GoodRx, a popular drug discount website and application used by millions of Americans, entered into a $1.5 million settlement with the Federal Trade Commission for allegedly unfairly and deceptively sharing users’ personal health information with advertisers, including Facebook and Google. According to the FTC, GoodRx’s data handling practices violated both Section 5 of the FTC Act and, in a “first of its kind” action, the 2009 Health Breach Notification Rule (HBNR), which requires vendors of personal health records to report data breaches even if neither the entity nor the data in question is subject to HIPAA. The case highlights growing concern over the sharing of personal health information and the FTC’s increased efforts to regulate companies in the digital health industry, including those that are not subject to HIPAA.
As a result, Facebook, Google, and other advertisers obtained access to data that was arguably sufficient to construct highly personal profiles of users based on their health information, medical diagnoses, and lifestyles – everything from antibiotics for sexually transmitted infections, to antidepressants, to birth control and abortion drugs.
The FTC also alleged that multiple statements GoodRx had made were deceptive, such as a claim that the company was compliant with Digital Advertising Alliance (DAA) principles (when it was not), and the unchecked use of a HIPAA compliance seal on the HeyDoctor website. In reality, neither GoodRx nor HeyDoctor was subject to HIPAA, and the seal created the misimpression that data was handled in accordance with that law.
In addition to Section 5, GoodRx also allegedly violated the Health Breach Notification Rule (HBNR). In a novel application of the rule, the FTC found that GoodRx’s disclosures of personal information via advertising trackers were in fact “breaches” that GoodRx failed to report. This expanded interpretation of the HBNR is likely a harbinger of more FTC enforcement aimed at the multi-billion-dollar digital health and health-adjacent industry, including health and fitness applications, activity trackers, and fertility apps. Unlike traditional patient records in hospitals and doctors’ offices, these companies and the information they collect are not covered by HIPAA. It appears that, in the absence of federal legislation, the FTC plans to leverage the HBNR and Section 5 in innovative ways to regulate health data.
In a response statement, GoodRx stated that user privacy is one of its top priorities and that the issues the FTC identified were resolved three years ago. The company defended its use of advertising tracking technologies as both commonplace and compliant with applicable laws and regulations. The company also stated that the Facebook pixel the FTC took issue with had been deactivated and that, in any event, no actual medical records were shared, only circumstantial browsing information that may or may not have pertained to a particular user’s medical information.
In light of the GoodRx action, companies should consider the following:
Consider health data – even circumstantial health data – “sensitive” under the law. While GoodRx and its subsidiaries did not handle medical records like the ones in doctors’ offices and hospitals, the information they shared was still considered “sensitive” by the FTC. Companies should limit their handling of any information regarding users’ health for non-essential purposes such as advertising. Sharing health information with third parties for such non-essential purposes could be considered a “breach” under the HBNR.
Clearly say what you do, and do what you say. Companies should review their use of advertising tracking technologies and their privacy policies to ensure that their data handling practices are correctly characterized. Bold, unqualified statements (“We never…” or “We always…”) should be avoided. Companies should also consider that the use of advertising tracking technologies likely constitutes a sale of personal information under the CPRA, and provide notice and opt-out opportunities accordingly, as applicable.
Review compliance with state laws. The California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. The California Attorney General has signaled that companies have a several-month grace period to comply with the CPRA before enforcement starts; however, CCPA compliance is required now. Companies should review their policies with an eye toward the requirements of these laws, particularly the detailed California requirements regarding the right to opt out of the sale or sharing of personal information, which the CA AG has signaled is a top priority. Companies should also review their privacy policies to ensure they comply with the forthcoming privacy laws of Colorado, Connecticut and Utah, which go into effect later this year.
Review and renegotiate contracts as necessary (or as feasible). To the extent possible, consider adding language to DPAs and other relevant contracts that restricts the recipient’s use of personal information to just what is necessary to provide services on the controller’s/business’s behalf.