On February 1, 2023, the Federal Trade Commission (FTC) reached a settlement with digital health platform GoodRx for sharing users’ personal health information with third parties without properly disclosing their data practices or obtaining users’ affirmative consent, as well as for failing to maintain adequate policies or procedures to protect users’ personal health information. This is the FTC’s first ever enforcement decision under the Health Breach Notification Rule (HBNR), which requires vendors of personal health records (PHRs) or PHR-related entities to notify consumers, the FTC, and sometimes the media, when they discover certain data breaches. GoodRx agreed to pay $1.5 million under the terms of the settlement, as well as to implement other remedies regarding its data practices, including being permanently banned from disclosing user health information to advertisers for most advertising purposes and being required to direct third parties to delete the consumer health data that was shared with them.
This case not only creates novel results in a variety of areas related to the disclosure of health information but also flags for entities dealing with health information a wide range of new risks and concerns to evaluate going forward. This is an area where it is clear that the FTC will be pursuing aggressive and innovative theories about potential consumer risks associated with health information.
The complaint charges GoodRx with violating Section 5 of the FTC Act and the Health Breach Notification Rule. Specifically, the complaint alleges that GoodRx (among other things):
- Used health information to target ads to consumers without obtaining their consent. The FTC alleged that GoodRx configured tracking pixels on its website and used software development kits (SDKs) on its mobile app to share information with advertisers, such as the drug for which users had received coupons and the medical condition that the drug treats, along with other user information such as phone number, email, zip code, and IP address. Furthermore, Android and iOS operating systems shared users’ geographic coordinates and advertising IDs to target individuals with ads. The FTC also alleged that in August 2019, GoodRx collected a list of users who had purchased heart disease-related medication and uploaded their email addresses, phone numbers, and mobile advertising IDs to an advertiser to create custom audiences in order to target users with relevant advertisements. According to the complaint, these constituted “unfair” practices under Section 5 because GoodRx did not obtain “affirmative express consent” for these uses.
- Did not implement policies to protect health information or other personal information. According to the FTC, GoodRx did not have any sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. The FTC alleged that this also constituted an “unfair” practice under Section 5.
The last two points are particularly noteworthy because the FTC raised these allegations under the “unfairness” prong of Section 5, as opposed to the “deceptive” prong. According to the FTC, GoodRx’s failure to obtain affirmative consent before using consumer health information for targeted advertising purposes and to implement policies to protect health information violated Section 5 not only because they were inconsistent with the representations made by the company but also because they “caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” This is an important distinction because it suggests that the FTC is leveraging its unfairness authority to begin to create precedent around companies’ privacy practices, just as it did with reasonable data security.
The Proposed Order
In addition to paying a $1.5 million penalty, the proposed order creates a number of substantive limits on GoodRx’s data practices, as well as requires the company to implement certain policies and procedures. Specifically, the order states that GoodRx is:
- Prohibited from disclosing health information for targeted advertising purposes. This further substantiates the argument that the FTC may view the use of health information for targeted advertising practices as an “unfair” practice in violation of Section 5 unless a company obtains prior affirmative consent.
- Required to implement a comprehensive privacy program. GoodRx must document this privacy program and, among other things, 1) designate a person responsible for the program; 2) conduct a risk assessment related to the privacy program every 12 months; 3) develop a number of specific policies and procedures (including those related to data retention and privacy training); and 4) provide an update of the privacy program to the board of directors at least once every 12 months. GoodRx’s privacy program must also be subject to a biennial assessment from a third-party assessor.
Companies should be paying attention to the following points in light of the GoodRx decision:
- Review their targeted advertising practices. Companies that disclose personal information for targeted advertising purposes, especially health information, should be aware that this is an enforcement priority for the FTC. Companies that operate in this space should review the disclosures that they make to consumers regarding their data use and ensure that their practices are consistent with their representations. Companies should also assess whether they obtain affirmative consent for this activity and whether their consent process would meet the FTC’s standards.
- Compliance with the Health Breach Notification Rule. Companies that manage health data should reevaluate whether they meet the definition of a “vendor” of personal health records or a PHR-related entity and are potentially subject to the HBNR. Falling within the HBNR may raise the risk of an FTC investigation, as the FTC is looking for opportunities to enforce its trade regulation rules (like the HBNR), which give it the ability to obtain penalties for first-time violations.
- Monitor and limit third-party use of data. Companies should monitor and audit the third parties with which they share personal information (especially for marketing and advertising purposes) to understand how those parties use the personal information disclosed to them. Companies should also look to implement contractual and technical limitations on how third parties are permitted to use the data they receive and otherwise ensure that these third parties’ use of the data is consistent with the representations the companies are making in public.
- Implement appropriate policies and procedures around personal data. The FTC expects that all companies that process personal data have a privacy program in place, especially companies that process sensitive health information. The GoodRx order can be used as a benchmark for understanding where a company’s policies and procedures regarding its use, disclosure, and safeguarding of such information might fall short from the FTC’s perspective.