

Health Breach Notification Rule Violation

According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history. 

GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.

Proposed Order

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
  • Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
  • Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. Commissioner Christine S. Wilson issued a concurring statement. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorney on the GoodRx matter was Ronnie Solomon of the FTC’s Bureau of Consumer Protection.

ftc.gov

corporate corruption, corruption, health, Region US & Canada, regulatory, regulatory compliance, surveillance & privacy Tags:FTC, regulatory and enforcement, regulatory-compliance

Post navigation

Previous Post: La Baguette LLC, Dynamic Integrated Solutions Inc, Priority Acquisitions Inc: False Claims Act – Improper Paycheck Protection Program Loans
Next Post: NZ, Australia want ‘urgent’ answers over Saudi sponsorship of Women’s World Cup

See also

  • Dow tumbles nearly 500 points as Credit Suisse stokes fears of bank failure contagion banks
  • China property tycoon Zhang Li arrested on US bribery charge corruption
  • Twitter to Pay $150 Million Civil Penalty to Resolve Data Privacy Violations regulatory
  • Peru closes Machu Picchu as protesters face arrest in Lima corporate corruption
  • Ex-ad agency chief admits guilt as Tokyo Olympic bribery trial opens corporate corruption
  • Video Documents Mariupol Mass Graves Hoax (Eva Bartlett) corruption

You must log in to post a comment.

  • Railroad reluctant to say who OK’d chemical burn after Ohio derailment
  • Scientists insist on continuing search for toxics in East Palestine
  • Top aide of Canadian PM Trudeau will testify in parliament on Chinese election meddling
  • Zuckerberg, Meta sued for failing to address sex trafficking, child exploitation
  • Norfolk Southern: Independent group finds toxic chemicals that Ohio EPA didn’t – Ohio train derailment (East Palestine)
  • JP Morgan, Deutsche Bank to face lawsuit over Epstein ties
  • Putin announces readiness to switch to the Chinese Yuan currency in foreign trade
  • Putin and Xi sign two documents in Moscow
  • US announces sanctions on Iran drone procurement network
  • Russia says jet scrambled as US B-52 bombers fly over Baltic Sea
Rumble Video

Corruption Ledger Follow

The Public ▇▇▇ Ledger of ▇▇▇ Corruption. https://t.co/wkobrEotQR

5amResearch
Corruption Ledger @5amresearch ·
10 Feb

News Coverage of the September 2022 #NordStream Pipeline Attack https://corruptionledger.com/news-coverage-of-the-september-2022-nord-stream-pipeline-attack/ via @5amResearch

Reply on Twitter 1623868066818928641 Retweet on Twitter 1623868066818928641 Like on Twitter 1623868066818928641
Corruption Ledger @5amresearch ·
10 Feb

Mia Jankowicz of Business Insider calls Pulitzer prize-winning journalist Seymore Harsh a "discredited journalist." #NordStream

Reply on Twitter 1623857264086974464 Retweet on Twitter 1623857264086974464 Like on Twitter 1623857264086974464 1
Corruption Ledger @5amresearch ·
9 Feb

#Kraken to Discontinue Unregistered Offer and Sale of Crypto Asset Staking-As-A-Service Program and Pay $30 Million to Settle SEC Charges
https://www.sec.gov/news/press-release/2023-25

Reply on Twitter 1623815305452560384 Retweet on Twitter 1623815305452560384 Like on Twitter 1623815305452560384
Corruption Ledger @5amresearch ·
9 Feb

SpaceX: Ukraine breaching agreement, weaponizing Starlink https://en.mdn.tv/71FW

Reply on Twitter 1623685510496505860 Retweet on Twitter 1623685510496505860 Like on Twitter 1623685510496505860
Load More

–

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Copyright © 2022 Corruption Ledger. This web site contains no ads.