USA — Online pharmacy GoodRx has agreed to pay US$1.5 million in civil penalties for years of sharing the health information of consumers with third parties like Facebook, Google, and Criteo for advertising purposes, the Federal Trade Commission has said.

In a complaint filed in a California federal court, the FTC accused the healthcare and telemedicine giant of failing to notify consumers that their personal health information — collected while using its website and services — would be shared with third parties.

According to a complaint filed in federal court by the FTC, the California-based company used sensitive information about online consumers, such as prescription medication and health conditions, to allow third parties to target them with related advertisements despite its privacy promises to users.

GoodRx shared consumers’ personal health information with Meta Platforms Inc.’s Facebook and Alphabet Inc.’s Google, as well as with online advertising companies Criteo, Twilio, and Branch, the commission alleged.

The agency accused GoodRx of violating federal consumer protection law and a rule overseeing unauthorized disclosures of personal health data.

According to the commission, over 55 million consumers have visited or used GoodRx’s website or mobile apps for prescription drug discounts, telehealth visits, and other health services since 2017.

In response to the enforcement action, GoodRx said in a statement that the settlement “focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.”

This is the first enforcement action brought by the FTC under its health breach notification rule since it was issued more than a decade ago. The case serves as a wake-up call to companies that use health data and technology firms that target advertising based on user data.

The FTC’s proposed court order would require GoodRx to direct advertisers to delete any consumer health data that was improperly shared with them, though the order would only bind the telehealth platform.

GoodRx would also be permanently barred from sharing health data for advertising purposes, and any other data-sharing would require user permission. The order must be approved by the court.

GoodRx will also be required to limit how long it can retain personal and health information “according to a data retention schedule” and to detail to users what it collects and why. It must also implement a privacy program to protect consumers’ data in the future.

The FTC will also require GoodRx to seek the deletion of data by contacting the companies with which it shared users’ data.

GoodRx is a prime example of how the rules might be violated, but with the proliferation of online healthcare services in recent years — which got a boost in particular with the arrival of the COVID-19 pandemic.

The FTC previously warned health app developers to follow its health breach notification rule, which requires them to notify consumers if their data is exposed or shared without their consent.

The rule is particularly important in light of the fact that there are ever more healthcare services coming online.

Following the US Supreme Court’s decision to overturn a federal right to abortion, the regulator has also indicated that it will closely monitor the use of sensitive data such as location and health information, particularly when companies claim that such data cannot be linked to a specific person.

The FTC’s 2021 enforcement advisory was intended to fill a regulatory gap for health apps not covered by the Health Insurance Portability and Accountability Act, or HIPAA.

Healthcare providers and insurers are required by federal law to protect the privacy and security of personal health data.

Just last week, Amazon launched RxPass, a Prime add-on that lets people fill all of their prescriptions for a set of conditions using generic prescription drugs for one flat monthly fee.
