GoodRx, a popular drug discount website and application used by millions of Americans, entered into a $1.5 million settlement with the Federal Trade Commission for allegedly unfairly and deceptively sharing users’ personal health information with advertisers, including Facebook and Google. According to the FTC, GoodRx’s data handling practices violated both Section 5 of the FTC Act, and, in a “first of its kind” action, the 2009 Health Breach Notification Rule (HBNR), which requires vendors of personal health records to report data breaches, even if neither the entity nor the data in question is subject to HIPAA. The case highlights the growing concerns over the sharing of personal health information and the FTC’s increased efforts to regulate companies in the digital health industry, even those that are not subject to HIPAA.

The crux of the complaint focused on the allegedly deceptive disclosures in GoodRx’s privacy policy between 2017 and 2020, in which the company made bold and unqualified claims that it “never provide[s] advertisers any information that reveals a personal health condition.” Not so, claimed the FTC. GoodRx, like so many websites, used advertising tracking technologies such as cookies and pixels from popular services like Facebook, Google, and Criteo. Without proper notice and consent, these trackers allegedly funneled information to advertisers that included not just IP addresses, names, and browsing analytics, but also the medications and health conditions users were browsing on GoodRx.

As a result, Facebook, Google, and other advertisers obtained access to data that was arguably sufficient to construct highly personal profiles of users based on their health information, medical diagnoses, and lifestyles – everything from antibiotics for sexually transmitted infections, to antidepressants, to birth control and abortion drugs.

Not only did GoodRx provide this data to Facebook and Google, but it targeted users with Instagram and Facebook ads related to health conditions. For example, if someone used GoodRx to search for information about sexual health, GoodRx later showed that user Facebook and Instagram advertisements for its subsidiary HeyDoctor’s STI testing clinics – it assumed they’d need them, after all. According to the FTC, sharing this information with Facebook violated promises in the GoodRx privacy policy that the company would “never” reveal such private health information to advertisers.

The FTC also alleged that multiple statements GoodRx had made were deceptive, such as a claim that the company was compliant with Digital Advertising Alliance (DAA) principles (when it wasn’t), and the unchecked use of a HIPAA compliance seal on the HeyDoctor website. In reality, neither GoodRx nor HeyDoctor was subject to HIPAA, and the seal created the misimpression that data was handled in accordance with that law.

In addition to Section 5, GoodRx also allegedly violated the Health Breach Notification Rule (HBNR). In a novel application of the rule, the FTC found that GoodRx’s disclosures of personal information via advertising trackers were in fact “breaches” that GoodRx failed to report. This expanded interpretation of the HBNR is likely a harbinger of more FTC enforcement to come against the multi-billion-dollar digital health and health-adjacent industry, including health and fitness applications, activity trackers, and fertility apps. Unlike traditional patient records in hospitals and doctors’ offices, these companies and the information they collect are not covered by HIPAA. It appears that, in the absence of federal legislation, the FTC plans to leverage the HBNR and Section 5 in innovative ways to regulate health data.

Moreover, the FTC’s invocation of Section 5’s “unfairness” prong – on account of GoodRx not obtaining affirmative consent prior to sharing data with advertisers – suggests that all personal health information, even if not bona fide medical records, could require affirmative consent prior to being shared, even if such practices are clearly disclosed in the privacy policy. It remains to be seen whether and how aggressively the FTC will pursue this line of thinking. Such an interpretation could significantly impact the ability of health, wellness, and fitness companies to use any kind of advertising trackers without obtaining opt-in consent.

In a response statement, GoodRx stated that user privacy is one of its top priorities and that the issues the FTC identified were resolved three years ago. The company defended its use of advertising tracking technologies as both commonplace and compliant with applicable laws and regulations. The company also stated that the Facebook pixel that the FTC took issue with had been deactivated, and that in any event, no actual medical records were shared, only circumstantial browsing information that may or may not have pertained to a particular user’s medical information.

In light of the GoodRx action, companies should consider the following:

Consider health data – even circumstantial health data – “sensitive” under the law. While GoodRx and its subsidiaries did not handle medical records like the ones in doctors’ offices and hospitals, the information they shared was still considered “sensitive” by the FTC. Companies should limit their handling of any information regarding users’ health for non-essential purposes such as advertising. Use of health information for non-essential purposes could be considered a “breach” under the HBNR.

Clearly say what you do, and do what you say. Companies should review their use of advertising tracking technologies, and their privacy policies to ensure that their data handling practices are correctly characterized. Bold, unqualified statements (“We never…” or “We always…”) should be avoided. Also, companies should consider that the use of advertising tracking technologies likely constitutes a sale of personal information under the CPRA, and provide notice and opt-out opportunities accordingly, as applicable.

Review compliance with state laws. The California Privacy Rights Act (CPRA), and Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. The California Attorney General has signaled that companies have a several-month grace period to comply with the CPRA before enforcement starts; however, CCPA compliance is required now. Companies should review their policies with an eye towards the requirements of these laws, particularly the detailed California requirements regarding the right to opt out of the sale or sharing of personal information, which the CA AG has signaled is a top priority. Companies should also review their privacy policies to ensure they comply with the forthcoming privacy laws of Colorado, Connecticut and Utah, which go into effect later this year.

Review and renegotiate contracts as necessary (or as feasible). To the extent possible, consider adding language to DPAs and other relevant contracts that restricts the recipient’s use of personal information to just what is necessary to provide services on the controller’s/business’s behalf.