FTC fines drug discount app for sharing user information to Facebook and Google

It's the agency's first enforcement action under its Health Breach Notification Rule.


The Federal Trade Commission has slapped prescription drug discount app GoodRx with a $1.5 million fine for the unauthorized disclosure of customers' identifiable health information to third parties, such as Facebook and Google. This is the first time the agency has taken enforcement action under its Health Breach Notification Rule, which requires vendors of personal health records to notify customers if their data has been breached. While the rule has applied to companies handling health records since 2009, FTC commissioners voted in favor of expanding it to cover health apps in 2021.

According to the FTC, the California-based telehealth service repeatedly violated the rule by sharing customers' personal health information, including their health conditions and the medicine they're taking. Further, it shared their information with companies that have third-party advertising platforms like Facebook, Google and Criteo despite promising customers that it would never do so. The FTC says GoodRx also monetized its customers' information. In 2019, for instance, it uploaded the email addresses, phone numbers and mobile advertising IDs of users who purchased certain medications to Facebook, so it could target them with health-related ads.

In addition to imposing a $1.5 million fine on GoodRx, the FTC is also seeking to change how the company handles user information. In its proposed court order (PDF) against the company, it listed several provisions, including banning the service from disclosing user data for advertising purposes. For other purposes, it wants to require GoodRx to secure customers' consent first before sharing their health information with third parties. The FTC also wants GoodRx to get the third parties it shared data with to delete its customers' information, and it wants the company to establish a comprehensive privacy program that will protect user data.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement:

"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation."

In a statement sent to Engadget, GoodRx said it treats its customers' privacy as a priority and that it admits no wrongdoing:

"At GoodRx, protecting our users’ privacy is one of our most important priorities. We are thoughtful and disciplined about what information we gather and how and why we use it.

The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.

We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.

In fact, almost three years ago, before the FTC reached out to us, we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy. While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices. We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare."